Machina Research calls for better regulation to prevent IoT-enabled DDoS attacks

26 October 2016

The recent Distributed-Denial-of-Service (DDoS) attacks enabled by malware-infected IP cameras, DVRs and other embedded devices have caused fresh concerns about the future of IoT security. In light of the incidents, Machina Research has six takeaways from the situation:

  • The Mirai malware has not been a technology problem, but a process and policy problem. There is, technology-wise, nothing that would fundamentally prevent IoT developers from securing their devices appropriately. Hardcoding a generic term such as “admin” as the product’s default password (if that is what has indeed happened with certain Mirai-affected devices) is deeply irresponsible, but the good news is that it is also entirely avoidable.
  • Mirai is a problem of consumer IoT, and not a problem of enterprise IoT. IoT security is a hugely diverse space of very different application requirements, and what we have seen now involves the inherently less secure end of it. In enterprise IoT, suppliers that fail to meet certain security standards generally also fail to win business. In consumer IoT, the same business incentive is lacking.
  • What makes DDoS a particularly complicated security issue is the fact that the customers of hacked devices do not typically face their full consequences. The backlash to the affected device makers ultimately remains to be seen, but the chances are that it will not be serious enough to make a difference amongst the B2C makers of today and tomorrow.
  • There is a strong case to address security standards in consumer IoT through regulation and certification. If some device manufacturers do not have an incentive to take security seriously, and if it is the other companies and their customers that must face the consequences, then the industry is clearly dealing with a moral hazard and a market failure. The “smart” aspect of smart devices should be brought under the same frameworks that vet products for their overall safety, such as CE and UL.
  • There should be an effort to make the Internet as a whole more resilient to IoT-driven DDoS attacks. Vendors that supply backbone infrastructure for Internet services should start shoring up their contingency plans. Similarly, their customers must also invest in their own fallback strategies.
  • Governments should assess their options to mitigate the cyber risks stemming from out-of-date “zombie” devices. Over time there will be countless IoT devices that are operational, but whose firmware and software are no longer being updated. There is no realistic way to mandate any company to manage devices over their entire lifecycle, but one possibility is a special “IoT tax” that is imposed on certain device categories. The proceeds would then be used to support an ISP-led scheme to analyse traffic and sunset identified rogue devices. The end-users would acknowledge the risk of this happening, and waive their relevant rights, when purchasing these devices.

Principal analyst Aapo Markkanen concludes, “There is no one single silver bullet to mitigate the long-term DDoS threat that the growth in IoT devices poses to the Internet-based economy, and the response must be a mix of different remedies. Companies with anything at stake in the IoT need to come together and find the right avenues to advocate better developer practices. Given that there is a strong public, and national-security, interest in the issue, it would be wise for the industry to move proactively and come up with concrete proposals that will help set the right incentives for developers.”

Machina Research clients can read the full Research Note ‘IoT-enabled DDoS attacks demonstrate the need for more rigorous regulation’.

Meet Aapo at the IoT Security Foundation in London on the 6th December, where he will be delivering a presentation on IoT security.


About Machina Research

Machina Research is the world’s leading provider of strategic advice on the newly emerging Internet of Things, M2M and Big Data markets. Our Advisory Service provides comprehensive support for any organisation interested in these opportunities. Our vertical market information and forecasts cover sectors such as Industry, Healthcare, Cars and Cities. Furthermore, we provide guidance on commercial and technical best practice supporting all stakeholders in the sector including users, manufacturers, service providers, investors and regulators. In addition to our syndicated Advisory Service research we also undertake a wide range of client-specific custom research projects ranging from White Papers through to full go-to-market strategies. Machina Research is staffed by the leading industry analysts in the sector.

For further comments or more information on this press release, please contact us.