PRINCETON JUNCTION, N.J., Nov. 01, 2016 (GLOBE NEWSWIRE) -- A cascading string of distributed denial-of-service (DDoS) attacks—most recently taking down parts of hundreds of sites including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times—has demonstrated record-breaking volumes that are overwhelming website defenses. The four-fold growth in attack size over the last year is being driven by hundreds of thousands of internet-connected devices hackers are adding to their botnets, according to industry sources.
The attacks and dramatic growth in the strength of DDoS attacks highlight new vulnerabilities and the lack of security in the rapidly growing Internet of Things (IoT) industry.
With an estimated 21 billion devices expected to be connected to the internet by 2020, there is a critical need to ramp up the security of “things.” To do this, the Smart Card Alliance advocates for the addition of embedded security in IoT devices.
The vulnerability exploited in these DDoS attacks is just one of the many potential threats prompting the Smart Card Alliance recommendation to ensure that security requirements are included in the design of IoT ecosystems. This includes how communications with IoT devices are authenticated, how access is controlled, how data is protected, how IoT devices are managed during their lifecycle, and how the IoT device may impact other systems. While there is no silver bullet and effective security must have many levels, for those systems that impact life safety or the functioning of critical infrastructure, the Smart Card Alliance believes the addition of embedded security, which can be implemented using secure chip technology, is a necessity. This is the same technology currently being used in GSM mobile devices, payment chip cards, secure identity tokens and e-passports. Applying these techniques can deliver crucial security mechanisms for authenticating and authorizing access to, and protecting data being generated by or delivered to the billions of connected IoT devices.
According to the Smart Card Alliance, every IoT device serves as a potential entry point to a broader IoT ecosystem. These devices can become part of wider botnets, where many different devices – all connected to each other, all network-enabled – can bombard targets with crippling volumes of data, making it harder to detect and respond to DDoS attacks. If successful, these types of attacks can negatively impact businesses through unnecessary service disruption causing consumer frustration, loss of business productivity and profit, and exposed security vulnerabilities.
“These recent attacks, one of which was more than four times the size of the largest reported attack last year[1], are comparable to the massive payments data breaches that have been in the spotlight over the past few years,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “This is just the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical. To protect connected devices and their data, the IoT industry needs the attention, coordination and commitment to security that the payments industry is putting into securing payments.”
Embedded security can establish the “identity” of each device, ensure that access to the device is only allowed to authenticated and authorized entities, and protect the data being generated or delivered to the device. These are fundamental requirements to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate.
The Smart Card Alliance formed its Internet of Things Security Council to provide a single forum where all industry stakeholders can discuss applications and security approaches, develop best practices and advocate for the use of standards for IoT security implementations. The council welcomes participation from organizations involved in the many IoT ecosystems to participate in these efforts, as well as to network and share implementation experiences. More information about the council is available at http://www.smartcardalliance.org/activities-councils-internet-of-things-security/.
The Council initiative addresses in part the call from noted security researcher and author Brian Krebs for industry associations to start addressing IoT security issues. His own popular cybersecurity website, “Krebs on Security,” was an early victim of the recent spate of record DDoS attacks.
These topics and more were the focus of the Smart Card Alliance’s October Security of Things 2016 conference, held in Chicago. For a recap of the event, visit http://iotsecurityconnection.com/posts/security-of-things-2016-recap.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.
About the Internet of Things Security Council
The Smart Card Alliance’s Internet of Things Security Council develops and promotes best practices and provides educational resources on implementing secure IoT architectures using embedded security and privacy technology. The council focuses on IoT markets where security, safety and privacy are key requirements, and leverages the expertise and knowledge gained from implementing embedded security technology across other industries to provide practical guidance for secure IoT implementations. More information on the council’s mission and its current members can be found at http://www.smartcardalliance.org/alliance-industry-councils/.
[1] Akamai, State of the Internet / Security: Q2 2016 Report on DDoS & Web App Attack Trends