Security experts have long warned that the connected devices that make up the so-called internet of things are far too vulnerable to hacking. These gadgets—fridges, fitness trackers, thermostats, sleep monitors, your next piece of jewelry—are like the zombie soldiers of the internet: often poorly secured and easily bent to the will of whoever compromises them. Small medical devices and industrial control systems can be manipulated to do serious harm, and smart home appliances can be hijacked to steal personal data or even spy on their owners, as owners of smart TVs vulnerable to CIA spy software recently learned from a WikiLeaks report.
To counter the growing risk, Cloudflare, which protects websites and networks from digital attacks, launched a new service on Thursday aimed at fending hackers off a range of connected devices, from sophisticated industrial equipment to home appliances. The San Francisco company also said it was working to create a security organization to form best practices and standards for protecting IoT devices that are often considered highly vulnerable.
Perhaps the most serious threat surrounding connected devices so far has been their hijacking in concert at massive scale: Last fall, tens of thousands of internet-connected devices, including home routers, security cameras, and DVRs, were infected with malware called Mirai, which organized the machines into a botnet that launched what were then the largest distributed denial of service attacks on record, reaching 1.2 terabits (1,200 gigabits) per second at their peak and disrupting access to major sites like Reddit, Twitter, and Netflix. In total, around half a million devices around the world were thought to be part of the botnet at the time, but only an estimated 10% of those took part in the attacks.
Recent data suggests Mirai wasn’t an isolated incident—a report released this week by security firm Symantec found attempted attacks per hour on the company’s set of test machines nearly doubled over the course of 2016. The scale of attacks is only limited by the market for the devices themselves: Some estimate that there could be more than 20 billion such internet things by 2021.
“If Something Went Wrong, Someone Would Die.”
The Mirai attack was a wake-up call for many IoT manufacturers, says Matthew Prince, cofounder and CEO of Cloudflare. His seven-year-old company had in recent years been getting more inquiries from makers of internet-enabled devices about how its tools could be of use, something that only accelerated after the Mirai botnet.
Cloudflare is best known for its content delivery network, which sits between its customers’ web servers and end users’ browsers, speeding up delivery of online content and filtering out malicious traffic such as denial-of-service floods and SQL injection attempts. The company says its network handles almost 10% of all internet traffic.
At the time of last year’s botnet surge, Cloudflare was already hearing from makers of systems for industrial operations like power plants, or computers that would be used in cars, where failures could have serious consequences, says Prince.
“About 18 months ago, we started to get calls to our sales team from various IoT manufacturers that were asking, could we be of help in protecting their devices,” he says. “These tended to be manufacturers who, if something went wrong, someone would die.”
The new service, Cloudflare Orbit, is directly geared toward manufacturers of consumer-grade IoT devices. In addition to protecting servers from attacks by malware like Mirai, Cloudflare will provide secure connections for potentially vulnerable internet devices themselves, keeping them from being reached by hackers or malware.
So far, Cloudflare says about 25 IoT manufacturers have been using the system over the past six months, including connected lock startup Lockitron, industrial monitoring company Swift Sensors, and Karamba Security.
With Orbit, device makers work with Cloudflare to ensure their devices are only able to communicate with remote servers through Cloudflare’s secured network, which would function like a VPN for the internet of things. Depending on their needs, they can use Cloudflare’s software development kits to implement firewall rules that restrict communications to the secure connection, or introduce more complicated rules that use cryptography to verify that each piece of data is actually passing through the Cloudflare network.
Manufacturers can then use a dashboard to set rules for what kind of traffic is allowed through the network. That lets them mitigate a vulnerability almost instantly at the network edge, without first having to distribute patches to every device in the field, he says. If a manufacturer learns that a factory-configured password gives attackers access to its devices, for instance, it can quickly tell Cloudflare’s systems to block traffic containing that string, or allow it only in situations it deems safe. Such a rule covers only traffic that actually transits Cloudflare’s network, which is why the devices are configured to accept nothing else; the underlying bug on the device remains until it is patched.
“In the simplest form, you’d just look for that default password, then you can simply block those requests,” Prince says. “You can require that those requests have some additional piece of information for them to pass through, so you could have an additional level of security—essentially in order to use that default password, you have to enter another password.”
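The rule described in the preceding paragraphs, as an added example that is not Cloudflare’s code and not the Orbit SDK: a Python sketch of an edge filter that blocks requests authenticating with a factory default password unless a second credential is also present, plus the device-side check that refuses any message not carrying a valid HMAC tag from the edge, so that traffic which bypasses the network never reaches the application. The shared key, the default password, the second-factor value and the JSON message format are all assumptions chosen for illustration; inspecting the password on the wire presumes the edge terminates TLS, as a reverse proxy does.

```python
"""Added example (not Cloudflare's code): a minimal edge rule in the spirit of
the default-password mitigation described above, and the device-side origin
check that makes the rule enforceable. Every constant here is a constructed
stand-in, not a real credential or key."""
import hashlib
import hmac
import json
from dataclasses import dataclass

EDGE_KEY = b"example-shared-edge-key"        # assumption: provisioned to device and edge out of band
DEFAULT_PASSWORD = "admin"                   # assumption: the vendor's known factory default
SECOND_FACTOR = "example-setup-token-123"    # assumption: extra credential required alongside the default


@dataclass
class Verdict:
    allowed: bool
    reason: str


def edge_rule(request: dict) -> Verdict:
    """Dashboard-style rule: a request that uses the factory default password
    is only allowed if it also carries the second credential."""
    if request.get("password") == DEFAULT_PASSWORD:
        if request.get("second_factor") != SECOND_FACTOR:
            return Verdict(False, "default password without second factor")
        return Verdict(True, "default password accompanied by second factor")
    return Verdict(True, "no default-credential match")


def sign(payload: bytes, key: bytes = EDGE_KEY) -> str:
    """Tag a forwarded message so the device can prove it came via the edge."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_origin(payload: bytes, tag: str, key: bytes = EDGE_KEY) -> bool:
    """Constant-time comparison of the tag the device received against the
    tag it computes itself; a missing, forged or truncated tag fails."""
    return hmac.compare_digest(sign(payload, key), tag)


def edge_forward(request: dict) -> dict:
    """Edge side: apply the rule; only allowed requests are tagged and forwarded.
    Blocked requests never reach the device at all."""
    verdict = edge_rule(request)
    if not verdict.allowed:
        return {"forwarded": False, "reason": verdict.reason}
    payload = json.dumps(request, sort_keys=True)   # canonical form so the tag is reproducible
    return {"forwarded": True, "payload": payload, "tag": sign(payload.encode())}


def device_accept(wire: dict) -> Verdict:
    """Device side: refuse anything without a valid edge tag (e.g. an attacker
    who reaches the device directly), then re-apply the rule as defense in depth."""
    payload = wire.get("payload", "").encode()
    if not verify_origin(payload, wire.get("tag", "")):
        return Verdict(False, "no valid origin tag: traffic did not transit the edge")
    return edge_rule(json.loads(payload))


if __name__ == "__main__":
    # Constructed sample requests: an attacker spraying the default password,
    # a legitimate setup request with the second factor, and a normal request.
    for req in ({"path": "/login", "password": "admin"},
                {"path": "/login", "password": "admin", "second_factor": SECOND_FACTOR},
                {"path": "/status", "password": "s3cret"}):
        out = edge_forward(req)
        print(req["path"], "->", out["forwarded"], out.get("reason", ""))
        if out["forwarded"]:
            print("   device:", device_accept(out).reason)
    # Direct-to-device attempt that bypasses the edge: no tag, so rejected.
    print("direct:", device_accept({"payload": '{"password": "admin"}', "tag": ""}).reason)
```

The edge rule is a plain string match, which is exactly what Prince describes in the simplest form; the HMAC tag is what turns the network rule into something the device can rely on, because without it an attacker who finds the device’s address can simply send the default password straight to it.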
When manufacturers do want to release a security update, having that network-level protection in place lets them do so at a more measured pace, he says, with more time to test and debug the fix than they would have if the devices were immediately exploitable. The company said pricing will be based on the number of devices protected and the volume of requests sent to and from them.
Historically, security experts have warned that many makers of IoT devices, especially consumer devices, have treated security and privacy as an afterthought in the rush to get products onto store shelves. Default passwords, unencrypted web connections, and software with known vulnerabilities have given attackers access to devices, and many vendors have been slow to fix security bugs in their device software. And with IoT technology, from hardware to communications protocols, far less standardized than its counterparts in the PC or smartphone industry, plugging security holes in one device doesn’t necessarily make the industry as a whole safer.
“All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices,” Symantec researchers warned in a 2015 report. “IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks.”
Larger IoT providers—the Googles and Amazons of the world—may build their own comparable secure networks, Prince acknowledges, just as their scale has made sense for them to build their own secure content distribution networks. And its network-based technique isn’t the only way companies are approaching IoT security: Chipmaker Micron Technology and Microsoft recently announced plans for secure hardware-based technology that would ensure only trusted and demonstrably secure systems could sign in to cloud servers. And San Francisco-based Bastille has focused on what the company calls the “internet of radios,” monitoring the airwaves inside businesses to understand what the devices on-site are transmitting digitally.
Many companies will likely take a hybrid approach: One early Cloudflare Orbit client, Karamba Security, says it intends to use Orbit in conjunction with its own tools that seek out and block suspicious code, in order to maximize protection for automotive systems.
“We view Cloudflare’s Orbit as a complementary solution that enables secure connectivity between the cars’ hardened controllers and the car company’s data center for trusted, over-the-air updates,” CEO Ami Dotan said in a statement.
The market for IoT network security is likely to keep growing, with research firm Markets and Markets predicting IoT security could be a $36 billion market by 2021. Researchers at Gartner placed security at the top of their list of top 10 IoT technologies for 2017 and 2018, noting, “IoT security will be complicated by the fact that many ‘things’ use simple processors and operating systems that may not support sophisticated security approaches.”
And that will likely mean more than one firm taking Cloudflare’s network-based approach, Prince says, especially as new attacks emerge. “My hunch is we won’t be the only provider of solutions like this.”