Friday’s distributed denial-of-service (DDoS) attack on a company whose servers monitor and reroute internet traffic caused sporadic outages at several major websites, including Twitter, Netflix, Spotify, and Residential Systems. It was a relatively minor inconvenience for many of us who were temporarily unable to reach favorite websites, but it was a major wake-up call for anyone who installs internet-connected devices and home networks for a living.
The most troubling aspect of the attack on Dyn—one of the many companies that host the Domain Name System (DNS), which functions as a switchboard for the internet—is that it apparently relied on hundreds of thousands of internet-connected (IoT) devices that had been infected with software that allows hackers to command them to flood a target with overwhelming traffic. Because these are the types of devices that many in our industry install or integrate with, we must understand the perils of security breaches associated with such products and take proper steps to protect our clients and our companies.
Network security is a topic that CEDIA VP of emerging technologies Dave Pedigo has been examining even before Friday’s attack. In fact, he just returned from the Consumer Technology Association’s Fall Forum/standards meeting in Austin, where the entire conference was focused on cybersecurity.
At the CTA conference Pedigo learned that the Dyn attack wasn’t the first of its kind. An earlier DDoS attack on KrebsOnSecurity was cited at the conference as the canary-in-the-coal-mine moment for the CE business. It also used IoT devices, such as IP-enabled cameras exposed through port forwarding, to send a 650 Gbps attack. And it was enabled by what Pedigo called the industry’s “functionality approach to design and purpose” when it comes to IoT products.
“Security isn't a priority,” he said. “[However,] adoption will be stifled if it isn't addressed.”
That said, the Dyn and Krebs attacks represent external threats, using IoT devices to attack websites and critical infrastructure but not to penetrate the home. So, we don’t need to panic, at least for now, according to Pedigo.
“It's just a wake-up call to get serious about security,” he stated. “For manufacturers, the message is clear: the days of security as an afterthought are over. Want to build a new product? Great. Question number one should be, ‘How are we going to make it secure?’ Question number two, ‘What do we want it to do?’”
For home technology professionals, there is no cybersecurity panacea. But there are solutions that help reduce risk. CEDIA and CTA are working on best-practice guidelines (first by identifying attack sources), and they are looking for anyone with expertise who would be willing to participate in their research. Designing systems with layer 3 switching, creating VLANs, and using firewalls will help as well.
It’s an area where most of the custom installation channel is lacking, noted Pat Hagerman, principal of home technology integrator cyberManor, in Los Gatos, CA. “I don’t think anyone in our industry, that I’m aware of, is doing a very good job on this,” he said. “Doing port forwarding is a really bad idea and exposes the end-point devices to these kinds of issues. Once we open the port, we are relying on the device manufacturer to provide a secure entry point into their device that can’t be compromised. It is unlikely that most do.”
Pedigo noted other solutions to help keep clients safe, including making key security devices work only on premises, not remotely (an isolated intranet), which he acknowledged is not practical for many clients. Another alternative, he noted, is to design truly custom security solutions, done with “creative thinking and deep understanding of how hardware works.”
“This will buy time for the IoT device makers and the U.S. government (which was at the CTA meetings) to develop more secure products and regulations (yes, they are coming) to enhance security, which will take years before it is in full effect,” Pedigo said.
Most important, Pedigo said, is educating homeowners about the inherent vulnerabilities of internet-connected devices. “It’s a risk-versus-reward matrix that you go through with your client,” he said.
And creating legal cover wouldn’t hurt either, Hagerman noted. “[As an industry], we don’t do a good job of creating contracts that provide indemnification against being sued when something like this, or another data breach, happens,” he said. “I think we have a ton of exposure, both as a company and as an industry.”
For a final word (for now) on the subject, we reached out to Access Networks CTO Brett Canter. He agreed that integrators need to be vigilant and ensure the equipment they install is configured correctly and kept up to date with the latest security patches.
"In many cases, hackers are exploiting known vulnerabilities for which the manufacturer has already released a patch," Canter said. "These are increasingly complex systems that require regular checkups and maintenance; 'set it and forget it' won't cut it. A maintenance plan that includes regular checkups and updates should be sold with every system."
Canter agreed that port forwarding should only be used when absolutely necessary. Instead, whenever possible, remote access to systems should be made through a secure VPN or a manufacturer’s cloud management console.
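The segmentation and remote-access guidance above (VLANs plus a firewall, no port forwarding, VPN for remote access) can be expressed as a single router ruleset. The nftables configuration below is an added illustration, not something from the article or from any of the companies quoted; the interface names lan0, iot0 and wan0 and the WireGuard port 51820 are assumptions for a router with a trusted LAN VLAN, an IoT VLAN and a WAN uplink.

```nft
# Assumed interfaces: lan0 = trusted LAN VLAN, iot0 = IoT VLAN, wan0 = internet uplink.
# There is deliberately no "nat" table with dnat rules: nothing from the internet is
# forwarded to a camera or hub on iot0, so no port forwarding exists to be abused.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside opened are allowed back in.
        ct state established,related accept

        # Trusted LAN may reach the internet and may manage IoT devices.
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept

        # IoT devices may reach the internet (vendor cloud, firmware updates)...
        iifname "iot0" oifname "wan0" accept
        # ...but any iot0 -> lan0 or wan0 -> iot0 traffic falls through to "drop".
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Remote access only through the VPN, which is the one inbound port exposed.
        iifname "wan0" udp dport 51820 accept

        # The router itself is reachable only from the trusted LAN.
        iifname "lan0" accept
    }
}
```

Load it with `nft -f` on the router and verify with `nft list ruleset`; an IoT device on iot0 should then be able to reach its vendor's cloud but not a laptop on lan0, and nothing on the internet should reach it directly.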
The equipment you choose to install is important, he added. "When possible, choose an established manufacturer who takes security seriously and regularly updates their product and patches vulnerabilities," Canter said. "Cheap no-name equipment is ripe for exploitation. When a manufacturer has nothing riding on their brand's reputation, they have very little incentive to prioritize security.
"These issues need to be part of a broader discussion with homeowners about security vs. convenience. In most cases, you need to sacrifice some degree of one for some degree of the other. Finding the right balance is much easier to achieve when integrators and homeowners stay educated and communicate regularly."