There have been some interesting stories in the press recently discussing how the proliferation of ‘Internet of Things’ devices is enabling certain forms of cyber attack.

The basic problem is that in order to be ‘connected’, an IoT device requires a higher level of processor sophistication than dumber devices. Generally this is required in order to run some form of communication protocol. The precise protocol is dependent to some extent on the connectivity technology chosen. The connectivity options are typically:

  • WiFi
  • Zigbee (or related mesh network)
  • GPRS/2.5G/3G/4G

I am not sure where the IoT moniker can and can’t be used. For instance, it is perfectly possible for a remote device to communicate via GSM SMS (historically called M2M or machine-to-machine communications), though this pre-dates the IoT moniker by decades.

The DDoS (Distributed Denial of Service) attack on the Dyn company’s DNS services was enabled by hackers’ ability to take control of millions of IoT devices. They then used them to generate massive amounts of traffic to swamp Dyn’s servers. Losing Dyn had knock-on effects, disrupting millions of large websites.

A different form of attack is described in a recent paper from the Weizmann Institute of Science entitled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction”. It describes a possible chain infection of IoT light bulbs. Plug in an infected bulb, and a software worm will find other bulbs within range and infect them. Provided there is a density of > 15k devices per km², a chain reaction of infection can be generated. Once infected, the bulbs could be made to flash randomly or be bricked. (The bulb manufacturers were informed and have since plugged the vulnerabilities.)

It would appear that security is an area of IoT implementation that has been overlooked and, as density of deployment increases, it cannot be overlooked any longer.