They say every cloud has a silver lining and that is certainly true for broadband operators in the wake of one of the biggest DDoS (Distributed Denial of Service) attacks yet and one which significantly was launched by hijacking IoT (Internet of Things) devices. The victim was French ISP and cloud hosting provider OVH, which in late September faced a massive DDoS attack from a botnet comprising at least 150,000 IoT devices, mostly CCTV cameras. According to OVH founder and CTO Octave Klaba the company’s servers were hit by multiple attacks occurring almost simultaneously and generating aggregate traffic in excess of 1 Tbps at the peak.
The silver lining for operators is that this gives them a unique opportunity to exploit the publicity generated by this breach, along with one or two others, which confirms the clear concerns SoftAtHome has been expressing over lack of IoT security for some time. As it happens, only a day or two after this huge DDoS attack occurred the non-profit Prpl Foundation published the biggest survey yet into IoT security, concluding that the “smart home is woefully insecure due to users’ failure to follow best practices.”
The prpl Foundation Smart Home Security Report noted that at least in some European countries smart home adoption had already reached tipping point with around five devices per household. The report, based on interviews with 1,200 respondents across the US, UK, France, Germany, Italy and Japan, also noted that home owners were very lax about IoT security, with 43% never updating their router’s firmware and as many as 93% of consumers regularly leaving one or more ports open on their router firewall. The latter leaves the home network open to the hijacking exploited in the DDoS attack on OVH.
Where we differ from the authors of that report is in putting responsibility for home IoT security squarely on the shoulders of the home owner. We do not believe that in the real world the majority of users will ever rigorously apply the procedures recommended in that report, which include regularly checking for router firmware updates, configuring firewall policies and using a guest network for both visiting and home devices, as well as closing all ports on the firewall.
So instead home broadband service providers can exploit their visibility into the home network via the Home Gateway, which they supply and can monitor continuously, in order to manage security on their customers’ behalf. They can apply all these measures recommended in the Prpl report and more.
Of course operators themselves need to have the expertise and tools available to manage IoT security for their customers and this is where SoftAtHome comes in. We provide the software running on the Home Gateway which is the cornerstone of home security and embodies that expertise needed to manage the emerging IoT ecosystem. Operators can of course rely on the proprietary software that comes with different brands of Home Gateway, but apart from being locked into a given hardware vendor this compromises security. Only by having an independent vendor dedicated to the software platform can operators be in full control over the home ecosystem.
SoftAtHome provides software fully secured on the Home Gateway that includes advanced security functions such as a proxy firewall, applying routing rules and enforcing policy to secure the digital home. All requests coming in and out are processed by our proxy firewall before being allowed to pass either way. In this way the operator is in control of the software running on the Home Gateway or CPE and is better placed with our help to ensure that they can embrace an expanding IoT ecosystem securely.
As the Prpl survey reveals, threats such as hijacking client devices to launch coordinated DDoS attacks are only going to increase with growing IoT device proliferation. It was perhaps no coincidence that this big DDoS attack occurred in France which has the highest IoT device penetration of the countries in the Prpl survey at 5.8 devices per home compared with just 2.6 in the UK and 2.4 in the US, despite some high profile deployments in those two countries. In that sense the OVH attack can be seen as a signal of things to come more widely around the world. It should also be a signal to operators that they now have a window to capitalize on the IoT security weakness and exploit that silver lining.
Another key point is that operators will have difficulty monetizing their IoT and Smart Home, given reluctance by their customers to spend extra on services beyond broadband or pay TV. However, as that prpl report indicated, users are becoming more concerned about IoT security and are willing to pay a premium to a broadband provider that they believe will protect them best against breaches. Therefore operators should look seriously at developing a proposition around the idea of a safer digital home comprising secure IoT devices. They can develop such an offer through independent CPE software like SoftAtHome’s. The Home Gateway can then become the secure custodian of the digital home, protecting the consumer as well as the operator’s network.
Content submitted by SoftAtHome