Security experts have long warned that the connected devices that make up the so-called internet of things are way too vulnerable to hack attacks. These gadgets—fridges, fitness trackers, thermostats, sleep monitors, your next piece of jewelry—are like the zombie soldiers of the internet, often poorly secured and easily vulnerable to the will of hackers. Small medical devices and industrial control systems can be manipulated to do serious harm, and smart home appliances can be hijacked to steal personal data or even spy on their owners, as owners of smart TVs vulnerable to CIA spy software recently learned from a WikiLeaks report.
To counter the growing risk, Cloudflare, which protects websites and networks from digital attacks, launched a new service on Thursday aimed at fending hackers off a range of connected devices, from sophisticated industrial equipment to home appliances. The San Francisco company also said it was working to create a security organization to form best practices and standards for protecting IoT devices that are often considered highly vulnerable.
Perhaps the most serious threat surrounding connected devices so far has been when they’re hijacked in concert at a massive scale: Last fall, tens of thousands of wired devices including internet routers, security cameras, and DVRs were infected with malware called Mirai, which organized the machines into a botnet that launched the largest distributed denial of service attacks in history, reaching 1.2 terabits (1,200 gigabits) per second at its peak and disrupting access to major sites like Reddit, Twitter, and Netflix. In total, around half-a-million devices around the world were thought to be part of the mysterious, malware-formed network at the time, but only an estimated 10% of those were involved in the attacks.
Recent data suggests Mirai wasn’t an isolated incident—a report released this week by security firm Symantec found attempted attacks per hour on the company’s set of test machines nearly doubled over the course of 2016. The scale of attacks is only limited by the market for the devices themselves: Some estimate that there could be more than 20 billion such internet things by 2021.
“If Something Went Wrong, Someone Would Die.”
The Mirai attack was a wake-up call for many IoT manufacturers, says Matthew Prince, cofounder and CEO of Cloudflare. His eight-year-old company had in recent years been getting more inquiries from makers of internet-enabled devices about how its tools could be of use, something that only accelerated after the Mirai botnet.
Cloudflare is best known for its secure content distribution network, which effectively sits between client web servers and consumers’ internet browsers, speeding up delivery of online content and filtering out malicious content like denial-of-service attacks and SQL injections. The company says its network handles almost 10% of all internet traffic.
At the time of last year’s botnet surge, Cloudflare was already hearing from makers of systems for industrial operations like power plants, or computers that would be used in cars, where failures could have serious consequences, says Prince.
“About 18 months ago, we started to get calls to our sales team from various IoT manufacturers that were asking, could we be of help in protecting their devices,” he says. “These tended to be manufacturers who, if something went wrong, someone would die.”
The new service, Cloudflare Orbit, is directly geared toward manufacturers of consumer-grade IoT devices. In addition to protecting servers from attacks by malware like Mirai, Cloudflare will provide secure connections for potentially vulnerable internet devices themselves, keeping them from being reached by hackers or malware.
So far, Cloudflare says about 25 IoT manufacturers have been using the system over the past six months, including connected lock startup Lockitron, industrial monitoring company Swift Sensors, and Karamba Security.
With Orbit, device makers work with Cloudflare to ensure their devices are only able to communicate with remote servers through Cloudflare’s secured network, which would function like a VPN for the internet of things. Depending on their needs, they can use Cloudflare’s software development kits to implement firewall rules that restrict communications to the secure connection, or introduce more complicated rules that use cryptography to verify that each piece of data is actually passing through the Cloudflare network.
Then, the manufacturers can use a digital dashboard to set rules for what type of traffic is allowed to pass through the network. That can let manufacturers address security vulnerabilities effectively instantaneously, without having to distribute security patches to all of the devices in the field, Prince says. If manufacturers learn that a factory-configured password can give hackers access to their systems, for instance, they can quickly tell Cloudflare’s systems to block network traffic containing that string of text, or restrict it to situations they deem safe.
“In the simplest form, you’d just look for that default password, then you can simply block those requests,” Prince says. “You can require that those requests have some additional piece of information for them to pass through, so you could have an additional level of security—essentially in order to use that default password, you have to enter another password.”
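The rule Prince describes can be sketched as a small request filter. This is an added example, not Cloudflare's code or configuration: the password, the extra secret, the `x-extra-auth` header name and the request layout are all constructed for illustration. It also checks URL-encoded and Basic-auth forms of the password, which a plain string match on the raw request would miss.

```python
import base64
import hmac
from urllib.parse import unquote_plus

# Constructed values for illustration; not real credentials or Cloudflare settings.
DEFAULT_PASSWORD = "admin1234"
EXTRA_SECRET = "second-secret-from-vendor"
EXTRA_HEADER = "x-extra-auth"  # hypothetical header name

def candidate_texts(request):
    """Yield decoded views of the request in which the password could appear."""
    yield unquote_plus(request.get("path", ""))
    yield unquote_plus(request.get("body", ""))
    auth = request.get("headers", {}).get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True)
            yield raw.decode("utf-8", "replace")
        except ValueError:
            yield auth  # malformed Basic header: inspect it undecoded

def uses_default_password(request):
    return any(DEFAULT_PASSWORD in text for text in candidate_texts(request))

def has_extra_secret(request):
    supplied = request.get("headers", {}).get(EXTRA_HEADER, "")
    return hmac.compare_digest(supplied.encode(), EXTRA_SECRET.encode())

def decide(request, allow_with_extra_secret=False):
    """Return 'allow' or 'block' for one request under the rule."""
    if not uses_default_password(request):
        return "allow"
    if allow_with_extra_secret and has_extra_secret(request):
        return "allow"
    return "block"

# Constructed sample requests (headers use lower-case names).
BASIC = "Basic " + base64.b64encode(b"admin:admin1234").decode()
SAMPLES = [
    {"path": "/status", "headers": {}, "body": ""},
    {"path": "/login", "headers": {}, "body": "user=admin&pass=admin1234"},
    {"path": "/login", "headers": {}, "body": "user=admin&pass=admin%31234"},
    {"path": "/config", "headers": {"authorization": BASIC}, "body": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], decide(sample))
```

Calling `decide(request, allow_with_extra_secret=True)` models the second variant in the quote, where a request using the default password passes only if it also carries the additional secret.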