Hi Ayla, besides pleading with end users to change the passwords on their various IoT devices, what can manufacturers do to prevent their products from being hacked and used in DDoS attacks?
With the October 21, 2016, DDoS attack against the DNS provider Dyn still fresh in everyone’s mind, your question is very timely.
You’re right to point out the importance of end users not leaving their connected devices with the default password, and not choosing an obvious password such as “password” if they do reset it. Exploiting default or easy-to-guess passwords is how the October 21 cyberattack happened. While it would be great if all end users practiced impeccable security hygiene, manufacturers of connected devices don’t need to wait for that unlikely scenario. Here are some things that manufacturers can do to reduce the chances that their devices will be hijacked and used in a DDoS attack:
- Make it easy for end users to change the passwords on all their connected devices. Don’t hide the mechanism for changing passwords or make it complex and difficult.
- Even better, compel end users to change the passwords on connected products the first time the products are set up. Enforce some minimum level of password complexity and set a password lifetime. In other words, make users change the passwords on some regular and reasonable schedule.
- Make it so that logging in to your IoT products using a username and password doesn’t allow access to the software code—so software can’t be changed and new software can’t be loaded onto the product—or the ability to change the behavior of the product in any way.
- Use per-device credentials, such as a unique encryption key for each connected product that provides authentication with the cloud. That way, even if a single connected product gets compromised, the breach affects only that one product.
- Include mechanisms for restricting access to the connected product. Access should require an authenticated user, and the device should in turn be authenticated to that user via the cloud.
- Use the latest security standards, such as WPA2 instead of WEP.
- Keep security mechanisms updated to the latest standards using secure over-the-air (OTA) updates.
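The first two items above (a forced password change at first setup, a minimum complexity rule and a password lifetime) can be enforced entirely in device firmware. The following C sketch is an added example, not Ayla platform code; the 90-day lifetime, 12-character minimum, factory default of “admin” and the small deny-list are constructed policy values, not anything the article specifies.

```c
/* Added example (not Ayla code): forced first-setup change, complexity and lifetime policy. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#define MIN_PASSWORD_LEN 12
#define PASSWORD_LIFETIME_SECS (90u * 24u * 3600u)  /* assumed policy: rotate every 90 days */
enum login_result { LOGIN_DENIED = 0, LOGIN_OK = 1, LOGIN_CHANGE_REQUIRED = 2 };
typedef struct {
    char password[64];
    uint32_t changed_at;   /* time of last change, in seconds */
    bool factory_default;  /* true until the owner sets their own password */
} device_creds_t;
/* Constructed deny-list of obvious choices; the last one would pass the character rules. */
static const char *const weak_passwords[] = { "password", "admin", "Password1234" };
void creds_factory_reset(device_creds_t *c) {
    memset(c, 0, sizeof *c);
    strcpy(c->password, "admin");  /* constructed factory default */
    c->factory_default = true;
}
/* Complexity rule: minimum length, mixed case, a digit, and not on the deny-list. */
bool password_acceptable(const char *pw) {
    bool lower = false, upper = false, digit = false;
    size_t n = strlen(pw);
    if (n < MIN_PASSWORD_LEN || n > 63) return false;  /* must fit password[64] */
    for (size_t i = 0; i < sizeof weak_passwords / sizeof *weak_passwords; i++)
        if (strcmp(pw, weak_passwords[i]) == 0) return false;
    for (; *pw; pw++) {
        lower |= islower((unsigned char)*pw) != 0;
        upper |= isupper((unsigned char)*pw) != 0;
        digit |= isdigit((unsigned char)*pw) != 0;
    }
    return lower && upper && digit;
}
bool creds_set_password(device_creds_t *c, const char *pw, uint32_t now) {
    if (!password_acceptable(pw)) return false;
    strcpy(c->password, pw);
    c->changed_at = now;
    c->factory_default = false;
    return true;
}
/* A change is required while the default is in place or the lifetime has elapsed. */
bool creds_change_required(const device_creds_t *c, uint32_t now) {
    return c->factory_default || (now - c->changed_at) >= PASSWORD_LIFETIME_SECS;
}
/* Login gate: a correct password grants service only once the policy is satisfied. */
enum login_result creds_login(const device_creds_t *c, const char *pw, uint32_t now) {
    if (strcmp(c->password, pw) != 0) return LOGIN_DENIED;
    return creds_change_required(c, now) ? LOGIN_CHANGE_REQUIRED : LOGIN_OK;
}
```

With this gate the factory password still authenticates the owner, but the only action it unlocks is setting a new password; the same state is reached again once the lifetime expires.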
Manufacturers need to figure out their own mechanisms for setting passwords. For the rest of these ideas, however, manufacturers not willing or able to become experts in all aspects of IoT security can turn to comprehensive IoT technology such as that provided by the Ayla IoT platform. Using the Ayla platform for IoT makes it much easier for manufacturers to build secure connected products—and to reduce the risk that their IoT products can be hacked and used in DDoS attacks.
What do you want to know about the Internet of Things? In our Ask Ayla ongoing blog series, Ayla Networks will answer questions about IoT technology, products, use cases, and trends. Submit your IoT question here or email to firstname.lastname@example.org, with the subject line: Ask Ayla. Check back often to see the answer to your question, as well as what others have asked.