Practical Steps for Protecting IoT Devices


The security of IoT devices is a high priority these days, as attackers can use Distributed Denial of Service (DDoS) attacks to target them and wreak havoc on a system.

“Due to the sheer volume of unconnected devices, it can take hours and often days to mitigate such an attack,” says Adam Englander, who is a Senior Engineer of the LaunchKey product at iovation.

Adam Englander, Senior Engineer of the LaunchKey product at iovation
In his upcoming talk at ELC + OpenIot Summit, titled “IoT Lockdown — Battling Bot Net Builders,” Englander will discuss some practical steps developers can take to make their devices less vulnerable to attackers. We talked with Englander to learn more about these basic security techniques. What are some common ways that IoT devices are targeted by bot net builders?

Adam Englander: IoT devices are commonly used for a few purposes. One use is as a proxy server which allows attackers to masquerade their identity and location via the compromised device. This proxy allows the attackers to reach targeted systems with a lower level of defense as the IoT device will not be identified as high risk by standard criteria. Another use of compromised IoT devices is for sending spam or phishing emails.

Email providers work very hard at identifying spam and phishing SMTP servers. These efforts are thwarted by the randomness and scale of compromised IoT devices providing the ability to circumvent blacklists. Finally, the most well-known usage for bot nets is Distributed Denial of Service, or DDOS, attacks. Attackers use devices to flood targets with networking requests.

Due to the sheer volume of unconnected devices, it can take hours and often days to mitigate such an attack. The most famous being the October 2016 attack on Dyn, which caused Internet disruption for several hours across a large percentage of the United States. A lesser known DDOS attack was launched against Krebs on Security, a security news site. The Krebs on Security site used well-known Content Deliver Network (CDN) provider Akamai. According to Akamai, the attack was nearly twice the volume of their previously recorded level for a DDOS attack. What basic steps can developers take to ensure that their applications or devices are protected?

Englander: A great basic resource for developers would be the Open Web Application Security Project, or OWASP, IoT Project. The OWASP group has been providing similar information and resources for web application developers for over a decade. Are there tools that you recommend? Or other specific strategies?

Englander: IoT security, like any other, is best handled by via Defense in Depth. Defense in depth is based on the premise that any security protocol can fail. You must use the highest level of security at every vulnerable point, or layer, of your system. Adding each layer to the system makes a formidable fortress for attackers to penetrate. What’s the most important thing for developers to be aware of when securing devices from bot net builders?

Englander: Writing good software is not enough. Architecting the most secure solution requires layers of protection at the Linux level. Many of the bot nets being built today are utilizing poor Linux hardening. A few simple changes to the Linux OS configuration can make all of the difference. What else should developers know?

Englander: The source code of the malware used for the two DDOS attacks mentioned is available on GitHub:

Embedded Linux Conference + OpenIoT Summit North America will be held on February 21-23, 2017 in Portland, Oregon. Check out over 130 sessions on the Linux kernel, embedded development & systems, and the latest on the open Internet of Things. readers can register now with the discount code, LINUXRD5, for 5% off the attendee registration price. Register now>>