[IoT] How Azure IoT would have prevented a DDoS
Two weeks ago, parts of the Internet came to a halt due to a DDoS attack. DDoS attacks have become pretty common these last few years, but usually target a specific website. For instance, attackers might target microsoft.com and start firing enormous amounts of requests to it. Due to the load, the website will eventually choke and stop responding to both the malicious as to normal requests, with the result that the website is “down”.
There were two things that made this DDoS attack a bit different:
- This attack was not targeting a website or webservers, but instead DNS servers. DNS is used for address resolution, which comes down to translating a normal URL (like www.repsaj.nl) to an IP address. By targeting DNS servers, the attackers managed to bring down lots of sites at once, with your PC left unable to find the correct IP address for the website you requested. So in this case, the webservers were fine but the clients didn’t have a way to reach them.
- The attack was largely carried out using IoT devices. This included IP-connected webcams for instance, which many people have at home.
This uncovers a large security issue with lots of IoT devices, which could have been easily prevented (or at least a lot better secured) using a back-end like Azure. Let’s find out how…
Open ports are evil
The name Internet of Things implies that IoT devices have an internet connection. The idea behind IoT is that we link all sort of devices to the internet to make them smarter, more connected and more user friendly. Usually, a connection is bi-directional, allowing data both from the device as well as to it. In case of the before mentioned webcam; most of them have an internal webserver which hosts a page you can connect to. This requires you to open up a port in your router / firewall and that way enable it to be found online.
Now this does not need to be a problem, but often it is. Especially when one of the following applies:
- The device has security issues. Software requires constant patching. Might happen automatically on some devices, but on some it does not so you need to do it. And let’s be honest: who’s really patching webcams every week?
- Also, your manufacturer might stop producing security updates completely after a few years. So even if you’re willing to, there might be a time where there are no updates left to install.
- People who are completely unaware might not even change the default username/password for the device. This makes it super easy for attackers to gain access. A proper device will ensure that you do change the credentials, but unfortunately not all do.
No matter how well you try to keep things secured, an open port simply always introduces a security risk no matter what.
IoT Hub infrastructure
So how is IoT hub different? Three things to note:
- Connections are always initiated from the device itself. So you only need to ensure the device can access the internet, not that the internet can access the device. This makes a huge difference.
- Connections are easily (and by default) secured using encryption when the device supports it. This makes man-in-the-middle type attacks a lot harder since the data is not readable for third parties.
- The IoT hub has a default authentication mechanism which requires a device to present a key when connecting, ensuring that this device is known and authorized to use the hub.
These are all things that make a lot harder for hackers to get in. Note that I’m not saying it’s impossible, it never is. There is always a flaw, loophole or other way to crack the system; it’s just a matter of how much effort you need to put in. And with Azure IoT hub set-up, the effort involved is definitely a lot higher.
Will IoT hub help my webcam?
Back to the webcam example, which in retrospect is maybe not the best example. I have not seen any evidence of streaming video being delivered via Azure IoT Hub. You could send a picture every second or so, but realtime streaming video might not be the best use case. Luckily, that is not the point I’m trying to make. The point is that platforms like Microsoft Azure provide all kinds of ways to set-up services so that they’re connected and secure at the same time.
For our webcam example, for instance, you could take a look at Azure Relay which is a way to connect an on-premises hosted webservice to Azure without the need for inbound connections. So we could create a webservice with streaming capabilities which is relayed through Azure.
With your existing devices, you might be dead out of luck. If manufacturers do not provide patches or you do not update the software; you will be at risk. But hopefully manufacturers will increasingly start looking at cloud services to power their IoT devices in a way that security is provided by default instead of by exception.