In the past year, the Internet of Things played a starring role in at least one major Internet outage, where Dyn, a provider of DNS lookup services, was brought to its knees by an enormous, nearly 1Tbps denial-of-service attack that made use of hijacked IoT devices like web-connected cameras and DVRs.
Now the industry is striking back with new security guidelines — and those guidelines include email authentication.
The Online Trust Alliance just this week released an update of its IoT Trust Framework (.pdf), which provides a list of best practices and recommendations for manufacturers, buyers, and sellers of Internet-connected devices.
The recent attacks were a “shot across the bow,” said OTA president Craig Spiezle. The IoT industry needs to expect more attacks like this, and get ready.
Among the items that the OTA’s framework now considers mandatory: Email authentication. From the OTA’s framework:
31. End-user communications, including but not limited to email and SMS, must adopt authentication protocols to help prevent spear phishing and spoofing. Domains should implement SPF, DKIM and DMARC, for all security and privacy related communications and notices as well as for parked domains and those that never send email.
32. For email communications within 180 days of publishing a DMARC policy, implement a reject or quarantine policy, directing ISPs and receiving networks to reject email which fails authentication verification checks.
The OTA considers item 31 mandatory for IoT security best practices, while 32 is merely a recommendation. Neither is brand-new this year, but the OTA did add the option of a DMARC “quarantine” policy in item 32.
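The following is an added example, not code from the OTA or from the original post: it checks a domain's published SPF and DMARC TXT records against items 31 and 32 above. The records are passed in as strings so it runs offline (in practice they come from DNS TXT lookups), the domain names are constructed, and DKIM is left out because its key sits under a selector the caller has to know.

```python
# Added example (not the OTA's tool): check SPF/DMARC records against OTA items 31 and 32.
from typing import Dict, List, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def check_ota_items(spf_txt: Optional[str], dmarc_txt: Optional[str],
                    sends_mail: bool = True) -> List[str]:
    """Return findings (empty list = compliant) for OTA items 31 and 32."""
    findings: List[str] = []
    # Item 31: SPF and DMARC must exist, including on parked / never-sending domains,
    # which should publish 'v=spf1 -all' so that no host is authorised to send for them.
    if spf_txt is None:
        findings.append("item 31: no SPF record published")
    elif not sends_mail and spf_txt.strip().lower() != "v=spf1 -all":
        findings.append("item 31: non-sending domain should publish 'v=spf1 -all'")
    if dmarc_txt is None:
        findings.append("item 31: no DMARC record published")
        return findings
    tags = parse_dmarc(dmarc_txt)
    policy = tags.get("p", "").lower()
    # Item 32: within 180 days the policy must be quarantine or reject; p=none only
    # monitors and still lets spoofed mail through to the inbox.
    if policy not in ("quarantine", "reject"):
        findings.append(f"item 32: policy is p={policy or 'missing'}; use quarantine or reject")
    elif int(tags.get("pct", "100")) < 100:
        # pct<100 enforces the policy on only a sample of failing mail (DMARC tag, not in OTA text)
        findings.append(f"item 32: policy only enforced on pct={tags['pct']} of failing mail")
    return findings


if __name__ == "__main__":
    # Constructed sample records: a vendor domain that sends mail, and a parked domain.
    print(check_ota_items("v=spf1 include:_spf.example.com -all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print(check_ota_items("v=spf1 -all", "v=DMARC1; p=none", sends_mail=False))
```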
Why DMARC is relevant to IoT
Any company that communicates with customers needs to know that its customers can trust the messages that it sends. This is especially true when the company’s products may be subject to hacks.
For one thing, phishing attacks are closely connected with IoT pharming. For instance, in one recent case hackers targeted subscribers of a Brazilian ISP with phishing emails that looked like they had come from the ISP itself. When customers clicked on links in these emails, the attackers were able to compromise their DSL modems.
Given the generally lax security in many IoT devices, phishing doesn’t appear to be the primary way that devices get infected with malware like the Mirai botnet that took down Dyn for a day: Simply scanning IP addresses and trying various devices’ default passwords seems to be pretty effective for now.
However, as IoT vendors and distributors (such as ISPs) increase the default security settings of their devices, phishing emails like the one in Brazil might quickly become more important.
It is also important for IoT makers to have an authenticated line of communication with customers so they can more effectively distribute software updates for their gadgets. And since security patches are likely to be needed, you want to ensure that only legitimate software updates get through.
In short, in order to safeguard their email identities and protect their customers from phishing, IoT vendors are going to need email authentication. That’s why the OTA’s inclusion of DMARC in its framework is an excellent step.