Addressing IoT security with DNS and DNSSEC

We are witnessing a huge explosion in the number of Internet of Things (IoT) devices as a growing number of new “smart” consumer items, appliances, and vehicles are brought to market. While these devices introduce conveniences and enable new exciting applications and experiences, they introduce a high level of security risk to business and consumer networks. This is because manufacturers are frequently lax when it comes to the security implications of deploying smart connected devices in the wild.

So why does IoT pose a potential risk to consumers? These devices fall under the “set it and forget it” bucket. They are typically easy to set up – you connect them to whatever network or networks you use regularly and then you don’t have to think about the devices again. Consumers are focused on functionality instead of the way the devices are communicating with the outside world, about updates to the devices, or about the network security characteristics of the devices.  

From a manufacturer standpoint, security is typically an afterthought that is addressed post-design. Manufacturers are thinking about what the device can and should do from a product feature standpoint – not what it shouldn’t be able to do or how malicious actors might take advantage. For this reason, the security posture of a new IoT device is often lacking and may leave many potential vulnerabilities unaddressed. Further, once on the market, these devices are hard to update because they have their own operating system or firmware. After new iterations of that firmware, it can be difficult if not impossible to update the firmware itself, never mind applying security patches.

As the number of connected devices explodes into the tens of billions over the next several years, the implications of insecure IoT devices take on new urgency and significance. An office printer that is not properly protected may easily be taken over by malware and used in a DDoS attack to take down a business application or website. Likewise, a company’s connected camera system may become part of a botnet that drops ransomware on a home or corporate network. These attacks all have the potential to be business killers for those affected – imagine how users would react if their favorite music or TV streaming service went down for a day? Or how much revenue would be lost if an insecure device was the attack vector enabling a massive data breach against a major retailer?

Security experts have pointed to many solutions to the IoT security challenge, including superior baked-in security protections, separate networks for connected devices, and frequent monitoring of network activity. However, these recommendations have overlooked one solution every network already uses – DNS, or the Domain Name System. As the entry point to every application on the internet, DNS plays a critical role in the deployment of IoT technologies. It is the mechanism by which IoT devices discover and connect to internet or cloud services to transmit data and receive updates and commands.

Connected devices are often hard-coded to connect to corporate domains (think “api.thing-company.com”) for updates. They inherently trust that domain to be secure and reliable, which makes them vulnerable to DNS cache poisoning attacks. This common man-in-the-middle attack corrupts DNS data, causing the name server to return a fraudulent IP address. Malicious actors can use cache poisoning attacks to direct IoT devices to rogue update services, giving the actor an opportunity to ship a bad update to the devices, potentially compromising them, taking them offline, or hijacking the devices to leverage for botnet attacks on other organizations.

Because of this potential, DNS can and should play a vital role in IoT security efforts. Deploying security protocols for DNS security, called DNSSEC, ensures that IoT devices only receive authentic software and firmware updates. For example, when that connected fridge in the breakroom accesses the corporate network for its next software update, you can be assured that DNS will route the appliance to the correct website.

IoT devices also need to discover and connect to cloud-based systems for shipping or receiving data and commands. It is critical that these services be reliable and perform effectively, otherwise the organization is at risk for loss of data, compromised device functionality, and other similar threats. So in addition to DNSSEC, organizations should leverage redundant DNS networks and manage access to DNS configurations effectively with minimal permissions and two-factor authentication, ensuring maximum reliability of the DNS for cloud systems upon which connected devices depend, and maximizing operational security for the domains of those systems.

With the number of IoT devices expected to grow exponentially over the next several years, it is critically important for manufacturers to think about the security of these devices early – before they are deployed in the wild – as well as to consider the role DNS plays in IoT. Incorporating DNSSEC and ensuring the DNS setup for connected devices is secure and resilient is fundamental to IoT security and will only become more imperative in this rapidly advancing, connected world.