The DDoS attack against Dyn on Oct. 21 may not have been anything new or sophisticated to those steeped in cybersecurity, but it should serve as a significant wake-up call to retailers this holiday season and beyond, say experts. The attack — which caused widespread trouble for consumers trying to load major websites such as Etsy, Airbnb, Netflix and Twitter — was particularly notable because it appears to have relied on infecting internet of things (IoT) devices such as cameras, monitors and routers with software meant to flood targets with overwhelming traffic.
This should concern retailers that are investing heavily in IoT technology in order to gain operational efficiencies and enhance customer loyalty — everything from in-store personalization through beacons and other mobile technologies to remote inventory of consumers’ items, says Mandeep Khera, CMO of Arxan.
Most of these IoT devices, including edge devices, cameras, gateways and mobile applications, are easy pickings for hackers, he says. “As they roll out these sensors and adaptors to connect to consumer appliances, linking it to grocery carts, and eventually even to cars, all of these are connected at the gateway level,” he says. “Hackers can get into the gateway to the back-end server where data is transmitted.”
This leads to a serious conundrum: On the one hand, retailers are using IoT devices to provide more contextually relevant engagement and meaningful experiences for their customers in order to build loyalty and compete with online behemoths such as Amazon. On the other hand, if IoT devices cause vulnerabilities that deny access to a retailer’s ecommerce sites or mobile apps, it could be devastating, says Capgemini’s Bill Lewis: “For a retailer, the online channel is how they drive revenue, growth, customer engagement, stay competitive, and drive their business,” he says. “Having the ability to keep this channel available is as important if not more important than having loss prevention in the brick and mortar stores.”
IoT vulnerabilities speak to larger security issues
DDoS attacks are part of a “broader issue about the way in which organizations set themselves up to utilize the internet,” says Sean Curran, director of security and infrastructure for business consulting firm West Monroe Partners, who points out that vendors and retailers are not necessarily thinking about security first. “There is the widespread use of a single service provider for internet services, for example, and companies developing both hardware devices and software products are thinking less about security and more about getting into market first.”
The problem with IoT devices, he adds, is that it’s not that easy to “bolt on” security after the device is already developed and connected. “It’s been proven time and time again that as these devices become more and more connected, they are being exposed to attacks in the business that these devices have never been secured against,” he explains. “Everything is done at a software level — the IoT hardware is not hardwired to do a function. This allows changes on the fly, but the problem then becomes based in vulnerable software.”
Security was almost an afterthought for retailers, adds Khera, because everyone has focused on building and implementing IoT-enabled apps as quickly as possible. “Security has been ignored because the IoT devices themselves don’t cause much of an impact if stolen, but the devices themselves are far from the only issue,” he explains. “What retailers need to do is look at the entire infrastructure from endpoint to gateway, to the point of communication and the back-end server where data is transmitted, and come up really with an overall infrastructure policy on IoT.”