Companies that don’t want to bother with securing their Internet of Things (IoT) products may want to use Cloudflare’s new service, Orbit, which promises to secure their products for them.
Growing Problem Of IoT-Powered DDoS Attacks
By now, the low security of the IoT is well known. We’ve seen multiple massive distributed denial of service (DDoS) attacks last year that disrupted major online services.
The future isn’t looking too bright, either, with more and more companies big and small hurrying to release their own IoT products. Security is often treated as an afterthought, mainly because a lack of it doesn’t typically affect the people who buy a product, but also because new features and lower prices are prioritized. Something may need to change in the IoT marketplace to incentivize manufacturers to also care about security.
Cloudflare Says IoT Not Like PC Industry
Cloudflare argues that the PC security model, where a flaw is found and patched by Microsoft a month or several months later, can’t scale to tens of billions of IoT devices. The company said that one of the reasons why the two industries are the same is because nobody really wants to update their smart toaster or light bulbs.
The company has a point there -- few would want to update every single electronics product in their home. However, a solution that comes to mind would be to use automatic updates similar to the ones used by Chrome, Firefox, and other apps.
Cloudflare also said that the main reason why even enterprise users don’t apply patches to their IoT products is that those products aren’t designed to be patched. The company cited Chrysler Jeep’s remote execution bug, which the car-maker couldn’t patch over-the-air and had to recall 1.4 million cars to resolve, as an example of this problem.
Again, this seems like it would be a solvable issue, if only companies would actually design their products with software security and a robust update system in mind.
Cloudflare’s “Orbit” Solution IoT Security Problems
Cloudflare argues that it could solve many IoT security issues by interposing itself between the device maker and the user by offering a third-party security layer. The company said could have solved the Jeep security issues, for example, by using a firewall to restrict direct access to the car’s vulnerable software.
Cloudflare will also use its own anti-malware system to filter known malware from passing through its network. Additionally, its customers will be able to write their own rules for the Cloudflare firewall affecting their devices, similar to how a Windows user creates their own firewall rules on top of the default ones.
Cloudflare said that it’s already protecting 120 million IoT devices with its Orbit security layer, and that Lockitron, which makes smart door locks, is one of the companies benefiting from this security:
“Keeping our products and customers secure is our primary concern,” said Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities,” he added.
An Old Solution To Even Older Security Problems
Although Cloudflare believes that the IoT industry isn’t like the PC industry, the security ecosystem of IoT devices feels much like the '90s era of Windows security. If IoT devices are like '90s Windows machines, then Cloudflare’s solution seems to be a 2000s-era security solution.
Firewalls started rising in popularity in the 2000s, but we’ve learned since then that they are far from impenetrable. In fact, companies such as Google and Duo are already moving away from such perimeter defenses in favor of better end-point security and other, more modern security systems.
That doesn’t mean Cloudflare’s solution isn’t a good one in the current wild, wild west of IoT security. Orbit could significantly improve the security of many IoT products on the market. However, it could be only a matter of time before this solution stops being enough, just as it happened in the PC market. Eventually, IoT manufacturers would likely learn that the best security is end-point security coupled with a solid update system.
