Rapid7 Aims to Stop IoT Devices from Becoming Pawns in Future Cyber Attacks

A little over a week ago, the East Coast suffered a major cyber attack that prevented users from accessing dozens of major websites, including Twitter, Amazon, Netflix, AirBnb and Reddit. The reason the internet essentially blew up for people on the Eastern seaboard is a major distributed denial of service, or DDoS, attack had been unleashed on Dyn, a New Hampshire-based DNS service provider that resolves domain names into IP addresses.

It was discovered soon after that a significant portion of the attack traffic came from a network of Internet of Things devices that had been hacked and taken over by a piece of malware called Mirai. This meant people who owned weakly secured devices that could connect to internet — like webcams and digital recorders — may have had no idea these devices were the perpetrators. As a result, manufacturers of connected devices with poor security protocols have since been recalled.

The risk posed by IoT devices has moved from theoretical to real-world.

In wake of the recent attack, Rapid7’s announcement of a new Internet of Things security practice seems prescient. The company unveiled the new practice on Tuesday, saying it will help companies developing internet-connected devices “think strategically about building security practices into product development cycles.” It will also provide “thorough assessment and testing of potential weaknesses for hardware and software,” as well as “forensic analysis for devices that have been compromised.”

The company said the recent cyber attack underpins the need for Internet of Things security.

“The risk posed by IoT devices has moved from theoretical to real-world. When we consider IoT, we’re no longer talking about a single or highly unlikely, targeted instance of a vulnerable device that leads to one compromised system or consumer. We’re now seeing large-scale attacks that leverage huge numbers of devices against extremely popular organizations,” Deral Heiland, IoT research lead at Rapid7, said in a statement. “As a result, device developers and manufacturers are coming under increased scrutiny and heightened expectations. Their products are assumed secure, though many of these product developers are still learning the fundamentals of secure design principles.”

With over 20 billion connected devices to come online by 2020 — according to research firm Gartner —Rapid7 said this creates new opportunities for attacks to steal information, gain access to physical spaces or even cause physical harm.

As part of Rapid7’s new Internet of Things practice, the company will also offer expertise in securing transportation hardware, with Craig Smith, author of “Car Hacker’s Handbook,” leading the offering.

“Over the past five years, we’ve seen increased recognition for security research as a valuable part of the transportation development process. Manufacturers are working to better understand how software vulnerabilities impact the safety of their products – we’re excited to continue forward on this path,” Smith said in a statement.