React, etc. Tech Stack

React, Flux, GraphQL, Hack, HHVM...? All of this and more!

Home Automation System exposed to DDoS reveals IoT risks

During 2016 some of the risks that security experts have warned regarding the IoT (Internet of Things) have realised.

The Mirai botnet using surveillance cameras and other devices have been disabling DNS (Domain Name Services) in the fall of 2016. With the notion of IoT and that devices from homes to light bulbs to heavy industrial equipment comes the risk of abuse.

The Mirai botnet wielded hundreds of thousands of innocent looking devices to disrupt network services, but the target can be more tangible than not being able to access your favorite social media.

In the latest series of home automation systems widely in use in Finland were disabled in such an attack. The attack caused some outages for core infrastructure services like heating and hot water delivery:

In an interview with Etelä-Saimaa, Rounela estimated the attack in Eastern Finland lasted from late October to Thursday the 3rd of November. The systems that were attacked tried to respond to the attack by rebooting the main control circuit. This was repeated over and over so that heating was never working.
DDoS attack halts heating in Finland amidst winter

In this latest case the reason was somewhat obvious as the tools were connected to the internet without proper firewall service. Apartment buildings are about as stationary assets as they come, so they're easy to keep control of centrally.

Where the challenge comes is more mobile devices that is projected to reach hundred of millions or even billions, enabled by the IPv6 standard. These devices will be much more mobile and firewalling will be much harder to control. In addition many of these these devices might be hard or impossible to update with security fixes, due to complexity or ignorance of technology vendors.

So similar to JavaScript that as a language and infrastructure allows developers to write everything from alert boxes on a website to enterprise grade service buses, it should be noted that the capability to do this does not mandate this creation. The IoT is a hype technology in a sense and everything from web developers in creative agencies to industrial automation giants are jumping on the bandwagon.

When acquiring critical infrastructure that will power cities for decades to come, it is good to treat technology as second. The vendor's proven capability to deliver and sustain systems whose lifespan is long should be given weight. An established industrial automation house providing a solution written in Java can be a valid chance over a flashy startup with a tool written in Node.js.

Written by Jorgé on Thursday November 10, 2016

Permalink -

« Keystone Node.js CMS receives React powered UI in 4.0 Beta - Debug Universal JavaScript running in Node.js and Chrome from VS Code »