Simple Service Discovery Protocol Adds to IoT Complexity

“I woke up and turned around to find a gun in my face.” This is something that you may read in a book by Alistair MacLean, but with the threat of IoT looming over us, this is what anybody using IoT will face–except that the gun is invisible, held by a nameless hacker 200 kilometers away.

Much has been written about how secure–insecure, rather–IoT is. As with all forms of technology, security takes the back seat because people often concentrate on other features. IoT is no exception and the threat of Simple Service Discovery Protocol (SSDP) looms large over it. 

What is SSDP? Wikipedia says that SSDP has been around since 1999 (ironically, Kevin Ashton coined IoT in the same year) and is a network protocol for advertisement and discovery of network services. SSDP comes enabled by default on IoT devices; they use it discover each other on a network. 

This means that SSDP can be used to compromise a network using IoT. Some reports are already highlighting the danger of SSDP–NSFOCUS, in its bi-annual DDoS Threat Report (April 2015) said that more than 7 million SSDP devices globally could be exploited. Arbor Networks monitored 126,000 SSDP reflection attacks in JFM 2015 compared to 83,000 in OND 2014. In May 2015, Akamai said that SSDP attacks–which were not observed at all in the first half of 2014–accounted for over 20 per cent of the attack vectors in 2015. 

This shows how hackers are shifting focus. A blog entry on sucuri.net says that, while UDP (User Datagram Protocol) DDoS attacks are common and can be blocked by rule sets, SSDP attacks are rarer, which means that CIOs, CSOs and other tech people will take some time to come to grips with it. 

But while it is easy to patch servers, with IoT, it could be tougher–IoT relies not on one big device but on hundreds, perhaps thousands of small sensors. Changing them–for security or other reasons–will require firmware upgrades, which will take time to implement. 

The growth of IoT is so fast–Gartner said that around 26 billion IoT objects will be present in 2020, while IDC said that the worldwide market for IoT will touch $7.1 trillion in 2020–everything is at risk

Consider an example–if your car has IoT sensors that automatically tell the manufacturer about the status of critical components, a hacker may be able to use this channel to hack into the automobile company’s secure servers. He could then use some system to turn off petrol flow (that will be IoT enabled too) to a lot of cars, thus (hypothetically) bringing many cars to a standstill.

This is no pipe dream–IHS Automotive says that the number of cars connected to the Internet worldwide will touch 152 million in 2020. Any one of them could be a starting point for a hacker. 

I don’t know about you, but I’m really scared. So scared that I sleep with a Smith and Wesson .44 magnum revolver under my pillow. I feel safe for now, but it’s just a matter of time before the damned thing gets an IoT sensor…