{"API Evangelist"}

Some Key IoT Security Considerations

I am continuing to learn from folks studying the recent DDOS attack on Krebs on Security. While not a straightforward API story, it overlaps with the API world in several ways, from the technical aspects of how the IoT devices were hacked and enlisted in the bot army, to how the hack has been analyzed online, and the sharing of machine-readable details of the attack.

There were some interesting nuggets from the attack analysis I wanted to include in my wider Internet of Things (IoT) research. When it came to the security lapses in the surveillance cameras, printers, and other devices used as part of the DDOS, there were several key areas in play:

While none of these areas speak directly to APIs, they definitely speak to some of the similar ways in which API security are compromised, and I think are also aspects of device operations that might be assisted, or improved upon with APIs. Right now I'm just adding this as security considerations for Internet of Things (IoT) implementations, but will also be keeping an eye out for any further role that APIs are playing in this type of attack, as well as the follow-up analysis.

Brian Krebs provides a wealth of insight into the attack, as well as the multiple other reports I've read. Krebs provided a CSV of the devices that had compromised passwords, something I am going to add the company URL and logo, as well as more product information to. This will help me learn more about the products contributing to the mayhem, as well as the companies behind them. After that, I will put some more thought into how APIs can be put to work helping make sense of this growing problem--if nothing else we can just use them to make the forensic details of each attack available online, so we can sift through the wreckage easier with each future event.