IoT devices are notoriously bad at security and hackers keep taking over large swaths of devices to launch massive DDOS attacks across the internet. One example comes from late last year when Krebs on Security, a security news site, wrote about a large scale attack. This is an example of what Cloudflare’s new service Orbit aims to help.
As we talked to IoT companies, over and over again we heard the same thing. In the consumer electronics space, IoT manufacturers were telling us that they were shipping patches to their devices, but their end users didn’t always download and install them. (Reserve your judgment, how many times have you pressed ignore when your phone asked you to update its operating system?) In the industrial control, medical and automotive spaces, where devices are used in life-critical functions, we heard a different story. Even if someone wanted to apply a patch, it just wasn’t that easy.
“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, it protects it from exploits”, Cloudflare says in in the announcement, “And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.”
Orbit looks like a helpful step in the right direction for getting IoT devices patched and updated in a reasonable manner, while also giving vendors more time when one-day exploits are found.