Internet of Things (IoT) may seem like the Wild West, but Cloudflare is looking to bring order to the chaos surrounding the burgeoning market for connected devices.
While IoT market is in its infancy, the risks have already been made disturbingly clear. Security researchers have successfully hacked into connected cars, given them access to systems critical to the safe operation of a vehicle. Some have already staged debilitating distributed denial of service (DDoS) attacks using an army of hacked IoT devices, knocking major websites offline.
If the ongoing security challenges faced by PC owners is any indication, the effectively patching of IoT devices in a timely and widespread manner may be next to impossible. To thwart IoT threats, Cloudflare Orbit service serves blankets devices with an extra layer of security instead.
Cloudflare product manager, Dani Grant, explained how it works.
"Cloudflare is running a firewall in thousands of nodes in over 100 data centers. As requests are proxied through Cloudflare to the devices, Cloudflare inspects the requests and checks them against a list of known attack requests," Grant told eSecurity Planet.
Of course, not all IoT services and devices are configured the same. "Orbit customers can additionally create custom rules to detect and filter traffic based on any traffic pattern," Grant continued. "When rules are added, they take less than 30 seconds to propagate to all data centers, and will then protect traffic to all devices."
Should a device vulnerability be discovered, vendors can deploy a virtual patch to all devices on the service simultaneously. "An example of virtual patching: when Cloudflare protected vulnerable web servers against the ShellShock bug," Grant said.
Cloudflare has also doubled down on secure authentication services, adding yet another barrier for hackers targeting IoT devices. In an April 27 blog post, Grant announced that "Cloudflare now offers enterprise domains TLS Client Authentication, a TLS handshake where the client authenticates the server's certificate (as with any TLS handshake) and also the client has a certificate that the server authenticates."
The approach helps reduce computational overhead and invalid traffic, she added. "With Client Authentication on Cloudflare, Cloudflare's edge handles the load of the TLS handshakes, validating the device client certificates and only sending the IoT infrastructure traffic from authorized devices."
Moreover, Cloudflare Orbit can adapt to an ever-changing threat landscape. "Orbit has the capability to protect against a range of attacks, as users can create their own rules to block traffic on any pattern," added Grant.