Cloudflare debuts a security solution for IoT

Cloudflare, the content delivery network that promises speed and security for websites, announced today that it’s moving into the internet-of-things industry with a security product called Orbit. Now, instead of just securing websites, Cloudflare wants to secure IoT devices too.

Orbit has been developed over the last 18 months in response to customer demand, Cloudflare CEO Matthew Price told TechCrunch. “We noticed a pattern of requests and turned it into a product,” Prince said.

Cloudflare’s move into IoT required quite a bit of customization and tweaking of its product in order to adapt it from website protection to smart toaster protection, but the effort makes a certain amount of sense.

After all, the security of internet-of-things devices is notoriously awful and it makes sense that security companies are eyeing the industry as a possible market. Clearly, whoever dreamed up internet-connected light bulbs was probably just thinking about how cool it would be to change the color of the light with the tap of a button, and not putting much thought into the fact that teenagers would commandeer the light bulbs using their default passwords and use them to DDoS each other over perceived snubs in online gaming.

But we’ve learned that, if you connect stuff to the internet — even with the grand intentions of mood lighting and convenience — someone will come along and ruin it.

IoT companies are learning this lesson the hard way. We saw this last year when the Mirai botnet hijacked webcams and used them to take out huge swaths of the internet. It’s not a problem that starts or ends with Mirai, but IoT manufacturers are starting to wake up to the fact that even though security might be boring and expensive, it’s important.

Enter Cloudflare. Orbit was created as an alternative approach to the patch system currently used to secure IoT devices.

Right now, when a vulnerability is discovered, an IoT manufacturer has to push a security patch to the device — if they’ve built the device to accept updates at all. But a rushed patch could potentially brick the device and piss off the customer, or a patch could be shipped too late to prevent whatever security problem arose in the first place. 

Manufacturers can use Orbit to force their devices to only connect through Cloudflare’s network, and Cloudflare can block exploits or prompt a device owner for further authentication if it suspects an attack.

Orbit is launching with 25 IoT businesses, but Prince says even that small pool will bring hundreds of millions of IoT devices behind Cloudflare’s network. He says interest has come primarily from the automotive and industrial industries, but smaller consumer device manufacturers are experimenting with the Orbit model as well.

One of those manufacturers is Lockitron, the maker of a home smart lock. “Keeping our products and customers secure is our primary concern,” said Lockitron co-founder Paul Gerhardt. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.”