A bit of the Internet broke this week. Over and over, news websites and security experts repeated themselves: “IoT devices cause major Internet outage”. And Twitter just let people regurgitate this over and over with a handy button. It was a serious attack, but not a single IoT device was implicated. Nobody seemed to care, because the lure of headlines like “Internet Toaster brings down Internet” was too great to pass up. The origin of this reporting seems to be a report on the causes of a DDoS attack on Brian Krebs. The report by Akamai, “SSHowDowN — Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns [PDF]”, implicated IoT devices but then went on to describe wireless access points, routers, Digital Video Recorders (DVRs) and IP cameras, none of which are new, and which only fall into a definition of IoT we previously mocked. Adding the buzzword IoT to a camera is like writing Virtual Reality on a Viewmaster to sell more units. If you call these devices Internet of Things then you might as well call every connected consumer device IoT. It disguises the problem and gives ammunition to that group in audiences at IoT talks who always ask, and then expect you to apologise for, every past and future vulnerability which could have killed their hypothetical cat, without acknowledging that the entire technology industry fights a constant infosec war and has done since the industry was born.
We’ve been wrong all the way: “The web is not the internet? What are you on about? Who cares?” That was an important lesson about the development of language.
What is The Problem Then?
If I can get off my high horse for a minute about retro-fitting names to things that were previously outside their scope, what are we actually witnessing here? My guess is unsecured consumer devices reducing in size and increasing in number, which also happens to be a key driver for IoT. More specifically, in this attack it’s the proliferation of poorly configured embedded Unix. It’s one of the IoT’s major problems, yes, but only as a subset of “poorly made consumer electronic devices”. It’s unfair to point at IoT devices and say “Ha, told you so!”. As Tom Coates points out, this could easily have been vulnerable WordPress blogs. What are the chances of this happening with IoT devices? Well, quite high, as it happens, but with one important distinction. The majority of the traffic seems to have been sourced from video devices. These can generate a considerable amount of legitimate data at the target. Sensors produce barely a trickle of data. Well, it’s not really about the sensors. Today’s devices aren’t native IP. They usually attach to a gateway. The ten smart lightbulbs in your house probably use a non-IP wireless network, and the gateway is the only device with IP capability, and more importantly with the ability to send traffic to the Internet. IP to the edge will always be just out of reach as our ambition to connect ever smaller things continues.
What can be done?
Some have suggested auditing code, open sourcing everything, import conditions and ‘writing really good code’, as if the developers just weren’t trying hard enough. This is wishful thinking, like demanding free speech and democracy worldwide or you’ll stamp your feet. Consider the crappy margins on hardware and the lifetime of the startups who make these devices. Everyone demands that they’re cheap; now we want them to be perfect? Companies like this are not equipped to cope with 35 serious protocol vulnerabilities a year which suddenly propel them to the status of rentable botnet. Yes, they make stupid mistakes in configuration, but as previously mentioned, so do people with WordPress blogs. Is this really an IoT problem? No. It’s a problem of accelerating complexity and disastrous attention spans.
How about Intrusion Detection and Prevention?
Perhaps we need to mitigate against the effect of the traffic. This sounds like a job for Intrusion Detection and Prevention (IDP), which ten years ago was little more than a big networking vendor’s marketing term for “logging bad shit on a server and occasionally emailing you about it”. Things have moved on, and the trickle-down effect is that IDP is possible on the devices themselves, and even on low-end hardware. Matt Webb wondered if a hardware botnet detector would be credible, using filters rather like the Akismet anti-spam blacklist. After a few hours yesterday mucking about with my overcomplicated firewall setup (think: retired CIA agent’s operations room in a basement) and investigating the Snort packet inspection software, I felt something was possible, but it would need packaging into an appliance. This would have to be a consumer-grade router, of course. And since ISPs seem to be the provider of crappy sub-£50 broadband routers, it’d have to be cheap enough and low-maintenance enough for them to supply it as part of your service. Good luck with that.
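To make the “botnet detector on the router” idea concrete, here is an added example (not code from the post, nor from Snort or Akismet) of the two checks such an appliance would run over the router’s own outbound flow log: a lookup against a shared blocklist, in the spirit of the Akismet analogy, and a rate rule that flags a LAN host pushing an implausible number of flows at one Internet destination within a short window, which is what a camera or DVR conscripted into a DDoS looks like from the inside of the home network. The flow record format, the thresholds, the LAN addresses and the blocklisted range (the TEST-NET-3 documentation prefix) are all constructed for the example.

```python
"""Toy outbound-abuse detector for a consumer router.

Added example, not code from the post. The 'ts src dst proto dport bytes' record
format, the thresholds and all addresses are constructed assumptions.
"""

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed shared blocklist, in the style of a community spam list.
# 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real bad actor.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

WINDOW_SECONDS = 60          # sliding window for the rate rule (assumed)
MAX_FLOWS_PER_TARGET = 500   # flows from one LAN host to one destination per window (assumed)


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str       # LAN source address
    dst: str       # Internet destination address
    proto: str
    dport: int
    nbytes: int


@dataclass(frozen=True, order=True)
class Alert:
    src: str
    reason: str
    detail: str


def parse_flow(line: str):
    """Parse one 'ts src dst proto dport bytes' record; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts, src, dst, proto, dport, nbytes = parts
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(int(ts), src, dst, proto.lower(), int(dport), int(nbytes))
    except ValueError:
        return None


def is_blocklisted(addr: str) -> bool:
    """Akismet-style check: is the destination on the shared list?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKLIST)


def detect(lines):
    """Return one Alert per (LAN host, reason), sorted, for the given flow records."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    flows.sort(key=lambda f: f.ts)
    alerts = {}

    # Rule 1: any flow to a blocklisted destination.
    for f in flows:
        if is_blocklisted(f.dst):
            alerts.setdefault((f.src, "blocklisted-destination"),
                              f"{f.src} -> {f.dst}:{f.dport}/{f.proto}")

    # Rule 2: too many flows from one host to one target inside the sliding window.
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    for f in flows:
        stamps = recent[(f.src, f.dst)]
        stamps.append(f.ts)
        while stamps and f.ts - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= MAX_FLOWS_PER_TARGET:
            alerts.setdefault((f.src, "outbound-flood"),
                              f"{len(stamps)} flows to {f.dst} within {WINDOW_SECONDS}s")

    return sorted(Alert(src, reason, detail) for (src, reason), detail in alerts.items())


def build_sample_flows():
    """Constructed flow log: a laptop browsing normally, a camera flooding one
    target with 600 small flows in 30 seconds, a DVR reaching a blocklisted
    address, and one malformed line that the parser must ignore."""
    lines = []
    for i in range(5):
        lines.append(f"{1_000_000 + i * 10} 192.168.1.10 198.51.100.{20 + i} tcp 443 {4000 + i}")
    for i in range(600):
        lines.append(f"{1_000_000 + i // 20} 192.168.1.20 198.51.100.7 udp 80 60")
    lines.append("1000050 192.168.1.30 203.0.113.9 tcp 22 512")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(f"{alert.src:15} {alert.reason:24} {alert.detail}")
```

The point of the rate rule is that it needs no knowledge of the target: the camera is flagged purely because no legitimate consumer device opens hundreds of flows a minute to one address, and the router sees every one of them. The blocklist rule is the weaker of the two, for the same reason spam blacklists are, which is that it is only as good as the last update the sub-£50 router actually fetched.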
Cutting People Off?
Perhaps cutting off subscribers is the answer. Well, it could be, had we moved to IPv6. Instead, many, many consumer ISPs still use IPv4, which allows our home networks to hide behind one router which knows what’s what. Or doesn’t know anything at all. Either way, it can’t direct good or bad traffic to your device unless your device asked for it. IPv6 changes this. It has enough address space to overcome the need to share a single address, making subscribers’ home networks publicly addressable, if not actually reachable. Do not expect the end user to know what you mean when you cut them off, let alone understand it and do something about it. Just calling a subscriber to inform them something’s wrong would cost the average ISP the subscriber’s profitability for the next two years. As the Internet becomes increasingly hostile, and that change accelerates past even experts’ capabilities to keep up, it’s possible the Internet will balkanise. Clearly there’s a political will to do this, often in the guise of a ‘safer internet’, sometimes suppression and censorship. Now imagine that ‘safe cloud operator’ was TalkTalk, and imagine they approached the security of that system with their previous panache. We can’t think of anywhere better to find a weaponised botnet which could be turned against the country it intends to protect. This isn’t the answer, but look forward to being told it is for the next decade.
IoT Will Destroy Everything
For now we’ll have to just put up with the “IoT will destroy everything” narrative. It seems unstoppable. I’m definitely not one to uncritically accept technology, but shouting that the sky is falling in doesn’t help us to distinguish the problems. The clumsy word “security” belies the complexity of authentication, authorisation, accountability, trust, tradeoffs and motives, but it serves as a very useful cosh to beat anyone with and doesn’t require any mental engagement in the problem.
What can we do from there?