A bit of the Internet broke this week. Over and over news websites and security experts repeated themselves. “IoT devices cause major Internet Outage”. And Twitter just let people regurgitate this over and over with a handy button.
Having an IoT startup, I have a vested interest in not having to explain myself every time I talk about IoT, so I decided to look deeper into the stories. What I found was that, although it was a serious attack, not a single IoT device was implicated. What I also found was that nobody seemed to care, because the lure of headlines like “Internet Toaster brings down Internet” was too great to pass up. But as the owner of the second, perhaps third, most successful IoT parody account on Twitter I’ve explored ideas like this until I eventually ran out of comedy. Has my satire helped jeopardise my own industry sector?
The origin of this reporting seems to be a report on the causes of a DDoS attack on Brian Krebs. The report by Akamai, “SSHowDowN — Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns [PDF]”, implicated IoT devices but then went on to describe wireless access points, routers, Digital Video Recorders (DVRs) and IP cameras, none of which are new, and all of which fall into a definition of IoT we previously mocked. Adding the buzzword IoT to a camera is like writing Virtual Reality on a Viewmaster to sell more units.
If you call these devices Internet of Things then you might as well call every connected consumer device IoT: routers, access points, video cameras, CCTV cameras, servers, laptops. This is not helpful. It disguises the problem and gives ammunition to that group in audiences at IoT talks who always ALWAYS ask
“Yeah but what about security?”
and then expect you to apologise for every past and future vulnerability which could have killed their hypothetical cat, without acknowledging that the entire technology industry fights a constant infosec war and has done since the industry was born.
But the deafening silence on Twitter of people disagreeing that this was IoT led me to think I was the old man yelling at clouds. I’d been wrong trying to be right before: “The web is not the internet? What are you on about? Who cares?” That was an important lesson about the development of language.
Eventually someone I respect hugely picked me up on it. Matt Webb challenged me that yes, a TiVo could be classed as an IoT device. Meanwhile Tom Coates, founder of Thington (and another hero) took the same side as me. And so I decided to write a strongly worded medium post. Because that’s what we do now.
If I can get off my high horse for a minute about retro-fitting names to things that were previously outside their scope, what are we actually witnessing here? My guess is unsecured consumer devices reducing in size and increasing in number, which also happens to be a key driver for IoT. More specifically in this attack it’s the proliferation of poorly configured embedded unix. It’s one of the IoT’s major problems, yes, but only as a subset of “poorly made consumer electronic devices”. Routers, APs and DVRs — all longer established — are the only documented culprits in these reports. It’s unfair to point at IoT devices and say “Ha, told you so!”. As Tom Coates points out this could easily have been vulnerable Wordpress blogs.
Unhelpful tarnishing aside, what are the chances of this happening with Actual IoT devices (as they are now called, yes?) Well, quite high, as it happens, but with one important distinction. The majority of the traffic seems to have been sourced from video devices. These can generate a considerable amount of legitimate data at the target. Sensors produce barely a trickle of data. Can a botnet consisting of sensors be a credible DoS attack?
Well, it’s not really about the sensors. Today’s devices aren’t native IP. They usually attach to a gateway. The ten smart lightbulbs in your house probably use a non-IP wireless network and the gateway is the only device with IP capability, and more importantly with the ability to send traffic to the Internet. IP to the edge will always be just out of reach as our ambition to connect ever smaller things continues.
Some have suggested auditing code, open sourcing everything, import conditions and ‘writing really good code’, as if the developers just weren’t trying hard enough. This is wishful thinking, like demanding free speech and democracy worldwide or you’ll stamp your feet.
Consider the crappy margins on hardware or the accelerating shitshow of javascript frameworks and the lifetime of startups who make these devices. Everyone demands that they’re cheap, now we want them to be perfect? Companies like this are not equipped to cope with 35 serious protocol vulnerabilities a year which suddenly propel them to the status of rentable botnet. Yes, they make stupid mistakes in configuration, but as previously mentioned, so do people with Wordpress blogs. Is this really an IoT problem? No. It’s a problem of accelerating complexity and disastrous attention spans.
Perhaps we need to mitigate the effect of the traffic. This sounds like a job for Intrusion Detection and Prevention (IDP), which ten years ago was little more than a big networking vendor’s marketing term for “logging bad shit on a server and occasionally emailing you about it”. Things have moved on, and the trickle-down effect is that IDP is possible on the devices themselves, even on low-end hardware.
Matt Webb wondered if a hardware botnet detector would be credible using filters rather like the Akismet anti-spam blacklist. After a few hours yesterday mucking about with my overcomplicated firewall setup (think: Retired CIA agent’s operations room in a basement) and investigating Snort packet inspection software I felt something was possible, but it would need packaging into an appliance. This would have to be a consumer grade router, of course. And since ISPs seem to be the provider of crappy sub-£50 broadband routers, it’d have to be cheap enough and low maintenance enough for them to supply it as part of your service. Good luck with that.
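To make the “hardware botnet detector” idea concrete, here is an added example (my own, not code from the original post, from Snort or from Akismet) of the kind of filter a gateway could run over its own outbound flow records. It assumes the router can export per-flow records (source, destination, port, bytes, timestamp); the addresses come from the RFC 5737 documentation ranges, and the per-device traffic profiles and thresholds are hypothetical. It flags a device on three signals: contact with a blocklisted destination (the Akismet-style filter), a flood of flows to one remote peer, and an outbound volume far above the device’s expected trickle.

```python
"""Gateway-side botnet-participation detector (added illustration, not a real product)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since an arbitrary epoch
    src: str         # LAN device address
    dst: str         # remote address
    dport: int       # remote port
    bytes_out: int   # bytes the LAN device sent in this flow


# Destination blocklist: the Akismet-style part of the filter.
# Placeholder from the TEST-NET-3 documentation range (constructed, not a real C2).
BLOCKLIST = {"203.0.113.9"}

# Expected outbound bytes per minute for each known device (hypothetical profiles).
PROFILES = {
    "192.168.1.10": 50_000,       # sensor gateway: barely a trickle
    "192.168.1.20": 60_000_000,   # IP camera streaming to its vendor cloud
}


def detect(flows, blocklist=BLOCKLIST, profiles=PROFILES, window=60.0,
           max_flows_per_peer=100, burst_factor=10):
    """Return {src: sorted reasons} for devices that look like DDoS participants.

    Flows are bucketed per (source, time window). For each bucket:
      1. any destination on the blocklist is reported;
      2. more than max_flows_per_peer flows to a single peer is treated as a flood;
      3. outbound volume above burst_factor x the device profile is a burst.
    """
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, int(f.ts // window))].append(f)

    findings = defaultdict(set)
    for (src, idx), fs in buckets.items():
        hit = {f.dst for f in fs} & blocklist
        if hit:
            findings[src].add(f"contacted blocklisted {sorted(hit)} in window {idx}")

        per_peer = defaultdict(int)
        for f in fs:
            per_peer[f.dst] += 1
        for dst, n in per_peer.items():
            if n > max_flows_per_peer:
                findings[src].add(f"{n} flows to {dst} in window {idx}")

        total = sum(f.bytes_out for f in fs)
        expected = profiles.get(src)
        if expected is not None and total > burst_factor * expected:
            findings[src].add(f"{total} bytes out in window {idx}, profile {expected}")

    return {s: sorted(r) for s, r in findings.items()}


def sample_flows():
    """Constructed sample: a healthy minute, then the sensor gateway misbehaving."""
    flows = []
    # Minute 0: sensor gateway uploads 2 KB every 10 s (normal).
    for i in range(6):
        flows.append(Flow(i * 10.0, "192.168.1.10", "198.51.100.5", 443, 2_000))
    # Minute 0: camera streams ~1 MB/s to its vendor cloud (normal for its profile).
    for i in range(60):
        flows.append(Flow(i * 1.0, "192.168.1.20", "198.51.100.7", 443, 1_000_000))
    # Minute 1: sensor gateway sends 200 flows to one victim and touches the blocklist.
    for i in range(200):
        flows.append(Flow(60.0 + i * 0.25, "192.168.1.10", "198.51.100.99", 80, 3_000))
    flows.append(Flow(61.0, "192.168.1.10", "203.0.113.9", 80, 200))
    return flows


if __name__ == "__main__":
    for device, reasons in detect(sample_flows()).items():
        print(device)
        for r in reasons:
            print("  -", r)
```

The camera is never flagged even though it moves far more data than the sensor gateway, because the check is relative to what each device is expected to do; that is the distinction the previous paragraphs draw between video devices and sensors, and it is why a per-device profile matters more than an absolute byte threshold on a consumer router.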
Perhaps cutting off subscribers is the answer. Well, it could be, had we moved to IPv6. Instead many, many consumer ISPs still use IPv4, which allows our home networks to hide behind one router which knows what’s what. Or doesn’t know anything at all. Either way it can’t direct good or bad traffic to your device unless your device asked for it.
IPv6 changes this. It has enough address space to overcome the need to share a single address, making subscribers’ home networks publicly addressable, if not actually reachable. Do not expect the end user to know what you mean when you cut them off, let alone understand it and do something about it. Just calling a subscriber to inform them something’s wrong would cost the average ISP the subscriber’s profitability for the next two years.
I attended last week’s Broadband World Forum at ExCeL London. What I found was essentially a race to the bottom with crappy broadband routers, and BT Openreach clinging ever more tightly to their legacy copper with a G.fast rollout. Botnets were not talked about. DDoS was not talked about. Consumer broadband means low-margin, high-volume consumer devices. These are made by larger companies who’ve had their devices on the Wild West side of the Internet for years and are still world-class terrible at security [TP-Link root backdoor http://websec.ca/advisories/view/root-shell-tplink-wdr740]
As the Internet becomes increasingly hostile and that change accelerates past even experts’ capabilities to keep up it’s possible the Internet will balkanise. Clearly there’s a political will to do this, often in the guise of ‘safer internet’, sometimes blatant suppression and censorship. If this happens I’d expect to see our broadband routers remotely managed by ‘safe cloud’ operators, continuously monitoring for botnet outbreaks, and impure thoughts.
Now imagine that ‘safe cloud operator’ was TalkTalk, and imagine they approached the security of that system with their previous panache. I can’t think of anywhere better to find a weaponised botnet which could be turned against the country it intends to protect. This isn’t the answer, but I look forward to being told it is for the next decade.
For now I think we’ll have to just put up with the “IoT will destroy everything” narrative. It seems unstoppable. I’m definitely not one to uncritically accept technology, but shouting that the sky is falling in doesn’t help us to distinguish the problems. The clumsy word “security” belies the complexity of authentication, authorisation, accountability, trust, tradeoffs and motives, but serves as a very useful cosh to beat anyone with and doesn’t require any mental engagement in the problem.
In the meantime two things we could do:
Is there a way you can contribute?