Is Your Refrigerator Running? Then You Better Make Sure It's Not Trying to Take Down the Internet
Things are getting weird out here in IoT security. And that’s saying a lot. Because IoT security, along with being an oxymoron, is also one of the weirder corners of the tech industry right now, and it’s getting weirder by the day. It’s so weird that even Congress is trying to figure out what the hell is going on.
If you’re just joining us, this story, like all recent security stories, can be traced back to the horrific state of security in embedded devices. The rush to connect every electronic device, appliance, shoe, vehicle, and vending machine to the Internet led to an entirely predictable and predicted wackness that is now coming back to haunt all of us in very real ways. The Mirai botnet has become a media darling in the last couple of weeks, for a couple of reasons: 1) It is made up of cameras, toasters, and other non-computers; and B) Someone used it to attack a major DNS provider on Oct. 21, knocking a whole mess of large sites, Twitter and Reddit among them, offline for several hours.
This cannot stand.
It’s one thing for actual computers to attack each other. That’s been happening since the dawn of the Internet. (See: Morris Worm, est. 1988.) But when the formerly dumb devices we’ve trained to do our laundry and cooking and other menial tasks get in on the act, that’s a fridge too far.
And so we’ve come to a place where a veteran senator who knows his way around the technology world is asking the FCC, the FTC, and the Department of Homeland Security what the hell is going on out there. Sen. Mark Warner on Tuesday sent a letter to the heads of those three federal agencies expressing some serious feelings about the DDoS attack on Dyn last week and Mirai’s role in it, and asking what the agencies can do about it.
Let’s start with the last part. The answer is nothing. It’s much too late for any of those departments to do anything about the hundreds of millions of insecure IoT devices deployed around the country. That sinking ship has sailed, as Warner points out in his letter.
“Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or hard-coded (i.e., unchangeable) passwords, publicly accessible remote administration ports (akin to open doors), and susceptibility to brute force attacks,” Warner’s letter says.
“In my June 6th letter to the Federal Trade Commission (FTC), I raised serious concerns with the proliferation of these insecure connected consumer products, noting that the ‘ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet,’ potentially without adequate market incentives to adopt appropriate privacy and security measures.”
As Warner correctly points out, Mirai is a symptom of a much broader problem. Time to market and features trump security in almost every case in these devices, and that’s how we end up in the absurd position of having to ask consumers to unplug their quesadilla presses and reboot them to remove malware from their memory. 2016, everybody!
In his letter, Warner asks nine questions, several of which likely would produce some seriously sweaty meetings on Capitol Hill and in tech boardrooms. But perhaps the most pertinent one going forward is this:
Would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses?
This is a modern version of a question that many people have been asking for the better part of 20 years, ever since large-scale DDoS attacks became a serious threat to sites and network operators. ISPs typically respond to these attacks by filtering traffic in various ways, and that generally works. But DDoS attacks come in many shapes and sizes, and attackers adapt their tactics as they go along. So network operators have long sought the ability to identify and banish compromised machines from their environments, an idea that gave birth to network access control (NAC) many years ago.
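The scanning behaviour Warner’s letter describes (devices probed for factory-default or hard-coded passwords over open remote-administration ports, with brute force where that fails) and the “identify and banish compromised machines” idea behind NAC come down to the same defender’s question: which sources are guessing credentials, and which devices just let one in? What follows is an added example written for this post, not code from the letter, from Dyn, or from any ISP’s tooling, that answers that question over a handful of constructed device login log lines. The log line format, the IP addresses, the device names and the thresholds are all assumptions.

```python
"""Spot Mirai-style credential guessing in device login logs.

Added example for this post, not code from Warner's letter, Dyn, or any ISP.
The log line format, IP addresses, device names and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <device> <service> login <failed|ok> from <src ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<device>\S+) (?P<service>telnet|ssh) "
    r"login (?P<result>failed|ok) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: a fast burst that succeeds (cam-01), a slow burst that
# succeeds (dvr-02), one legitimate typo (router-03), and one source spraying
# a single attempt at three different devices.
SAMPLE_LOGS = """\
2016-10-21T11:00:01 cam-01 telnet login failed from 198.51.100.7
2016-10-21T11:00:02 cam-01 telnet login failed from 198.51.100.7
2016-10-21T11:00:03 cam-01 telnet login failed from 198.51.100.7
2016-10-21T11:00:04 cam-01 telnet login failed from 198.51.100.7
2016-10-21T11:00:05 cam-01 telnet login failed from 198.51.100.7
2016-10-21T11:00:06 cam-01 telnet login ok from 198.51.100.7
2016-10-21T11:05:00 dvr-02 telnet login failed from 203.0.113.9
2016-10-21T11:25:00 dvr-02 telnet login failed from 203.0.113.9
2016-10-21T11:45:00 dvr-02 telnet login failed from 203.0.113.9
2016-10-21T12:05:00 dvr-02 telnet login failed from 203.0.113.9
2016-10-21T12:25:00 dvr-02 telnet login failed from 203.0.113.9
2016-10-21T12:45:00 dvr-02 telnet login ok from 203.0.113.9
2016-10-21T11:10:00 router-03 ssh login failed from 192.0.2.5
2016-10-21T11:10:30 router-03 ssh login ok from 192.0.2.5
2016-10-21T11:30:00 cam-05 telnet login failed from 203.0.113.200
2016-10-21T11:30:01 dvr-06 telnet login failed from 203.0.113.200
2016-10-21T11:30:02 cam-07 telnet login failed from 203.0.113.200
""".splitlines()


def parse(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyse(lines, window=timedelta(minutes=5), max_failures=5, max_targets=3):
    """Return (scanners, compromised).

    scanners: source IPs that either racked up >= max_failures failed logins
              against one device inside `window` (vertical brute force) or
              failed against >= max_targets distinct devices (horizontal spray,
              the pattern a self-propagating bot shows as it walks a network).
    compromised: devices where a login succeeded on the heels of such a burst,
                 i.e. a default or weak credential was guessed.
    """
    by_pair = defaultdict(list)   # (src, device) -> events
    targets = defaultdict(set)    # src -> devices it failed against
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        by_pair[(ev["src"], ev["device"])].append(ev)
        if ev["result"] == "failed":
            targets[ev["src"]].add(ev["device"])

    scanners = {src for src, devs in targets.items() if len(devs) >= max_targets}
    compromised = set()
    for (src, device), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # timestamps of failures still inside the window
        for ev in events:
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if ev["result"] == "failed":
                recent.append(ev["ts"])
                if len(recent) >= max_failures:
                    scanners.add(src)
            elif len(recent) >= max_failures:
                # a success right after a burst of failures: the guess landed
                compromised.add(device)
    return scanners, compromised


if __name__ == "__main__":
    scanners, compromised = analyse(SAMPLE_LOGS)
    print("guessing sources:", sorted(scanners))
    print("devices to quarantine:", sorted(compromised))
```

Run against the sample, the fast burst against cam-01 and the spraying source are flagged and cam-01 is marked as compromised, while the one mistyped password on router-03 is left alone. The slow guesser working dvr-02 twenty minutes at a time slips through the five-minute window, which is the standing blind spot of any count-in-a-window rule; widening the window to two hours catches it, at the price of more false positives on busy devices. What comes out of the second set is a candidate list for the device owner or network operator to act on, which is a different thing from the automatic disconnect the next paragraph warns about.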
That can work well in an enterprise environment where you’re checking patch levels, but if ISPs such as Comcast or Verizon start throwing customers’ compromised devices off their networks, things will get very, very ugly very, very quickly. Customers pay a lot of American dollars to connect their devices to providers’ networks, and if they suddenly find them blocked, there will be a Mirai-sized flood of lawsuits.
But Warner’s letter raises an important question and it’s one that deserves some sober consideration in Washington as well as in Silicon Valley.