Business Security News, Cybersecurity // 01.11.2016
It was inevitable. If toasters and surveillance cameras became capable of destroying the internet, they eventually would. We caught the first glimpses of insecure connected consumer devices a few years ago, and many of us saw the problems these devices could cause in the future.
Back in 2010, the information security industry was in agreement that the chronically unpatched Windows XP computers that were so popular at the time posed an existential threat to the internet.
“XP is not fit for the internet,” we used to say.
And while we were busy rolling our eyes, the consumer electronics industry started banging on about “smart” TVs. Car manufacturers started discreetly shipping cars with SIM cards in their dashboards. It was becoming clear that the internet was going to be populated with more than just computers and mobile devices.
It would become a place for “things”.
The IoT is Unfit for the Internet…
A project called the Internet Census of 2012 amused many of us infosec professionals. Basically, this project allowed hackers to turn millions of vulnerable internet-connected TVs into scanboxes. In a less amusing event later that same year, a Finnish ISP had to do some serious cleaning up after a botnet consisting of thousands of digital set-top TV boxes started scanning through their networks.
But everybody just shrugged: nobody got hurt, and the internet appeared capable of tolerating such fooling around.
However, this confirmed our initial impression that “things” were not built for life on the internet. “The internet would teach them a lesson,” we thought.
Since then, we’ve seen unbelievably clumsy attempts by old-time device manufacturers to turn their wares into “remotely accessible” goods. We got cheap laughs out of watching the management interfaces of hockey rinks, a Swedish caviar factory, and wheat silos get exposed to the internet via unauthenticated remote management tools. Business decisions like these would have been unimaginable ten years ago. And these were most likely not deliberate business decisions this time either, but telltale signs of gross neglect in the making.
Meanwhile, electrical companies have installed “remotely readable” meters in basements and boiler rooms. It seems that only a handful of people have realized that these meters are “remotely managed”.
“What’s the difference?” I hear you asking. Remotely readable spells “vulnerable”. Remotely managed means “even more vulnerable”!
At the turn of the Millennium, the estimated “life expectancy” of non-firewalled Windows computers was measured in minutes. Internet worms like Sasser, Code Red and Bugbear caused global outbreaks so large that ISPs struggled to keep their services running. Some people will remember how the infamous Morris Worm (released exactly 28 years ago as of tomorrow) virtually brought the early incarnation of the internet to a halt in November 1988.
When I see what we now recognize as “the internet of things”, it makes me think we’ve learned nothing from our history of creating vulnerable, insecure devices and software.
For us in the cyber security community, the idea of an Industrial Devices Internet of Things represents something that is incapable of defending itself against any kind of internet threat whatsoever. We were struggling to come up with a proper acronym to describe this sorry state of affairs.
…or maybe the Internet is Unfit for the IoT
American journalist Brian Krebs was recently targeted with what was briefly crowned as the world’s largest denial of service attack. His service provider was forced to temporarily dump Mr. Krebs’ website in order to save its ability to serve other customers.
What was noteworthy is that the service provider in question was Amazon Web Services, operator of perhaps the world’s most powerful cloud platform. DDoSing is easy; bringing down giants like AWS is not. If AWS had gone down, the whole internet would surely have felt the effect. Since it was a near miss for everybody but Mr. Krebs, virtually nobody paid attention.
Another remarkable thing to note was that there were hundreds of thousands – maybe even millions – of IoT devices participating in the attacks as involuntary sources of attack traffic. Who would have guessed the IoT would ultimately be behind this?
The recent, brief collapse of Dyn’s services under a massive flood of DDoS attack traffic took highly popular and visible services like Twitter and Netflix down with it. The collateral damage from this affected millions of users.
Again, huge numbers of poorly secured IoT devices contributed to the attack.
Maybe these signs are trying to tell the world something. Maybe people who think that the IoT will suffer from a lack of device security have it wrong. Based on what I’m seeing, the rest of the internet (the companies, the people, the services) is what’s going to pay the price for the internet of insecure things.
So if we’re unable to fix the IoT, perhaps we need to consider fixing the rest of the internet.
[Image by DAVID BURILLO | Flickr]