IoT should be considered the Internet of Hacking (IoH).
Mirai – is a bot network that is powered by a range of devices including infected home routers and remote camera systems. It took over these systems by using their default passwords. The network of compromised machines is then targeted to overload a target network or service. Last week the Dyn DNS service was targeted which restricted access to lots of other services for users on the east coast of the US.
DNS is like a telephone directory of internet destinations, if no one knows where to go it becomes a lot harder to get in touch.
Mirai didn’t spring miraculously out of thin air. It finds its history in passionate gamers who used distributed denial of service (DDoS) attacks to slow down or even kick opponents off online gaming platforms. Eventually the gaming companies got hip to it and went after the cheaters, not to be outdone the cheaters went after the gaming companies.
Taking a service offline using DDoS became a source of extortion against online banking and e-commerce services. Attacks can be used as a form of ‘digital hit’ to take out opponents or critics like online security commentator Brian Krebs.
Moore’s Law meant that computing power has become so small and plentiful that it is surprising what we often have in the palms of our hands. The first Cisco router was built on the circuit board of a Sun Microsystems workstation. Home routers now are basically small computers running Linux. A CCTV camera box or a DVR are both basic PCs complete with hard drives.
Back in 2007, BlackBerry co-founder Mike Lazaridis described the iPhone as
“They’ve put a Mac in this thing…”
The implication being that the power of a sophisticated PC was essentially in the palm of one’s hand. The downside of this is that your thermostat is dependent on a good broadband connection and Google based cloud services and your television can get malware in a similar manner to your PC.
For a range of Chinese products that have been acknowledged as part of the botnet; the manufacturer acknowledged that they were secured with a default admin password. They fixed the problem in a later version of the firmware on the device. Resetting the default password is now part of the original device set-up the first time you use it.
The current best advice for internet of things security is protecting the network with a firewall at the edge. The reality is that most home networks have a firewall on the connected PCs if you were lucky. The average consumer doesn’t have a dedicated security appliance on the edge of the home network.
Modern enterprises no longer rely on only security at the edge, they have a ‘depth in defence’ approach that takes a layered approach to security.
That would be a range of technology including:
- At least one firewall at the edge
- Intrusion detection software as part of a network management suite
- A firewall on each device
- Profile based permissions across the system (if you work in HR, you have access to the HR systems, but not customer records
- Decoy honey post systems
- All file systems encrypted by default so if data is stolen it still can’t be read
- Updating software as soon as it becomes available
- Hard passwords
- Two-factor authentication
Depth in defence is complex in nature, which makes it hard to pull off for the average family. IoT products are usually made to a price point. These are products as appliances, so it is hard for manufacturers to have a security eco-system. The likelihood of anti-virus and firewall software for light bulbs or thermostats is probably small to non-existent.
The Shenzhen eco-system
Shenzhen, just across the border from Hong Kong has been the centre of assembly for consumer electronics over the past 20 years. Although this is changing, for instance Apple devices are now assembled across China. Shenzhen has expanded into design, development and engineering. A key part of this process has been a unique open source development process. Specifications and designs are shared informally under legally ambiguous conditions – this shares development costs across manufacturers and allows for iterative improvements. This doesn’t seem to improve product security, quite the opposite, hence the internet of hacking.
There is a thriving maker community that allows for blurring between hobbyists and engineers. A hobbyists passion can quickly become a prototype and then into production . Shenzhen manufacturers can go to market so fast that they harvest ideas from Kickstarter and can have them in market before the idea has been funded on the crowdsourcing platform.
All of these factors would seem to favour the ability to get good security technologies engineered directly into the products by sharing the load.
The European Union were reported to be looking at regulating security into the IoT eco-system, to try and prevent the internet of hacking, but in the past regulation hasn’t improved the security of related products such as DSL routers. Regulation is only likely to be effective if it is driven out of China. China does have a strong incentive to do this. But it is unlikely to do anything to help prevent the internet of hacking.
The government has a strong design to increase the value of Chinese manufacturing beyond low value assembly and have local products seen as being high quality. President Xi has expressed frustration that the way Chinese manufacturing appears to be sophisticated, yet cannot make a good ballpoint pen.
Insecurity in IoT products is rather like that pain point of poor quality pens. It is a win-win for both customers, the Chinese manufacturing sector and by extension the Party. More security related content can be found here.
WSJ City – Massive Internet Attack Stemmed From Game Tactics
Your brilliant Kickstarter idea could be on sale in China before you’ve even finished funding it | Quartz
Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica
Europe to Push New Security Rules Amid IoT Mess — Krebs on Security
Why can’t China make a good ballpoint pen? | Marketplace.org