Your next DDoS attack, brought to you courtesy of the IoT

I always knew Blankie was up to no good.


Axiom: The observed tendency for IoT manufacturers to release inherently insecure devices is unlikely to change significantly.

Axiom: Because attack software running on IoT devices need not necessarily affect the working of the device or the owner’s network connection in a noticeable way, even those device owners who have the technical expertise necessary to secure their devices have little incentive to do so.

Axiom: Sophisticated and effective attacks can be designed that do not require great computing power on any one attack node; the resources required should be well within the capacity of many existing and future IoT devices.

Therefore: any strategy for protecting the Internet from attacks using large numbers of connected devices that depends on securing IoT devices will inevitably fail.

TL;DR: If you expect Joe and Jane Homeowner (or Zhang Wei and Wang Fang Homeowner) to do your security work for you, dream on.

Even shorter summary: We’re screwed.


I dunno if we’re that screwed. Government regulation is coming to IoT. That will present its own set of problems but you can bet it will become a major issue the first time someone decides to make a political point by taking down the CIA’s website.


I don’t even know why the thing has to be smart or, if it is smart, why it needs access to the internet.


You don’t want your kettle to have half a gig of RAM and the ability to talk to Russian teenagers over the internet? You filthy, communist luddite!


To use a few less inane examples:

  • Refrigerators that can let you know when you’re running low on certain items or let you view cameras remotely to check those things while you’re away.
  • Motion detector lights that can log a warning to a web UI when triggered and maybe take a photo as well.
  • Moisture detectors that text or call you when they are triggered, possibly saving you a ton of money.

IoT absolutely should have hardened security; we shouldn’t be hearing about simple attacks on basic user/pass strings, repeated ad nauseam, or against unprotected telnet or other access ports. But there’s definitely a lot of useful applications for this sort of passive internet access.

This part, especially, is absolutely changeable. Building a device secured against basic security threats like the ones being discussed here is not difficult. More complex attacks? Sure, it starts being more difficult. But jumping the basic hoops of ‘user/pass are printed on the side to start with randomly, all non-required ports are shut down, etc’ is not crazy to get beyond.


It is bound to get worse with the rollout of IPv6 everywhere. A lot (most?) of the consumer routers do not provide any packet filtering on IPv6, leaving the insecure devices totally open with a publicly routable address. Problem exists in 100% of devices in my sample size of two: ISP provided cable modem and TP-Link Archer C7 router, which has been the Amazon #1 seller for a while.
FWIW, IPv6 is at 11%, and going up to 14% on Mondays and Tuesdays (wtf?):
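The comment above describes consumer routers that forward IPv6 without any filtering. The following is an added example, not code from the thread or from any router vendor: a toy model of a router’s IPv6 forwarding decision that contrasts an unfiltered router with one that applies a default-deny stateful policy. The prefix, addresses and packet sequence are constructed sample data, and the policy names `open` and `stateful` are this example’s own labels.

```python
"""Added example: a toy model of a home router's IPv6 forwarding policy.

Two policies are compared over the same constructed packet sequence:
  * 'open'     - forward everything (no IPv6 filtering at all)
  * 'stateful' - default-deny inbound; only replies to connections the LAN
                 side opened are forwarded in, plus ICMPv6 echo requests
Every address and flow below is constructed sample data (RFC 3849 prefix).
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Set, Tuple

# Constructed: the prefix the ISP delegated to the home LAN.
LAN_PREFIX = IPv6Network("2001:db8:1234::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""  # only meaningful for icmpv6


# (proto, lan_addr, wan_addr, lan_port, wan_port) of a LAN-initiated flow
ConnKey = Tuple[str, str, str, int, int]


class Router:
    def __init__(self, policy: str):
        assert policy in ("open", "stateful")
        self.policy = policy
        self.conntrack: Set[ConnKey] = set()  # flows opened from the LAN side

    @staticmethod
    def _from_lan(pkt: Packet) -> bool:
        return IPv6Address(pkt.src) in LAN_PREFIX

    def forward(self, pkt: Packet) -> bool:
        """Return True if the router forwards the packet, False if it drops it."""
        if self.policy == "open":
            # What the commenter observed: every packet is forwarded, so each
            # LAN device is reachable on its public address from anywhere.
            return True
        if self._from_lan(pkt):
            # Outbound: remember the flow so that its reply is let back in.
            self.conntrack.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        # Inbound from the Internet: allow only ICMPv6 echo (keeps the LAN
        # pingable without exposing services) and replies to known flows.
        if pkt.proto == "icmpv6" and pkt.icmp_type == "echo-request":
            return True
        reply_of: ConnKey = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return reply_of in self.conntrack


def simulate(policy: str) -> Dict[str, bool]:
    """Run one constructed packet sequence through a router and report
    which packets were forwarded, keyed by a human-readable label."""
    router = Router(policy)
    bulb = "2001:db8:1234::10"     # constructed: a LAN 'smart bulb'
    server = "2001:db8:ffff::1"    # constructed: the bulb's update server
    scanner = "2001:db8:dead::bad"  # constructed: an Internet host probing the LAN
    sequence = [
        ("bulb->server:443 (outbound)", Packet(bulb, server, "tcp", 50000, 443)),
        ("server:443->bulb (reply)", Packet(server, bulb, "tcp", 443, 50000)),
        ("scanner->bulb:23 (unsolicited telnet)", Packet(scanner, bulb, "tcp", 40000, 23)),
        ("scanner->bulb ping", Packet(scanner, bulb, "icmpv6", icmp_type="echo-request")),
    ]
    return {label: router.forward(pkt) for label, pkt in sequence}


if __name__ == "__main__":
    for policy in ("open", "stateful"):
        print(policy)
        for label, forwarded in simulate(policy).items():
            print(f"  {'FORWARD' if forwarded else 'DROP   '} {label}")
```

The point of the model is the third packet: with IPv6 there is no NAT to hide the bulb, so unless the router tracks LAN-initiated flows and drops everything else, an unsolicited connection to the bulb’s telnet port goes straight through.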


Less inane perhaps, but I don’t feel the need for any of those. Even the moisture detector - last time my pipes burst was about thirty years ago. IoT is clearly a solution in search of a problem. A good application will be found, no doubt, but for now it’s all singing light bulbs and magical cars.


It’s not difficult … but it’s not done. The reason for my pessimism is exactly that: securing devices in a way that protects against basic attacks is, as you say, not difficult. But we’re already seeing stupid vulnerabilities, stuff that even a moment’s thought would have made clear was just a bad, bad idea.

I think we’ll definitely see the emergence of basic best practices, and more devices will ship as essentially secure rather than essentially insecure. So you’re right, this will change. But it won’t change enough.

You only need one popular manufacturer to ship things with a default password, because they think that a per-device password is too much of a burden on manufacturing or on the end-user, or to add some other “convenience feature” that opens the thing wide up. One developer cuts some corners to meet his deadlines, and that’s all she wrote. I’m a developer; we do this all the time, and we always promise ourselves that we’ll come back and fix it later, and we (almost) never do.

Prediction: as a rule, built-in security will be worst in the cheapest devices (because if security comes with any kind of cost, that’s the corner that will get cut first). The cheapest devices may also end up being the most widely-deployed.

Prediction: as more manufacturers get into the IoT market, they will increasingly use standardized components, or standardized libraries (because why bother with custom firmware when you can just have your lightbulb run a Node server?). Again, the components used will be the cheapest available; the libraries used will never be updated. Once a vulnerability in a widely-used common hardware or software component is discovered, all bets are off.

Prediction: As a rule IoT devices won’t update their software/firmware: the remote update process is too tricky to get right, with a high risk of bricking the device (“Some Turkish guy unpublished his Node library and half the country went dark”) or even of the update process being used as an attack vector. So whatever it ships with – and whatever vulnerabilities it ships with – is onboard for the lifetime of the device.


“smart” things go on the internet. That’s the “smart” part.


I would like to have infinitely more control over my router. Imagine a router with a nice UI that can tell you stuff about the traffic on it.

Being able to use updated blockinglists that vary from only blocking certain tracking domains, to blocking every company you think is unethical (all trackers, Google, Facebook etc).

Being able to monitor the traffic on your router, seeing what price your mobile ads are going for in those insane invisible auctions, seeing how often that browser plugin (or mobile app) phones home and what it’s saying about you and seeing what devices are receiving orders from a botnet and limiting their access to just the local network.

I know this would be massively complicated to the normal user but it would lower the barrier for learning about this stuff by a huge factor. Imagine every IT nerd using something like this instead of only security researchers, imagine the amount of extra eyeballs on all those badly written pieces of networked code.
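As an added example (not code from the thread, and not tied to any real router product), here is a small analysis pass over a home router’s connection log in the spirit of the wish above: find LAN devices whose outbound traffic looks like DDoS participation or like regular polling of an outside host, and list them for LAN-only isolation. The log line format, the `192.168.` LAN prefix, all addresses and the thresholds are constructed assumptions; a real router exporting conntrack or NetFlow records would need its own parser.

```python
"""Added example: flag LAN devices behaving like bot nodes from a router log.

Two behaviours are scored per (LAN device, external host) pair:
  * flood   - many connections to one external host inside a short window
              (what a device taking part in a DDoS looks like from the LAN)
  * beacon  - a steady trickle of connections to one host at a fixed interval
              (a device polling for instructions)
Log format, addresses and thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List

# Constructed log format: "<iso-timestamp> src=.. dst=.. proto=.. dport=.. bytes=.."
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) bytes=(\d+)$")


def parse(lines: List[str]) -> List[dict]:
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than crash
        ts, src, dst, proto, dport, nbytes = m.groups()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_lan(addr: str) -> bool:
    return addr.startswith("192.168.")  # constructed LAN prefix for this example


def analyse(lines: List[str], flood_threshold: int = 20, flood_window_s: float = 10.0,
            beacon_min: int = 6, beacon_max_jitter_s: float = 1.0) -> Dict[str, List[str]]:
    """Return {lan_device: [finding, ...]} for devices that trip either rule."""
    by_pair = defaultdict(list)
    for f in parse(lines):
        if is_lan(f["src"]) and not is_lan(f["dst"]):   # outbound flows only
            by_pair[(f["src"], f["dst"])].append(f)
    findings: Dict[str, List[str]] = defaultdict(list)
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f["ts"])
        t = [(f["ts"] - fl[0]["ts"]).total_seconds() for f in fl]
        # flood: largest number of connections inside any sliding window
        j, widest = 0, 0
        for i in range(len(t)):
            while t[i] - t[j] > flood_window_s:
                j += 1
            widest = max(widest, i - j + 1)
        if widest >= flood_threshold:
            findings[src].append(f"flood: {widest} connections to {dst} within {flood_window_s:.0f}s")
        # beacon: enough connections, evenly spaced, with a real pause between them
        if len(t) >= beacon_min:
            gaps = [b - a for a, b in zip(t, t[1:])]
            if pstdev(gaps) <= beacon_max_jitter_s and mean(gaps) >= 5:
                findings[src].append(f"beacon: {len(t)} connections to {dst} every ~{mean(gaps):.0f}s")
    return dict(findings)


def isolate_list(lines: List[str]) -> List[str]:
    """Devices the router should restrict to the local network."""
    return sorted(analyse(lines))


def constructed_log() -> List[str]:
    """Constructed sample data: a bulb flooding one host, a camera beaconing,
    a laptop browsing normally, and one unparseable line."""
    base = datetime(2016, 10, 21, 12, 0, 0)
    lines = []
    for i in range(30):   # 'smart bulb': 30 connections to one host in 6 s
        ts = (base + timedelta(seconds=0.2 * i)).isoformat()
        lines.append(f"{ts} src=192.168.1.40 dst=203.0.113.5 proto=tcp dport=80 bytes=60")
    for i in range(8):    # 'camera': a tiny connection every 60 s to one host
        ts = (base + timedelta(seconds=60 * i)).isoformat()
        lines.append(f"{ts} src=192.168.1.41 dst=198.51.100.7 proto=tcp dport=8080 bytes=90")
    for dst, off in [("93.184.216.34", 3), ("198.51.100.9", 17),
                     ("203.0.113.77", 44), ("93.184.216.34", 51)]:   # 'laptop'
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} src=192.168.1.20 dst={dst} proto=tcp dport=443 bytes=4200")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for device, notes in analyse(constructed_log()).items():
        print(device, "->", "; ".join(notes))
    print("isolate to LAN only:", isolate_list(constructed_log()))
```

The two rules are deliberately crude; the value of putting them in the router, as the commenter suggests, is that the router sees every device’s traffic and can act on a finding (here, the isolation list) rather than just display it.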


Are you so cynical as to not see why anyone would want those? I don’t want an art easel, but I don’t shout about how dumb it is that anyone would want one.


You can roll your own with software like PFSense if that’s your goal. I used to but found it simply too finicky long term compared to a consumer device.


That’s the thing – applications always occur. It’s like the CEO of Digital who didn’t see the point of personal computers in the 1970s (which ultimately led to DEC’s downfall). Objectively he was right – 1970s personal computers were just technology in search of an application.


I’m absolutely fine with the withering chore of checking if I’m out of cheese all on my ownsome, without the help of a sentient refrigerator.


What has to happen to make this change is that the manufacturers have to be held financially accountable for their lax security and abandonware. Only when they have skin in the game will they change.


The first fecal geyser from the Internet of Shitty Things, and it’s definitely not going to get any better.

If you think it will, remember that DDoSes have been happening since before 2000 (they’re 20 years old) and the ‘well of course we’ll find a solution, this is intolerable’ people have been completely unsuccessful at finding any. The best you can do is mitigate it a bit.

Manufacturers don’t care, ISPs don’t care, and consumers don’t care. Except for the brief times where they’re specifically targeted. (This also confirms the pervasive ISP lie about limited bandwidth - they don’t really care.)


Gotta take your B.S. in Plugged Toaster Systems Administration, why not?


[quote=“doctorow, post:1, topic:86612”]The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.[/quote]Seems to me I was reading dire warnings of this fifteen years ago. Reckon it was Steve Gibson’s articles – which now seem to be no longer available on his website, possibly because he seems to have attracted a goodly amount of criticism for his alarmism.
