It didn’t have to happen.
Last month’s massive distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) service provider Dyn, which used a botnet of thousands of Internet of Things (IoT) devices to disrupt dozens of major websites including Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times, could “easily” have been prevented.
That contention comes from the Online Trust Alliance (OTA), creator of what it calls the "IoT Trust Framework", 31 principles designed to improve the security and privacy of connected devices and data, which it released this past March (see sidebar).
The declaration was not a direct response to the Dyn attack – it came more than a month earlier on Sept. 8. The OTA announced that, “every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided.”
Not some. Not most. All of them.
Which would appear to run counter to the mantra of every security expert in the world: There is no such thing as 100 percent security.
Craig Spiezle, OTA executive director and former director of security and privacy at Microsoft, agreed that a blanket statement like that, on its face, could easily be interpreted as hyperbole.
“There is no perfect security,” he said. But he added that IoT devices could and should have vastly better security than they do, and if they did, a DDoS attack like the one against Dyn would have been difficult to impossible.
“What we have observed is that the inherent design of the devices, and their supporting applications, have not embraced security fundamentals nor fully anticipated the need for a security development lifecycle discipline – what we call ‘sustainability,’” he said.
While the mainstream media and some government officials presented the attack as a shocking development, security experts agree that nobody should have been surprised.
Since the “birth” of the modern IoT, said to be around 2008 – the point at which there were more connected devices than people in the world – there have been constant warnings from security experts, in everything from blog posts to television interviews to conference keynotes, that those devices were insecure – catastrophically insecure.
Among the numerous vulnerabilities are that most of them have open and discoverable administrative controls, default passwords and no capability to be patched or updated.
Experts have warned that an attack surface that broad and vulnerable would prove irresistible to criminal hackers.
Indeed, the conclusion of analysts is that the attack was most likely carried out not by a hostile nation state or sophisticated cyber criminals looking to extort money from large websites, but by “script kiddies” who used the Mirai malware source code after finding it posted publicly on the website Hackforums.
And this latest attack confirms that a massive compromise of those devices is not just a threat to the individual owners, but to the entire structure of the Internet. While laptops have been used to create botnets for years, IoT devices are much more attractive, since there are so many more of them, and many of them are on all the time.
Reportedly, webcams and DVRs were the main devices used in this attack. But other IoT devices range from toasters to alarm clocks, pressure sensors, valves, thermostats, light bulbs, refrigerators, door and window locks, vehicles, printers, medical devices on up to the power grid. They’re all called “smart.” But they have not been built smart enough to protect themselves and their owners.
Current estimates are that there are somewhere between 13 billion and 18 billion IoT devices now in use.
Still, while security experts are not surprised, others apparently are. US Sen. Mark Warner (D-Va.), cofounder of the Senate Cybersecurity Caucus, sent a letter last week to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center (NCCIC), expressing alarm at the Dyn attack and calling for everything from government alerts to retailers and consumers about insecure IoT devices (which would include most of them) to keeping insecure devices off the internet by denying them IP addresses.
Warner’s staff said he was unavailable, and declined to comment on why such a letter wasn't sent years ago.
There were also calls from several Silicon Valley-based cybersecurity venture capitalists for IoT devices to use standardized encryption and other security measures.
Bob Ackerman, founder and managing director of the cyber venture capital firm Allegis Capital, acknowledged that exhortations like these are late in coming. But he said some of it is simply due to human nature – until something catastrophic happens, people are in denial.
After an attack like this, “people come to life in feigned indignation,” he said, acknowledging that since the attack was so predictable, “the outrage is misplaced.”
But he said an attack of that scale might have the benefit of finally awakening a push for better IoT security. “One of the fundamental challenges is that they (IoT devices) are designed to be functional, at price points that limit the capability to be updated in the field. And that is a minefield of massive proportions.”
It is not going to change quickly, however, even with something like the IoT Trust Framework available. Replacing or boosting security in even the majority of the billions now in use simply will not happen.
As Chester Wisniewski, principle research scientist at Sophos, put it, the framework would, “rectify most common issues with IoT devices, were it to be followed.
“I also want a pony,” he said, “and neither is likely to happen anytime soon. It’s very difficult to make a $12 smart egg tray if you have to spend $500,000 on engineering to follow the checklist.”
Spiezle acknowledged that while some companies have embraced the OTA framework, “others have said the added cost of 11 cents is prohibitive, and others say encryption will impact their battery life. Unfortunately we have yet to see leadership from any of the companies or platforms to embrace these or other security fundamentals.”
Mike Lynch, chief strategy officer at inAuth, sees similar problems. He noted first what other experts have been speaking about for years – that product designers and manufacturers are not necessarily security experts.
Second, “in the eyes of many organizations, building in security protocols is an unnecessary expense that eats into margins,” he said. “Both factors combine to create conditions where security is relegated to afterthought status.”
Finally, “many consumers of these IoT devices are not tech savvy, and asking them to patch firmware may be beyond their technical capabilities or desires,” he said.
Still, experts say there are constructive ways to start reducing IoT security risks.
Spiezle said the OTA believes the risks are great enough that vulnerable devices may have to be taken offline, somewhat like what the airlines have done to the Samsung Galaxy Note 7 phones, due the risk of fire.
“Second we are calling for all retailers – Target, Best Buy, Costco, Amazon and others – to review the devices they are selling and to pull products that are either not secure out of the box or not patchable over their lifecycle off their shelves.”
While he did not call for specific government regulation, he said government could help consumers by providing, “an advisory for products that do not meet minimal standards.”
For the longer term, if the IoT is ever to improve from being a security minefield, Wisniewski believes it will take a major mindset shift.
“Today almost all of the responsibility is on the consumer, who more often than not is not aware of the risks and doesn't know what to do to mitigate them,” he said. “The burden should be almost entirely on the manufacturer to make it as simple as possible. The devices I've analyzed tend to lean towards terrible, and absolutely none of my devices would get a ‘responsible’ rating.
“Consumers have some responsibility, but shouldn't have to become security specialists,” he said.
Spiezle said in the long run that attitude would save money for IoT developers. “The cost to address a bug in a device prior to shipping is less than $200,” he said. “To do it post release can cost of $15,000. The economics are pretty clear, and unlike a site vulnerability, the liability exposure for a device that is compromised can risk putting a company out of business.”
For now, however, Lynch said public concern is well warranted. “These attacks are bringing awareness of just how dependent on the internet we are, and how the IoT will be a critical failure point if future cybersecurity attacks succeed,” he said.