Today I watched an interesting Energy and Commerce subcommittee hearing about “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The attacks refer to when insecure IoT devices infected with Mirai malware hammered DNS provider Dyn in October.
The hearing included testimony, as well as submitted prepared remarks, from Dale Drew (pdf), CSO and senior vice president of Level 3 Communications; crypto and privacy guru Bruce Schneier (pdf); and Dr. Kevin Fu (pdf), who helped shock the world years ago by saying pacemakers and implantable cardiac defibrillators were vulnerable to hackers. You can read the experts’ testimonies for specific concerns and suggestions, but this is primarily based on paraphrased commentary during the hearing.
It seems as if the committee was trying to wrap its collective head around the enormous potential of IoT DDoS attacks, when not thousands of devices but millions—with predictions of 20 billion to 50 billion—of devices are connected online. Focusing on the actual tech is not the way to go; technology is always evolving and the security industry, regulations and law are always playing catch-up.
If nothing changes, such as with default or hardcoded passwords in IoT devices, then there’s no telling what DDoS attacks will be capable of taking down. Since the attacks on Krebs on Security and Dyn, IoT botnets knocked the entire country of Liberia offline and hit five Russian banks. Another DDoS attack reportedly knocked heating systems offline, leaving two blocks of apartments in Finland with no heat in the winter.
More robust security needed
Default passwords on IoT devices played a key role in the attacks; all three experts agreed that the time for passwords has come and gone. Fu said the fact that we are even relying on intrinsically insecure passwords at all is a big problem. There were suggestions to instead rely on two-factor authentication (2FA), biometrics or other more robust authentication before default and hardcoded passwords in devices “bring down our most sensitive systems.”
Drew mentioned that the average CSO has to deal with an average of 75 security vendors to fill in the gaps and bolt on security to devices and systems that did not have built-in security. (One committee member thought bolt-on was a clever new saying.)
When speaking about insecure operating systems, Dr. Fu mentioned Windows XP and referenced a picture of an XP machine in his testimony; the XP box is controlling water pumps for the City of Michigan. Some people in medical or utility sectors laugh and think it’s funny that they don’t have any security on their devices or systems, but Fu pointed out that they won’t be laughing when everything goes down.
Fu has an entire photograph collection of IoT failures appended to his testimony, including a University of Michigan printer that took part in the Dyn DDoS attack, a vulnerable medical imaging machine, a pharmaceutical compounder running insecure XP, a “Windows failed to start” screen in a taxi so it couldn’t process payments, a crashed airplane entertainment system, a failing boarding pass kiosk and crashed flight displays. Of the latter, he asked what if every smart TV in the world were to launch a massive DDoS attack?
Under an image of a gas pump that crashed, Fu wrote, “Imagine if a virus knocked out every gas pump simultaneously in the nation, or if a chorus of infected gas pumps began to unwittingly mount DDoS attacks on critical infrastructure.”
Hospitals and those in the medical sector need a “bill of materials” to know what is even in the machines being run, he said. How can it be protected if you don’t even know what’s inside?
Networks will always be hostile
Schneier said we are “never going to make networks happy places full of rainbows”; they will always be hostile. When asked about biological systems as security immune systems, he said they may be a “new cool way” of thinking about security, but biological systems tend to “sacrifice individuals to save species.” He doesn’t see it giving defenders an advantage any time soon.
He spoke about catastrophic risks and the “emergent properties of interconnected everything” as computers control wheels, propellers and even functions in the human body. There are risks that can’t be foreseen, such as when discussing autonomous vehicles. There will always be surprising attacks such as when a CD player was able to infect a car with malware.
Schneier said he’s been concerned about USB ports on airplane seats, which an attacker might abuse to potentially control avionics. He discussed complexity and said we need to build resilience into systems so that a vulnerability doesn’t migrate to another vulnerability and cause something more catastrophic. It “goes up by a factor of square,” he said, when explaining why complexity is such a problem.
As for the IoT DDoS attack, it started out with one person understanding how to make it work. But that one person released it to the world, so now anyone and everyone can run an IoT botnet.
Drew said DDoS capabilities tend to evolve every three years. DDoS attacks no longer need to rely on spoofing and amplification; the IoT botnets used shaped attacks and can send any protocol or packet. What used to work can’t necessarily be depended upon to protect us now or in the future.
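Drew’s point is that defenses tuned for reflection and amplification (dropping traffic that comes from a handful of reflector service ports) do nothing against a botnet of real devices sending ordinary packets from tens of thousands of distinct addresses. The following added example, which is not from the hearing or any testimony, classifies constructed flow summaries as one or the other so a defender can see why the old filter stops helping; the reflector port list, thresholds and sample records are assumptions made for illustration.

```python
"""Distinguish reflection/amplification floods from direct IoT-botnet floods.
Added example with constructed flow records; thresholds are illustrative."""
from collections import Counter
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str        # source address seen at the victim
    src_port: int   # source port of the packets
    proto: str      # "udp", "tcp", "gre", ...
    packets: int    # packets in this flow
    avg_bytes: int  # average packet size


# UDP services commonly abused as reflectors (assumed list for this example).
REFLECTOR_PORTS = {53, 123, 1900, 11211}


def classify(flows: List[Flow]) -> Dict[str, object]:
    """Return the flood type plus the per-source statistics that decide it."""
    total = sum(f.packets for f in flows)
    per_src: Counter = Counter()
    per_proto: Counter = Counter()
    reflected = 0
    for f in flows:
        per_src[f.src] += f.packets
        per_proto[f.proto] += f.packets
        # Large UDP packets from a reflector service port look like amplification.
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS and f.avg_bytes > 500:
            reflected += f.packets
    reflect_share = reflected / total if total else 0.0
    top_share = per_src.most_common(1)[0][1] / total if total else 0.0
    if reflect_share > 0.8:
        kind = "amplification"      # source-port filtering at the edge still works
    elif len(per_src) >= 20 and top_share < 0.2:
        kind = "direct-botnet"      # many real hosts, small packets, any protocol
    else:
        kind = "unknown"
    return {"kind": kind, "distinct_sources": len(per_src),
            "reflect_share": round(reflect_share, 2), "protocols": dict(per_proto)}


# Constructed samples: three open resolvers replaying big DNS answers, versus
# forty infected devices each sending a trickle of small packets on mixed protocols.
AMPLIFICATION_SAMPLE = [Flow(f"198.51.100.{i}", 53, "udp", 50_000, 1400) for i in range(3)]
BOTNET_SAMPLE = [Flow(f"203.0.113.{i}", 40_000 + i, ("tcp", "udp", "gre")[i % 3], 1_000, 60)
                 for i in range(40)]
```

A botnet verdict tells the operator that edge source-port filters will not help and that per-source rate limits or upstream scrubbing are needed instead.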
When asked about “hacking back” as a tactic (sending out “green viruses” to patch vulnerable software on a user’s behalf in an effort to better protect consumers and the internet as a whole), Drew said it was a “fairly dark road to go down.” The potential for hacking back can’t be used as an excuse for not fixing infrastructure.
As for what programs or certifications should be offered or are not offered enough, the experts agreed that embedded cybersecurity related to IoT bridges both software and hardware. This is an important subject for kids in high school thinking about college, as well as established professionals, such as the person who is an expert on building cars but has no clue about building security into cars.
There were suggestions such as regulations being enforced by the U.S. and other countries. Even if nothing was decided, the subcommittee is far more aware of IoT being used in cyber attacks.
DHS and NIST release IoT security guidelines
Other agencies are also getting into IoT security. Yesterday, National Institute of Standards and Technology (NIST) finally released the official version of IoT cybersecurity guidelines (pdf), laying out specific system security engineering and testing processes.
DHS also released guidelines (pdf) yesterday for securing IoT. DHS Secretary Jeh Johnson said, “Securing the internet of things has become a matter of homeland security.” The guidelines are supposed to help companies “make informed decisions.”
You might not agree with that, but most everyone can agree with a statement by Robert Silvers, assistant DHS secretary for cyber policy: “You can't rely on a consumer to spend three hours to upgrade her toaster software. It's not going to happen.”