Interdependence: Good for community, bad for the IoT

Size matters. Which is one of the main reasons the Internet of Things (IoT) is, and is likely to remain, a very dangerous place.

“The embedded-system space makes the attack surface of the non-embedded space trivial by comparison,” said Dr. Daniel Geer, keynote speaker at the Security of Things Forum in Cambridge, Mass. on Wednesday.

Geer, chief information security officer at the venture capital firm In-Q-Tel and an adviser to U.S. intelligence agencies, added a partial caveat: “Perhaps I overstate that. Perhaps that is not true today,” he said. “But by tomorrow it will be true. In the embedded world, which makes the PC, phone and whatnot market seem trivial by comparison, performance stays constant while the cost goes down.”

The explosively expanding attack surface is not the only major reason for security risks on the IoT, he said. Another is diversity – the lack of it. Referring to what he called a “computer monoculture,” Geer noted that, “a cascade failure is much easier to detonate in a monoculture when an attacker only has to weaponize one bit of malware, not 10 million.”

[Related: In the digital ocean, there are more predators than protectors]

He said he is “entirely sympathetic” to the reason for that monoculture. “Making everything almost entirely alike is and remains our only hope for being able to centrally manage it all in consistent manner,” he said.

But, he said it is a clear risk-management decision, with major central control implications: “Would you rather have the inordinately unlikely event of an inordinately severe impact, or the day-to-day burden of everything being different all the time?” he asked, noting that the choice comes with a trade-off. “When we opt for monoculture by choice, we had better opt for tight central control,” he said.

A third major problem, Geer said, is that embedded devices tend to be long-lived, but also lack a remote management interface. “A fundamental question,” he said, “is whether immortal embedded systems are angelic or demonic.

Clearly, he leans toward the demonic view. “That combination – long-lived and unreachable – is the trend that must be dealt with and possibly even reversed,” he said, given that Advanced Persistent Threats (APTs) are, “easier in an environment where much of the computing is done by devices that are deaf and mute once installed, or where those devices operate at the very bottom of the software stack.”

Geer said decisions about whether embedded devices must, “self destruct by some predictable age or that remote management be a condition of deployment is, dare I say, the national policy question,” he said. “But in either case, the Internet of Things, which is to say the appearance of network-connecting microcontrollers and seemingly every device that has a power cord or a fuel tank, should raise hackles on every neck.”

That, he said, is because of the fourth problem:“The root source of risk is dependence,” and people and society are becoming ever more interdependent, “especially on the expectation of stable system state.”

That system, he said, is more fragile than most people think. “As society becomes more technologic, even the mundane comes to depend on distant digital perfection,” he said, using the nation’s food supply as an example.

“Our food pipeline contains less than a week’s supply, and that pipeline depends on digital services for everything from GPS-driven tractors to drone-surveilling irrigators to robot vegetable-sorting machinery to coast-to-coast logistics to RFID-tagged livestock,” he said.

“Is all the technological dependency and the data that fuels it making us more resilient or more fragile?” he asked.

There is no easy fix either, Geer said, noting that if an embedded system does not have a management interface, “then a late-discovered flaw cannot be fixed without visiting all the embedded systems, which is likely to be infeasible.”

But if it does have such an interface, then an “opponent of skill will focus on that, and once a break is achieved will use those selfsame management functions to ensure that not only does he maintain control over the long interval, but you’ll be unlikely to know that he’s there.”

So, Geer suggested, embedded systems should be made more like humans in some ways. Those with no remote management interface, “and thus out of reach, are a life form, and as the purpose of life is to end, they must be designed so as to be certain to die at some fixed time.”

Those that do have such an interface, “must be sufficiently self protecting that they are capable of refusing a command.

“That is the core of my thesis,” he said, but added that, “the future obviously will not be so simple, nor am I making it out to be.”

Indeed, for the average home Internet user, it could be very uncertain. Geer said most routers are almost comically insecure, given that they have, “drivers and operating systems amounting to snapshots of the state of Linux, plus the lowest-end commodity chips extant at the time of the router’s design.”

They are cheap, but remarkably old, he said, and therefore highly exploitable. “There are numerous methods of attacking both the operating system and the device drivers, and to do so remotely,” he said. “It (the attack) need never be detectable by any means whatsoever from the interior of the network it serves.”

An attacker, he said, could then command the router to, “stop processing anything it henceforth receives, start flooding the network with a broadcast signal that causes other peers to do the same, and zero the onboard firmware, thus preventing reboot for all time.”

The only way for the user to “fix” the problem is to, “unplug all the devices, throw them in the dumpster and install all new ones,” he said.

And that, of course, won’t fix it either, because the new ones are, “likely to have the same vulnerability spectrum that made this possible in the first place. So this is not quick trip to big box store, but rather flushing the entire design space and pipeline inventory of every maker of home routers,” he said.

Geer said one way to deal with the problem is “a very important work now appearing under the title of ‘Language Theoretic Security,’ or LangSec,” which posits that for software to be trustworthy, it needs to be able to recognize valid inputs “as a formal language,” and reject the rest.

But, he said, “for complex input languages, the problem of full recognition of valid and expected inputs may be, in the formal sense, undecidable, in which case no amount of input checking or testing will suffice to secure the program. Many popular protocols and formats fell into this trap.”

And the bottom line, he said, is that the monoculture, as convenient and relatively low-maintenance as it is, may not be sustainable. “Is it time to say that software per device has to be as unique as possible?” he said.

That time may already be here, he said, noting the Moon worm, “that is now working its way through the world’s Linksys routers. It may not be that the forest might burn – it may be that it is already afire. It may be that we are one event away from being unable to distinguish a hostile action from an industrial accident, and that matters a lot, at least in Washington.”

Which means, he said, it may become mandatory, “to distribute software to endpoint devices based on diversity compiling on a ‘onesies’ basis.”

Otherwise, “in a world of rising interdependence, APTs will not be about the big-ass machines,” he said. “It will be about the little ones. It will not be about devices that have a host name and a console. It will go against the ones you didn’t even know about.”

And the only answer, he said, is to reduce the interdependence of billions of devices. “It cannot and will not be damped by any laying on of supply chain regulations,” he said.