GUEST POST WRITTEN BY
Dr. Mike Lloyd
The Internet of Things crashed into the old Internet on Oct 21st, and it wasn’t pretty. A specialized but fairly simple bit of malware known as Mirai was used to cause huge numbers of simple Internet-connected devices (cameras, home routers, baby monitors, etc.) to flood the infrastructure of a service provider called Dyn. This caused widespread collateral damage across the traditional world of social media and entertainment websites.
To get a sense for the nature of the attack, take a moment to imagine the chaos if someone were to call in an order to every pizza shop within a 25 mile radius, giving your address. All the pizza shops would be doing what they normally do, but the simultaneous activity would not just overwhelm your front door, it would snarl up streets for miles around. This is a fair analogy for the kind of DDoS attack in use here. The attack used simple devices, instructed to do simple things, but because there are so many of them, the combined effect caused havoc.
These attacks are not all that easy to defend against. It’s a kind of arms race – if you can handle a total load of X before your website cries “Uncle,” your attackers will scale up and find enough devices to send you twice X, or a hundred times X, or whatever it takes. A victim cannot scale up their capacity as fast as the attacker can find more endpoints. That’s the thing about the Internet of Things: there are an awful, awful lot of “things” out there, and people are connecting them with abandon. There are cloud services that offer something called “burst capacity” to help if you’re getting inundated, but several recent attacks have been able to overwhelm even these defensive offerings. The attackers simply infect more devices and generate more load. (Send more pizzas!)
So can we expect manufacturers of IoT devices to be responsible or held liable? Unfortunately, I predict only some weak progress there. When we talk about the Internet of Things, the term “things” implies vast numbers of mass-produced objects. Manufacturers at that scale face intense pressure to optimize costs – even saving one penny over a million devices adds up to a significant amount of money. As a result, makers use the simplest, easiest techniques they can, and we get low prices for smart devices. But for security, this is really bad news. The simplest, easiest approach is generally highly insecure – smart, adaptable defenses cost money.
We can hope for better as manufacturers face embarrassment and bad press, but this too is a meagre hope. Their customers are usually not the direct victims of the attacks, and those consumers generally prefer cheaper products over those with some abstract, hard-to-understand security benefit aimed at someone else. Could liability lawsuits work? Probably not, because the Internet is global, and product liability law is not. A manufacturer isn’t going to enjoy being sued in one or two countries, but it’s not going to cause them to take back all the product they have sold Internet-wide.
So manufacturers of IoT devices aren’t set up to make highly secure devices. But even if they were, we can see from the last decade or so of security research that even cleverly built devices will eventually have flaws discovered and exploited. So, the next challenge happens when a company ships a million (or a billion) of their things out into the Internet of Things, and later, someone uncovers a security flaw. How is the maker supposed to repair them? It’s infeasible to issue a recall, or ship them all back. (Look at how hard it is to replace a faulty cell phone! Now do that for a device that isn’t supposed to be mobile, like, say, an in-ceiling video camera or light fixture.)
We can imagine the manufacturer issuing a software update, but the devices will need to update themselves without human help. This gets us right back to the DDoS problem we started with – how does the manufacturer handle a million devices all asking for the new code at once? We know this can be solved – companies like Apple and Google do this routinely. But we also know it’s expensive and very difficult to make seamless. Only big, wealthy companies do it successfully. So can we really expect endpoint makers to operate at that level?
Even if we thought this was the way forward, it assumes the manufacturer sticks around to maintain the software for the lifetime of the device. Unfortunately, we know this is not likely either. Even worse, if all our smart devices are built to expect remote software upgrades, what stops the attackers from moving on to this software update mechanism as their preferred attack surface? If you can find a weakness in that “security” mechanism, you can upload arbitrary software patches and take over the Internet of Things in a few quick steps – talk about hanging a “kick me” sign on the back of the Internet!
Add it all up, and we face a worrisome future of weak IoT devices. The makers are strongly motivated to keep the devices cheap, but flaws that cannot be fixed at scale are inevitable. The result is a network full of devices that can and will be abused.
It’s a pretty grim picture. We can’t expect the endpoints to be secure and immune to abuse. We can’t expect the targets of attack to be able to handle unlimited loads. And, as long as there is a limit, an attacker can leverage the raw scale of all these things to bring more “pizza” to your door than you can handle.
So is all hope lost? Not necessarily. There is a third element that we can use – the network itself. It’s the network effect of the Internet that created this problem, and it’s that same property that can be used to mitigate it. All it takes is a smart, resilient network that can be re-programmed to shunt load away when it’s identified as malicious. It’s not likely that this can be built into the network as a fully automatic feature – our track record with Artificial Intelligence is too poor for that. The attackers are people, and this makes them very creative – smarter than any fully automated defense system. It takes other people to figure out what the attackers are doing, what their motives and strategies are, and how best to combat them.
The challenge is that these defenders are limited in their ability to understand this wonder we’ve created called the Internet – it’s big, it’s complex, and it’s full of details. This is why the ideal path forward is to combine automated analysis of network behavior and network defense with skilled human operators who can judge, target, and act to make the network respond in a resilient manner. The ideal isn’t just a network where we detect too much pizza being sent to your house, and react by shutting down all pizza delivery city-wide to everyone for a while – this, very roughly, is what happened on Oct 21st. With finer grained controls and more high-speed automation, we can isolate just the malicious load, so that people can still get the pizza they actually want.
The physical analogy may break at this point – people delivering pizzas have cell phones, and so are fairly easy to recall; packets on the Internet are not. The Internet is pretty good at re-sending important messages, so we can judiciously discard selected traffic. Doing this for cars on a real road is generally frowned upon. Still, one lesson remains true: this kind of challenge requires coordination between victims, sources, and traffic cops who can apply smart, appropriate, targeted controls.
For real pizza delivery people, we can reroute them away from the congestion and send them back. For Internet attacks, we aim for network-level responses – sink holes that can absorb and discard the unwanted traffic (the baby monitors and video cameras don’t want it back either). This takes planning for resilience – analyzing attack scenarios in advance, figuring out what is likely to break, and building the right mitigations. Humans find this difficult due to the complexity of modern networks, but humans armed with a detailed and accurate network model that can explain all the interactions and complex emergent behaviors really can make a more resilient Internet.
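As an added illustration (not part of the original post), the following Python models the contrast drawn above between the coarse response and a targeted sinkhole, using constructed traffic: 20 known clients and 200 never-before-seen IoT sources all hitting one destination. The `new_source` flag, the 400 rps capacity and the `newcomer_flood` heuristic are assumptions made for this example, standing in for the judgement a human analyst would supply.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    rps: float          # requests per second seen from src to dst
    new_source: bool    # True if src sent nothing in the pre-attack baseline window (assumed field)

CAPACITY_RPS = 400.0    # constructed: the load the target can serve before it "cries uncle"

def make_constructed_flows() -> list[Flow]:
    """Constructed traffic: 20 known clients, 200 never-seen IoT sources, one bystander flow."""
    legit = [Flow(f"client-{i}", "dns-provider", 8.0, False) for i in range(20)]
    bots = [Flow(f"iot-{i}", "dns-provider", 5.0, True) for i in range(200)]
    return legit + bots + [Flow("client-x", "other-site", 3.0, False)]

def total_load(flows: list[Flow], dst: str) -> float:
    return sum(f.rps for f in flows if f.dst == dst)

def fair_share_cap(flows: list[Flow], dst: str, capacity: float) -> float:
    """Uniform per-source cap that would fit all sources under capacity; shows why
    per-source rate limiting alone fails when each bot sends less than a real client."""
    sources = {f.src for f in flows if f.dst == dst}
    return capacity / len(sources)

def coarse_mitigation(flows: list[Flow], dst: str) -> list[Flow]:
    """Blackhole the destination entirely: the 'stop all pizza delivery city-wide' response."""
    return [f for f in flows if f.dst != dst]

def targeted_mitigation(flows: list[Flow], dst: str,
                        is_malicious: Callable[[Flow], bool]) -> list[Flow]:
    """Sinkhole only the flows an analyst-chosen predicate flags; everything else passes."""
    return [f for f in flows if not (f.dst == dst and is_malicious(f))]

def newcomer_flood(f: Flow) -> bool:
    """Hypothetical analyst heuristic: sources that first appeared when the flood began."""
    return f.new_source

def legit_served(flows: list[Flow], dst: str) -> int:
    """Count of known (baseline) clients whose traffic to dst still gets through."""
    return sum(1 for f in flows if f.dst == dst and not f.new_source)

if __name__ == "__main__":
    flows = make_constructed_flows()
    print("offered load:", total_load(flows, "dns-provider"), "capacity:", CAPACITY_RPS)
    print("uniform per-source cap:", round(fair_share_cap(flows, "dns-provider", CAPACITY_RPS), 2))
    print("legit served after coarse blackhole:",
          legit_served(coarse_mitigation(flows, "dns-provider"), "dns-provider"))
    kept = targeted_mitigation(flows, "dns-provider", newcomer_flood)
    print("legit served after targeted sinkhole:", legit_served(kept, "dns-provider"),
          "remaining load:", total_load(kept, "dns-provider"))
```

The uniform cap comes out below what a single real client needs, so only a behavioural criterion (here, the constructed newcomer flag) lets the sinkhole drop the flood while all 20 known clients keep being served within capacity.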