The Mirai strain of malware has focused a lot of attention on the Internet of Things, after a botnet of Mirai-infected IoT devices was used to cripple large parts of the Internet on Oct 21st. Huge numbers of simple Internet-connected devices (cameras, home routers, baby monitors, etc.) were used to flood the infrastructure of a DNS service provider called Dyn, causing collateral damage to a wide array of other websites that depended on Dyn to resolve their names.
To get a sense for the nature of the attack, take a moment to imagine the chaos if someone were to call in an order to every pizza shop in a 25 mile radius, giving your address. All the pizza shops would be doing what they normally do, but the simultaneous activity would not just overwhelm your front door – it would snarl up streets for miles around. This is a fair analogy for the kind of DDoS attack in use here – simple devices, instructed to do simple things, but the combined effect causes havoc.
These attacks are not all that easy to defend against. The victim cannot easily scale up their ability to handle the load. There are cloud services that offer something called “burst capacity”, but several recent attacks have shown that the attackers can scale up to exceed even these defensive offerings: they simply infect more devices, generate more load, and overwhelm the new capacity too. (“Send more pizzas!”)
So can we expect the manufacturers of the IoT devices to be responsible, or to be held liable? Unfortunately, I predict only some weak progress there. When we talk about the Internet of Things, the term “things” automatically implies vast numbers of mass produced objects. Manufacturers at that scale face intense pressure to optimise costs – even saving one penny over a million devices adds up to a significant amount of money. As a result, makers use the simplest, easiest techniques they can, and we see this in the low prices for smart devices. But for security, this is really bad news – the simplest, easiest approach is generally highly insecure. Mirai is the textbook case: it needed no exploit at all, just a short list of factory-default usernames and passwords tried against devices that exposed telnet to the Internet.
We can hope for better as the manufacturers face embarrassment and bad press, but this is a weak force – their customers are generally not the direct victims of the attacks, and those customers generally prefer cheaper products over those with some abstract, hard-to-understand security benefit aimed at someone else.
In a sense, it’s the 19th Century concept of the tragedy of the commons, updated to the 21st Century. Could liability lawsuits work? Probably not, because the Internet is global, but product liability law is not. It’s certainly inconvenient for a manufacturer to be sued in one country, but it’s not going to cause them to take back all the product they have sold Internet-wide.
So manufacturers of IoT devices aren’t set up to make highly secure devices. But even if they were, we can see from the last decade or so of security research that even cleverly built devices will eventually have flaws discovered and exploited. This raises the next challenge: suppose a company shipped a million (or a billion) of their Thing out into the Internet of Things, and then someone uncovers a security flaw. How is the maker supposed to repair them?
It’s infeasible to issue a recall, or ship them all back. Look at how hard it is to replace a faulty mobile phone! Now do that for a device that isn’t supposed to be mobile, like, say, an in-ceiling video camera or light fixture. We can imagine the manufacturer issuing a software update, but the devices will need to update themselves without human help. This gets us right back to the DDoS problem we started with – how does the manufacturer handle a million devices all asking for the new code at once?
We know this can be solved – companies like Apple and Google do this routinely now. But we also know it’s very expensive and very difficult to make it seamless – only big, wealthy companies do it successfully. So can we really expect endpoint makers to operate at that level? Even if we thought this was the way forward, it assumes the manufacturer sticks around to maintain the software for the lifetime of the device, and unfortunately we know this is not likely either. Even worse, if all our smart devices are built to expect remote software upgrades, what stops the attackers from moving on to the update channel as their preferred attack surface? A device that will install whatever code its update mechanism hands it has, in effect, remote code execution built in by design. If the checks that decide which code to accept (who signed it, and whether it is newer than what is already running) have a weakness, an attacker who finds it can take over the whole fleet in a few quick steps.
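The two problems raised above, the update channel as an attack surface and a million devices asking for new code at once, are addressed on the device side by a small amount of logic. The following Go program is an added example and is not code from the original post or from any particular vendor; the manifest layout, the function names, the device serial and the 24-hour polling window are assumptions made for the example. The vendor signs a manifest (version number plus image hash) with an Ed25519 key whose public half is baked into the device; the device refuses anything not signed by that key, anything not newer than what it is running, and any image that does not match the signed hash. A deterministic per-device offset spreads update polls across the window so that a release does not become a self-inflicted DDoS on the update server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Manifest is the metadata shipped beside a firmware image. The layout is a
// hypothetical one for this example: a monotonically increasing version, the
// SHA-256 of the image, and an Ed25519 signature over both fields.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes is the exact byte string the vendor signs and the device checks.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+len(hash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// GenerateVendorKey makes the signing key pair. Only the public half is ever
// burned into devices; the private half stays on the vendor's build system.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS random source failing is not recoverable here
	}
	return pub, priv
}

// SignManifest runs on the vendor side: hash the image, sign version+hash.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyUpdate is the device-side gate. An update is installed only if
// (1) the manifest was signed by the vendor key, (2) its version is newer
// than what is running, so a captured old-but-valid update cannot be replayed
// to reintroduce a fixed flaw, and (3) the image matches the signed hash, so
// genuine signed metadata cannot be paired with somebody else's code.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature does not verify against vendor key")
	}
	if m.Version <= installed {
		return fmt.Errorf("refusing version %d: installed is %d (rollback/replay)", m.Version, installed)
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash does not match signed manifest")
	}
	return nil
}

// CheckInDelay spreads a fleet's update polls over a window so a release
// does not turn a million devices into a flood on the update server. The
// offset is derived from the device identity, so each device polls at a
// stable, distinct point in the window rather than all of them at t=0.
func CheckInDelay(deviceID []byte, window time.Duration) time.Duration {
	if window <= 0 {
		return 0
	}
	h := sha256.Sum256(deviceID)
	return time.Duration(binary.BigEndian.Uint64(h[:8]) % uint64(window))
}

func main() {
	pub, priv := GenerateVendorKey()
	image := []byte("constructed firmware image, version 2") // constructed sample
	m := SignManifest(priv, 2, image)

	fmt.Println("genuine update:     ", VerifyUpdate(pub, 1, m, image))
	fmt.Println("tampered image:     ", VerifyUpdate(pub, 1, m, []byte("attacker payload")))
	fmt.Println("replayed version:   ", VerifyUpdate(pub, 2, m, image))
	otherPub, _ := GenerateVendorKey()
	fmt.Println("foreign signing key:", VerifyUpdate(otherPub, 1, m, image))
	fmt.Println("device polls after: ", CheckInDelay([]byte("serial-0001"), 24*time.Hour))
}
```

Two caveats a practitioner would add: the rollback check is only as strong as the storage of the installed version number, so it belongs in a counter the running firmware cannot decrement (or in hardware), and the vendor public key must itself be in read-only or one-time-programmable storage, otherwise an attacker who gets code execution once simply swaps the key and owns the update channel from then on.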
Add it all up, and we face a worrisome future of weak IoT devices. The makers are strongly motivated to keep the devices cheap, but flaws are inevitable, and flaws essentially cannot be fixed at scale. The net result is a network full of devices that can be abused.
It’s a pretty grim picture. We can’t expect the endpoints to be secure and immune to abuse. We can’t expect the targets of attack to be able to handle unlimited loads, and as long as there is a limit, an attacker can leverage the raw scale of the Internet to bring more “pizza” to your door than you can handle.
So is all hope lost? Not necessarily. There is a third element that we can use – the network itself. It’s the network effect of the Internet that created this risk, and that same property can be used to mitigate it. What it takes is a smart, resilient network that can be re-programmed to shunt load away once that load has been identified as malicious. It’s not likely that this can be built into the network as a fully automatic feature – our track record with Artificial Intelligence is too poor for that. The attackers are people, and this makes them very creative – smarter than any fully automated defense system. It takes people to figure out what the attackers are doing, what their motives and strategies are, and how best to combat them.
The challenge is that these defenders have limits in their ability to understand this wonder we’ve created called the Internet – it’s big, it’s complex, and it’s full of details. This is why the ideal path forward is to combine automated analysis of network behavior and automated network defense with skilled human operators who can judge, target, and act to make the network respond in a resilient manner. The ideal isn’t a network that detects too much pizza being sent to your house and responds by shutting down all pizza delivery to everyone for a while – that, very roughly, is what happened on Oct 21st. With finer-grained controls and more high-speed automation, we can isolate just the malicious load, so that people can still get their pizza.
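The difference between the coarse response and the fine-grained one can be made concrete. The Go program below is an added example and is not part of the original post; the flow records, the addresses (taken from the RFC 5737 documentation ranges) and the per-source threshold of 100 requests per window are all constructed for it. It compares null-routing the victim, which stops every request including the legitimate ones, with a per-source rule set that drops only the sources whose request rate to the victim is abnormal, leaving the victim's other traffic and every other destination untouched.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one summarised record for a measurement window: requests from Src to Dst.
type Flow struct {
	Src, Dst string
	Count    int
}

// Rule is a drop entry in the style of a router ACL; Src "*" matches every source.
type Rule struct{ Src, Dst string }

// ParseFlows reads constructed "src dst count" lines; blank lines are skipped.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		n, err := strconv.Atoi(f[len(f)-1])
		if len(f) != 3 || err != nil || n < 0 {
			return nil, fmt.Errorf("malformed flow line %q", line)
		}
		flows = append(flows, Flow{Src: f[0], Dst: f[1], Count: n})
	}
	return flows, nil
}

// Blackhole is the coarse response: null-route the victim, so customers and
// attackers alike lose the service until the rule is lifted.
func Blackhole(victim string) []Rule { return []Rule{{Src: "*", Dst: victim}} }

// Surgical drops only sources whose requests to the victim exceed perSrcLimit
// in the window; everything else bound for the victim keeps flowing.
func Surgical(flows []Flow, victim string, perSrcLimit int) []Rule {
	perSrc := map[string]int{}
	for _, f := range flows {
		if f.Dst == victim {
			perSrc[f.Src] += f.Count
		}
	}
	var rules []Rule
	for src, n := range perSrc {
		if n > perSrcLimit {
			rules = append(rules, Rule{Src: src, Dst: victim})
		}
	}
	sort.Slice(rules, func(i, j int) bool { return rules[i].Src < rules[j].Src })
	return rules
}

// Delivered counts the requests that still reach dst after rules are applied.
func Delivered(flows []Flow, rules []Rule, dst string) int {
	total := 0
	for _, f := range flows {
		if f.Dst == dst && !matches(rules, f) {
			total += f.Count
		}
	}
	return total
}

func matches(rules []Rule, f Flow) bool {
	for _, r := range rules {
		if r.Dst == f.Dst && (r.Src == "*" || r.Src == f.Src) {
			return true
		}
	}
	return false
}

// SampleFlows is constructed data, not a capture: four bots hammering a resolver
// at 203.0.113.53, three real clients using it normally, one unrelated web flow.
const SampleFlows = `
198.51.100.11 203.0.113.53 4200
198.51.100.12 203.0.113.53 3900
198.51.100.13 203.0.113.53 4100
198.51.100.14 203.0.113.53 3800
192.0.2.7     203.0.113.53 3
192.0.2.8     203.0.113.53 5
192.0.2.9     203.0.113.53 1
192.0.2.7     203.0.113.80 12
`

func main() {
	flows, err := ParseFlows(SampleFlows)
	if err != nil {
		panic(err)
	}
	victim := "203.0.113.53"
	rules := Surgical(flows, victim, 100)
	fmt.Println("offered to victim:", Delivered(flows, nil, victim))
	fmt.Println("after blackhole:  ", Delivered(flows, Blackhole(victim), victim))
	fmt.Println("surgical rules:   ", rules)
	fmt.Println("after surgical:   ", Delivered(flows, rules, victim))
}
```

The per-source threshold is the simplest possible discriminator, and it is exactly where the human judgement the text calls for comes in: a botnet of hundreds of thousands of devices can keep each source well under any plausible per-source limit, so in practice the operator has to find a different property that separates the attack traffic from customers (request type, query pattern, source network) and push that, rather than a blanket null-route, into the automation.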