Last week I attended the RSA Security conference in San Francisco. It's the premier conference for security professionals, and more than ever, vendors. Lots and lots of vendors.
In any case, I was there to learn more about security and IoT. One of the speeches I wanted to catch is now available, and I encourage you to take time to watch it. It's from Bruce Schneier, whom we have written about before.
Bruce used the platform to continue his call to the industry to get involved with policy when it comes to security and IoT, arguing that the real-world consequences of doing nothing should not be ignored. He stated, "The more we connect things to each other, the more the vulnerabilities affect each other." The Dyn attack, the Mirai botnet and the video cameras it recruited are a good example of this. Bruce describes this as a cascade of failures, where no one system is at fault, leading to a connected world of residual insecurity.
He believes that a lot of people in the industry are working on it and doing good work on IoT security, but as he has argued in the past, when it comes to low-cost Internet-connected devices (cameras, consumer electronics and other far-flung sensors), neither the buyer nor the seller is interested in getting the latest security patch. In short, the cost of failure and the cost to fix do not favor security updates or investment.
Free-market idealists hate regulation, but it is becoming necessary, Schneier says. “Governments are going to get involved, regardless. The stakes are too high.”
After watching it at least three times, I decided to share the main concepts with the readers of TechTalks. Here are the key takeaways, which I’ve taken pains to elaborate on.
Everything is now a computer
“Everything is now a computer,” Schneier said at the beginning of his remarks, after which he gave examples about how our phones, refrigerators, ATM machines and cars have in essence become computers that perform functions in the physical world.
“And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about,” he continued.
IoT devices are much more than objects with a little silicon and electronics baked in. We’re talking about devices that often run fully functional operating systems and enjoy broadband internet connections.
And as we all know, computers are smart—but they’re also hackable.
So what it comes down to is that soon, everything around you, from your toaster to your lawn mower, fridge, light bulb and door lock, can be hacked and used directly (against you) or indirectly (against others) for malicious purposes.
Schneier then went on to give “four truths” from the world of computer security, which he extended to “everything security,” since everything is now a computer.
Attack is easier than defense
This was Schneier’s first premise. As the saying goes in cybersecurity circles, “Cybersecurity experts have to win every battle. Hackers only have to win once.”
But it was his next phrase that said it all.
“Complexity is the worst enemy of security,” he said. “And this is especially true for computers and the internet.”
Attackers find ways to use software and operating systems in malicious ways that were never imagined by their developers. This is partly due to security flaws in the source code, and partly due to the simple fact that the basic functions embedded in that software can be combined in innumerable ways.
Put another way, you have to plug every security hole—hackers only have to find one.
Interconnections introduce new vulnerabilities
This is an extension of the complexity concept.
“The more we connect things to each other,” Schneier said, “the more vulnerabilities in one thing affect other things.”
He went on to give accounts of some of the cyberattacks that made headlines in recent years, including the Target breach and, of course, the Dyn attack, in which the attackers exploited vulnerabilities in several systems to stage their attack.
“Vulnerabilities like this are hard to fix because no one system might be at fault,” Schneier explained.
In many cases a flaw in one system might not be critical per se, but when that system or component is combined or connected to another one, the same vulnerability might open up new ways to cause harm.
And we’re entering a world where abstraction plays an increasingly important role in creating software and hardware. Black-box systems connect over the internet and expose their data and functionality to other systems, without anyone having full knowledge of their vulnerabilities.
The internet empowers attackers
“The internet is a massive tool for making things efficient,” Schneier said, “and that’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise.”
The Internet of Things has taken that scaling power to the next level. It was true for the Dyn attack, as well as a host of other recent DDoS attacks that were based on IoT botnets.
In terms of efficiency, Schneier underlined the fact that hackers have an easier time sharing their knowledge and experience thanks to the internet. The source code for the Mirai botnet, which was used to stage the Dyn attack, has been released and is now available for all to use.
Those who lack the knowledge to make use of the source code and create their own IoT botnet can rent one at an affordable price. “I don’t recommend it,” Schneier said.
And that’s where the Internet of Insecure Things is leading us.
Schneier: “There’s real risk to life and property. There are real catastrophic risks.”
The economics don’t trickle down
“Our computers are secure for a bunch of reasons,” Schneier said—and that’s relatively speaking (my own comment). “But it doesn’t happen for these cheaper devices.”
There are many reasons that IoT devices are created with less security. Schneier named a few:
Low profit margins: Manufacturers are doing their best to lower costs, and therefore pack the devices with cheaper and less secure components, and with firmware and low-end operating systems that can’t run security software.
IoT devices are offshore: Many devices are treated in an install-and-forget manner. How many times do you check the logs for your thermostat? Also, no sane person leaves their desktop computer or smartphone in an unprotected environment. But IoT devices are made to be installed in the open and left unattended. And yet in many cases, these same devices sport storage and computation capabilities that rival those of mobile and desktop computers, to say nothing of their broadband internet connections.
No dedicated security teams: Many of the manufacturing companies don’t allocate resources and funds to securing their devices, because, as some will honestly admit, “Consumers don’t pay for security. They pay for functionality.” And vetting code and hardware for security can be costly. Also, we’re in the “Gold Rush” phase of the IoT industry’s development, where every new kid on the block is in a hurry to ship a connected device to market before their competitors do, so naturally, things such as security take a back seat.
Devices can’t be patched: Desktop and mobile operating systems are regularly updated and patched to fix security holes. The same can’t be said of IoT devices. In many cases the update mechanism is nonexistent, while in others it’s so arduous that consumers will simply forgo applying updates. And let’s not forget that these are install-and-forget products. As Schneier reminded the audience in his remarks, many of these “things,” such as fridges and cars, will not be replaced for a long time—some, never. This means they’ll remain vulnerable for the rest of their lifetimes, causing potential damage to their owners and others.
What needs to be done?
“The government has to get involved,” Schneier said. “What I need are some good regulations.”
I agree, but I would also extend the point and say “Everyone has to get involved,” and that includes manufacturers, who should get serious about securing their devices, or suffer the consequences. It also concerns ISPs, who should do more to spot and block botnet traffic. And consumers should become more savvy on cybersecurity in general and demand more security from manufacturers.
But of course, the government has to play a regulatory role that will ensure implementation.
“For the first time, the internet affects the world in a direct, physical manner,” Schneier said. “When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things… maybe we can’t do that anymore.”
I liked that phrase, and I think we ought to take it seriously.
Over on MotherBoard, noted cryptographer, computer security and privacy specialist, and writer, Bruce Schneier pens his thoughts on the recent gaping holes in security for Internet connected devices. When Bruce speaks, people listen.
First, if you haven't been following the recent DDoS attacks using IoT devices, read this. In short, IoT devices have been compromised and used to attack networks.
It's so bad that Bruce is calling out the IoT market for failing to secure their devices and machines that connect to the Internet and is asking for government intervention.
What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
He continues that security has been built into many of our computers and smartphones because there is money to invest in security; the same can't be said for low-margin embedded systems like digital video recorders or home routers. Security is not their makers' expertise. Even worse, he adds, most of these devices don't have any way to be patched.
He argues the market can't fix this because neither the buyer nor the seller cares. Government must step in and solve the problem, says Schneier.