IoT chickens come home to roost

Chickens roosting

Security awareness moves forward in moments – uneven heaves and lurches that happen when bad code and bad ideas that have spread unhindered for years suddenly manifest into a clear and present danger.

October has been convulsed by just such a lurch – a movement caused by the heft of a few billion chickens coming home to roost in the shape of Mirai, the botnet behind a couple of truly staggering DDoS (Distributed Denial of Service) attacks on journalist Brian Krebs and DNS provider Dyn.

Last week’s attack on Dyn saw users unable to access popular sites like Twitter, Reddit and Spotify in what Reuters described as a “stunning breach of global internet stability”.

Botnets are huge networks of innocent, everyday computers that have been hacked and press ganged into service as malicious cloud computing platforms.

What makes Mirai special is that the everyday computers caught in its web are Things we’re not used to calling computers – such as routers, printers and webcams.

Thanks to the commodification of computing power and network access, billions of new Things that didn’t used to be computers have recently become computers and joined the internet.

This extraordinary migration goes by the name of the Internet of Things, or IoT for short, and in its short but impressive life it’s already gained a reputation for harbouring too many vendors that act like the last fifteen years of computer security best practice never happened.

But then perhaps that’s what happens when you call computers Things (or Clouds) instead of computers.

That historical myopia was writ large on Monday when internet camera maker and unintentional supplier of Mirai components Hangzhou Xiongmai ordered a recall of its affected products.

I applaud the company for taking the problem seriously, and doing something serious about it, but the problem it’s planning to fix in its products is that it shipped with default passwords – in 2016!

And seriously, how did we get an IoT where watches/cameras/printers/kettles/catflaps can be controlled from smartphones and pwned from the other side of the world but updates are being done by sneakernet?

I’ve seen no more succinct a summary of what’s required to secure the IoT than that provided by Chester Wisniewski in his article debunking some Mirai botnet myths:

What’s needed is industry standards and best practices, including thoroughly testing devices for security issues before shipping them to consumers, abiding by best practices and making sure that there is a clear mechanism for patching bugs – and that mechanism must include notifying the owner of the device.

Step back in time one year and those words could be Google talking about Android, the world’s most popular smartphone operating system, as the company realised that 400 million users couldn’t get their updates.

Three years ago it could be the WordPress community discussing WordPress, the world’s most popular software for running wesbites, as they finally got tired of watching users sleepwalk into botnets.

Four years ago it might have been Oracle discussing Java, the world’s most popular programming language, as it was bedeviled by vulnerabilities and besieged by crooks.

Or rewind fully fifteen years and it could be Microsoft, at that point makers of the world’s most popular just about everything, staring into the abyss as flagship products like Windows, IIS and Internet Explorer were pecked to death by hackers feasting on their poor security.

Bill Gates turned his company on its head, and likely saved it, with his root-and-branch Trustworthy Computing initiative.

He kicked it all off with an email that could have been the last word, if only people had read it.

The similarity with Chester’s remedy for the IoT is striking:

Our new design approaches need to dramatically reduce the number of such issues that come up … We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.

And although he didn’t know he was writing a missive to software programmers, web developers, App creators, IoT vendors, it turns out he was:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality … but all those great features won’t matter unless customers trust our software.

So now, when we face a choice between adding features and resolving security issues, we need to choose security.

Yes Bill. Yes we do.

Industry analysts put the number of IoT devices in-the-wild at over 6 billion (that’s three times more IoT devices than smartphones) and we can expect that number to grow to 20 or even 30 billion by the end of the decade.

They aren’t all bad, and they aren’t all going to get zombified and recruited into a botnet, but Mirai’s already making us rethink what we call a big DDoS with somewhere in the region of 50,000 devices.

Do you want an IoT of twenty or thirty billion devices in neatly sub-divided, hard-to-update and easy to exploit software monocultures? No, me either, so let’s start by dropping this Things nonsense and call the IoT what it is and always was, the internet, and act accordingly.

In the meantime here are some useful things that you can do right now to make the IoT a slightly less baskety case.