The Ghost of IoT Yet to Come: The Internet of (Insecure) Things in 2017
I have endeavored in this ghostly little essay to raise the ghost of an idea which has been haunting me these last few months.
The latest Hype Cycle for Emerging Technologies tells us that IoT is short of the Peak of Inflated Expectations and five to ten years from the Plateau of Productivity. But already it presents some wonderful cautionary tales. They range from funny stories about spending 11 hours trying to boil water for tea to more alarming accounts, such as the record-breaking Distributed Denial of Service (DDoS) attack against reporter Brian Krebs’ website, a subsequent (and also record-breaking) attack on Dyn (a provider of DNS services infrastructure critical for the operation of the Internet) that brought down the Internet on the East Coast, and -- still more recently -- an attack on home DSL routers that knocked nearly a million German users offline. All of these attacks have something in common: vulnerable, Internet-connected devices that were exploited by the Mirai Botnet or its variants.
If the holiday product ads are any indication, we can assume that many Internet-connected devices will be unwrapped in the coming weeks. We can also safely assume that the software on these new gadgets won’t be any less vulnerable. This is the specter of IoT yet to come. This is what keeps me up at night.
To the cameras vulnerable to SQL injection, DVRs with unchangeable default passwords, hackable home security systems whose firmware cannot be upgraded, and routers whose configurations can be changed without authentication over a clear-text connection, I say: “I fear you more than any other specter.” The question is what is to be done?
With the looming threat of larger and more damaging attacks, we could embrace Neo-Luddism, giving up or actively destroying technology. This would neutralize the threat but this “solution” is as impractical as the prediction is unrealistic. Alternatively, one could make the equally unrealistic prediction that we’ll suddenly get better at writing code and all these vulnerabilities will magically disappear.
In the spirit of seasonal generosity, I offer “gifts” you can give yourself. Admittedly, they’re more in the vein of sensible shoes than flamboyant gestures like a giant UHD OLED flat screen TV. Some assembly is required, but they are durable and deliver long-lasting benefits.
Are you a product or program manager? Take your cue from Benjamin Franklin: “One line of preventative code is worth 100 lines of remedial code,” a conservative estimate but a good place to start. Security and security lifecycle must be part of your product design or minimum viable product (MVP). This may sound daunting, but it’s easier (and, better still, cheaper) than it sounds. Skeptical? John Overbaugh at InfoSecure.io has some great recommendations for SDLC on a Shoestring. In terms of cost, keep this in mind: a failed security audit in the verification stage of the product lifecycle that results in late-stage design and engineering changes is less expensive than having to redesign and reengineer a product after it has shipped.
Are you a developer or software engineer? Poorly implemented crypto is just as bad as no crypto. Do the Cryptopals Crypto Challenges. Use these eight exercises to refine your understanding of cryptography in software, including how to identify, exploit, and then avoid cryptographic weaknesses. Take a penetration testing course because it is a certainty that somebody’s Red Team will attack your software, so it might as well be yours. Like the Crypto Challenges, learning the ways that applications are attacked will teach you to avoid the most common mistakes and help you write better code.
Are you a network or security architect, engineer, or operator? It’s high time you started minding your MANRS. Yes, everyone tries to be on their best behavior during the holidays, but the Internet Society’s Mutually Agreed Norms for Routing Security provide a simple framework for keeping the “I” in IoT on its best behavior the whole year round. The MANRS recommendations outline four expected actions for participants, and everyone responsible for a network needs to be doing the second: preventing traffic with spoofed source IP addresses. The DDoS attacks we saw in 2016 could easily have been mitigated if traffic from spoofed addresses had been dropped closer to the Internet edge.
If you’re looking for a bigger undertaking, your New Year’s resolution should be to get serious about network segmentation. Vulnerable IoT devices provide an attack surface and pivot point for attacking other parts of your infrastructure. Network segmentation is not a trivial undertaking, but it’s your best tool for protecting your network from hackable IoT devices.
In the end, there is one prediction to proffer. As Scrooge observes, “Courses will foreshadow certain ends, to which -- if persevered in -- they must lead.” If we don’t start doing things differently, the IoT will become like the chains binding Marley and the other phantoms: “made link by link, and yard by yard; girded on of our own free will and of our own free will worn.”
Of course, Scrooge continues, “if the courses be departed from, the ends will change,” perhaps allowing the vast means of usefulness and all the good to which IoT is susceptible to become reality.
“Assure me that we yet may change these shadows you have shown me.”
James Plouffe is a Lead Architect with MobileIron and a Technical Consultant for the hit series Mr. Robot who cribs liberally from the work of Charles Dickens, as well as other authors, and who owns a kettle which is electric but has no Wi-Fi. He’s in the Twittersphere: @MOBLAgentP