The PivotNine Blog

IoT Security Is A Mess That Will Take An Age To Fix

21 October 2016
Justin Warren

Barely a month after Brian Krebs' website was temporarily knocked offline by what was, at the time, a historically large Distributed Denial of Service (DDoS) attack, another, even larger DDoS attack has caused havoc with websites all day.

This latest attack targeted the DNS provider Dyn. Sites including Twitter, Spotify, and Reddit were reportedly suffering because their domains resolve through Dyn, so when Dyn's name servers could not answer, the sites themselves became unreachable even though they were up. The attack appears to have come from the same kind of source as the one against Krebs: millions of poorly secured Internet of Things (IoT) devices, such as security cameras and Digital Video Recorders (DVRs).

The ease with which attackers can take over these cheap and plentiful devices and enslave them into million-strong zombie armies is disturbing. In many cases the "vulnerability" is nothing more exotic than a factory-default password on a telnet port left open to the Internet. It threatens the reliability of the Internet upon which millions of people have come to depend.

This isn't a new issue. Attacks that turn compromised machines against the Internet's own mechanisms were documented at least as far back as 2005. There have been flaws in Philips' Hue lightbulbs, Google's Nest, and basically everything else, according to HP's IoT research back in 2015.

Paul Vixie, author of BIND and one of the architects of the modern DNS, issued warnings about it back in 2012 while the DNSChanger botnet raged. Since then, botnets and DDoS attacks have become orders of magnitude larger and more destructive. The flood of new Internet-connected devices only grows each year, as the hype train gathers speed and those with dreams of striking it rich join this latest gold rush.

The problem is extremely difficult to solve, and at its heart is an economic conundrum.

The security flaws are in the software, and that is what makes them different from a material or design flaw in a purely physical product, which is fixed at the factory and either present or absent when the product ships. New software issues can be discovered years after the original product was created. Manufacturers stop supporting older devices and don't release new firmware for them, because why should they? Many devices ship with no mechanism for receiving updates at all, so even a willing manufacturer has no way to push a fix. Security is hard to do well, which raises the cost. Consumers demand new features and lower prices, and a company that tries to be slower and more expensive (though more secure) than its competitors is a company that dies.

Consumers don't value this kind of security, because the flaws do not directly affect them. If your IP-connected camera becomes part of a botnet, it continues to do its regular job as well, so you may never know it has been enslaved. It is in the botnet operator's interest to keep that fact hidden from the device's owner, the better to keep the botnet alive.

Laws that prohibit circumventing copy-protection mechanisms have the unintended consequence that consumers do not fully own the devices they buy, so fixing the firmware themselves is difficult, and may even be illegal, for those who decide to do so out of a sense of civic duty. ISPs bear the brunt of the costs, as it is their networks that have to carry the gigabits (and, increasingly, terabits) of bogus traffic these botnets generate. If they quarantine infected customers, they have to deal with the inevitable support calls from angry customers demanding to know why they can't access Netflix.

If we do impose some sort of liability on those who build Internet-connected devices, how far does that liability go? What of individual developers who spin up virtual machines in cloud services to try out some new idea, or to learn how to write some new service? Should a fledgling startup be responsible for flaws in the Linux kernel of the VM it puts online for its new SaaS service? If scale of deployment is the problem, how many devices do you get to ship before the liability kicks in?

How does claiming against the responsible party work in a global world full of mismatching laws that barely cope with the online world as it is?

A concerted, global response to a major issue is not unprecedented. We, as a species, managed to deal with polio and the ozone hole with reasonable speed, but tackling climate change hasn't exactly been a home run. Any legal or governmental response will, by its very nature, be complex and drawn out, and it's not clear that we have the time.

Let's just hope we can figure out something before botnets render the current system unusable.

My thanks to Richard Chirgwin for helping me research the history of this awful situation.

This article first appeared in Forbes.com here.