In many cases, straightforward changes to device development, distribution, and maintenance processes can prevent the distribution of IoT devices that suffer from significant security and privacy issues. BITAG believes the recommendations outlined in this report may help to dramatically improve the security and privacy of IoT devices and minimize the costs associated with collateral damage. In addition, unless the IoT device sector—the sector of the industry that manufactures and distributes these devices—improves device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise that IoT holds.
Although the report is right that following its recommendations would "prevent the distribution of IoT devices that suffer from significant security and privacy issues", there are good reasons why this will not happen, and why even if it did the problem would persist. The Department of Homeland Security has a similar set of suggestions, and so does the Internet Society, both with the same issues. Below the fold I explain, and point out something rather odd about the BITAG report. I start from an excellent recent talk.
I've linked before to the work of Quinn Norton. A Network of Sorrows: Small Adversaries and Small Allies is a must-read talk she gave at last month's hack.lu examining the reasons why the Internet is so insecure. She writes:
The predictions for this year from some analysis is that we’ll hit seventy-five billion in ransomware alone by the end of the year. Some estimates say that the loss globally could be well over a trillion this year, but it’s hard to say what a real number is. Because in many ways these figures can’t touch the real cost of insecurity on the Internet. The cost of humiliation and identity theft and privacy traded away. The lost time, the worry. The myriads of tiny personal tragedies that we’ll never hear about.
These large numbers conflict with estimates from companies as to the cost of insecurity. As I mentioned in You Were Warned, Iain Thomson at The Register reported that:
A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision.
Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.
Note, however, that 0.4% of global corporate revenue is still a whole lot of money flowing to the bad guys. The reason for the apparent conflict is that, because companies are able to use Terms of Service to disclaim liability, the costs fall largely on the (powerless) end user. Norton uses an example:
One media report in the US estimated 8,500 schools in America have been hit with ransomware this year. Now, the reason why I think it’s really interesting to point out the American figures here is this is also a national system where as of last year, half of all students in US public schools qualify for poverty assistance. Those are the people paying these ransomwares. And it’s hard to get a real figure because most schools are hiding this when it happens.
Her audience was people who can fix the security problems:
most people who are pulling a paycheck in this field are not interacting with the pain that most people are experiencing from network insecurity. Because you end up working for people who pay. ... That high school can’t afford anyone in this room. And that means that so much of this pain and insecurity in the world isn’t readily visible to the people who work in the field, who are supposed to be fixing it.
The potential fixers are not putting themselves in the shoes of those suffering the problem:
Because in the end, one of the conflicts that comes up over this, one of the reasons why users are seen as a point of insecurity, is because getting the job done is more important than getting it done securely. And that will always be in conflict.
This is where Norton's talk connects to the BITAG report. The report's recommendations show no evidence of understanding how things look to either the end users, who are the ISP's customers, or to the manufacturers of IoT devices.
First, the view from the ISP's customers. They see advertising for webcam baby monitors or internet-enabled door locks. They think it would be useful to keep an eye on the baby or open their front door from wherever they are using their smartphone. They are not seeing:
WARNING: everyone on the Internet can see your baby!
or:
WARNING: this allows the bad guys to open your front door!
They may even know that devices like this have security problems, but they have no way to know whether one device is more secure than another and, let's face it, none of these devices is actually "secure" compared to things people think of as secure, such as conventional door locks. They all have vulnerabilities that, with the passage of time, will be exploited. Even if the vendor followed the BITAG recommendations, there would be windows of time between the bad guys finding the vulnerability and the vendor distributing a patch during which the bad guys would be exploiting it.
They are definitely not seeing a warning on the router they got from their ISP saying:
WARNING: this router gives the bad guys the password to your bank account!
After all, they pretty much have to trust their ISP. Nor are they seeing:
WARNING: This device can be used to attack major websites!
Even if the customer did see this warning, the fate of major websites is not the customer's problem.
Customers aren't seeing these warnings because no-one in the IoT device supply chain knows that these risks exist, nor is anyone motivated to find out. Even if they did know, they wouldn't be motivated to tell the end user, either prior to purchase, because it would discourage the purchase, or after the purchase, because thanks to Terms of Service it is no longer the vendor's problem.
Expecting end users to expend time and effort fixing the security issues of their IoT devices before disaster strikes is unrealistic. As Norton writes:
If you are sitting in this room, to some degree people are paying you to use a long password. People are paying you to worry about key management. If you are a trash collector or radiologist or a lawyer, this takes away from your work day.
Second, the view from the IoT device manufacturer. In June 2014 my friend Jim Gettys, who gained experience in high-volume, low-cost manufacturing through the One Laptop Per Child project and the OpenWrt router software effort, gave a talk at Harvard's Berkman Center entitled (In)Security in Home Embedded Devices. It set out the problems IoT device manufacturers have in maintaining system security. It, and Bruce Schneier's January 2014 article The Internet of Things Is Wildly Insecure — And Often Unpatchable that Jim inspired, are must-reads.
The IoT device supply chain starts with high-volume, low-margin chip vendors, who add proprietary "binary blobs" to a version of Linux. Original device manufacturers (ODMs), again a low-margin business, buy the chips and the software and build a board. The brand-name company buys the board, adds a user interface, does some quality assurance, puts it in a box and ships it. Schneier explains:
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority.
The result is:
the software is old, even when the device is new. For example, one survey of common home routers found that the software components were four to five years older than the device. The minimum age of the Linux operating system was four years. The minimum age of the Samba file system software: six years. They may have had all the security patches applied, but most likely not. No one has that job. Some of the components are so old that they’re no longer being patched.
Because the software is old, many of its vulnerabilities will have been discovered and exploited. No-one in the supply chain has the margins to support life-long software support, quality assurance and distribution. Even if it were possible to provide these functions, a competitor providing them would price itself out of the market. The BITAG recommendations would work in a different world, but in this one the supply chain has neither the ability nor the resources to implement them.
Bruce Schneier recently testified to the House Energy & Commerce Committee, pointing out the reason why, even if the BITAG recommendations were in effect, the problem wouldn't be solved:
These devices are a lower price margin, they’re offshore, there’s no teams. And a lot of them cannot be patched. Those DVRs are going to be vulnerable until someone throws them away. And that takes a while. We get security [for phones] because I get a new one every 18 months. Your DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going to replace my thermostat approximately never. So the market really can’t fix this.
There are already enough insecure IoT devices on the network to bring down the Internet. Millions more are being added every week. And they aren't going away any time soon.
So, to conclude, what is odd about the report? As far as I can see, there is nothing in the report from the Broadband Internet Technical Advisory Group about what the Broadband Internet industry can do to fix the security issues the report raises. It lays the blame for the problem squarely on the IoT device industry. Very convenient, no?
There clearly are things the broadband industry could do to help. Intel's Schrecker has made one proposal, but it is equally impractical:
As for coping with the threat we face now, courtesy of millions of pathetically insecure consumer IoT devices, Schrecker’s proposed solution sounds elegantly simple, in theory at least: “Distribute, for example, gateways. Edge gateways that can contain a DDoS and are smart enough to talk to each other and help contain them that way.”
ISPs haven't deployed even the basic BCP38 filtering, which would ensure that packets had valid source addresses, and thus make DDoS attacks traceable. But they're going to buy and deploy a whole lot of new hardware? Note that the Mirai DDoS botnet technology has recently been upgraded to spoof source addresses:
Propoet also advertised another new feature, which is the ability to bypass some DDoS mitigation systems by spoofing (faking) the bot's IP address. Previous versions of the Mirai malware didn't include this feature.
2sec4u confirmed in a private conversation that some of the newly-spawned Mirai botnets can carry out DDoS attacks by spoofing IP addresses.
The upgraded technology is used in a botnet four times bigger than the one that took out Dyn last month. It rents for $50-60K/month, nothing compared to the damage it can do. Mirai has been updated with some zero-day exploits to which somewhere between 5M and 40M home routers appear to be vulnerable. Estimating 30% utilization of the 5M resource at $50K/month suggests Mirai-based botnets are a $2.2M/year business.
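As an added illustration of the BCP38 filtering referred to above (my own sketch, not code from the BITAG report or from any ISP), the following Python models source-address validation at a customer-facing port and the traceability it gives a DDoS victim; the customer interfaces, prefixes and packets are constructed sample data.

```python
# Added example: BCP38-style ingress (source-address) filtering at an ISP access edge.
# Not code from the BITAG report or any ISP; the prefixes and packets are constructed
# sample data drawn from the RFC 5737 / RFC 3849 documentation address ranges.
import ipaddress
from collections import namedtuple

# Hypothetical customer ports and the prefixes the ISP assigned to each.
CUSTOMER_PREFIXES = {
    "cust-a": ["203.0.113.0/28", "2001:db8:a::/64"],
    "cust-b": ["203.0.113.16/28"],
}

Packet = namedtuple("Packet", "iface src dst")  # arrival port, claimed source, destination

# Constructed traffic: two legitimate packets and two with forged sources.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.5", "198.51.100.1"),         # valid IPv4
    Packet("cust-a", "2001:db8:a::10", "2001:db8:ffff::1"),  # valid IPv6
    Packet("cust-a", "192.0.2.77", "198.51.100.1"),          # forged: not cust-a's
    Packet("cust-b", "203.0.113.5", "198.51.100.1"),         # forged: cust-a's range
]

def build_table(prefixes):
    """Parse the per-interface prefix table once."""
    return {i: [ipaddress.ip_network(p) for p in ps] for i, ps in prefixes.items()}

def permitted(pkt, table):
    """BCP38 rule: forward only if the claimed source falls inside a prefix
    assigned to the interface the packet actually arrived on."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in table.get(pkt.iface, []))

def filter_traffic(packets, prefixes):
    """Split traffic into (forwarded, dropped); the dropped list is what an
    operator would log as spoofing attempts from that port."""
    table = build_table(prefixes)
    forwarded = [p for p in packets if permitted(p, table)]
    dropped = [p for p in packets if not permitted(p, table)]
    return forwarded, dropped

def trace_source(src, prefixes):
    """The traceability BCP38 buys a victim: once every ISP filters, an
    address seen in attack traffic maps back to the one port that could have
    emitted it. Returns None for an address no customer was assigned."""
    addr = ipaddress.ip_address(src)
    for iface, nets in build_table(prefixes).items():
        if any(addr in net for net in nets):
            return iface
    return None
```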
Schrecker is right about the seriousness of the DDoS threat:
If the operators behind these IoT-enabled botnets were to “point them at industry” instead of smaller targets such as individual journalists’ websites, as happened with infosec researcher Brian Krebs, the impact on the world economy could be “devastating”, he added.
ISPs could do more to secure IoT devices, for example by detecting devices with known vulnerabilities and blocking access to and from them. But this would require a much higher level of user support than current ISP business models could support. Again, an ISP that "did the right thing" would price itself out of the market.
There is plenty of scope for finger-pointing about IoT security. Having industry groups focus on what their own industry could do would be more constructive than dumping responsibility on others whose problems they don't understand. But it appears that in all cases there are collective action and short-termism problems. Despite the potential long-term benefits, individual companies would have to take actions against their short-term interests, and would be out-competed by free-riders.