Thursday, June 7, 2018

The Island of Misfit Toys

The Berkman Center's Johnathan Zittrain has a New York Times editorial entitled From Westworld to Best World for the Internet of Things starts:
Last month the F.B.I. issued an urgent warning: Everyone with home internet routers should reboot them to shed them of malware from “foreign cyberactors.”
Below the fold, some details and a critique of  Zittrain’s proposals for improving the IoT.

Bruce Schneier (a 2014 Wired article) and my friend Jim Gettys (a 2014 Berkman Center talk) have been running around with their hair on fire about the problem of vulnerable home routers and other Things in the Internet for at least four years. Here is Schneier:
Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.

The system manufacturers – usually original device manufacturers (ODMs) who often don't get their brand name on the finished product – choose a chip based on price and features, and then build a router, server, or whatever. They don't do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they're done, too.

The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it's shipped.
Zittrain has three suggestions. The first tries to address the costs of abandoned software:
Companies making a critical mass of internet-enabled products should be required to post a “networked safety bond” to be cashed in if they abandon maintenance for a product, or fold entirely. Insurers can price bonds according to companies’ security practices. There’s an example of such a system for coal mining, to provide for reclamation and cleanup should the mining company leave behind a wasteland.

For internet-connected appliances, “reclamation” can entail work by nonprofit foundations to maintain the code for abandoned products, creating an “island of misfit toys,” in the parlance of the famed 1964 Rankin/Bass stop-motion Christmas special. Proceeds from redeemed bonds would go to these foundations to maintain the products, like the way the Mozilla Foundation has transformed the 1998 Netscape browser long after its originators left the scene.
The second addresses what happens if the Thing can no longer talk to the Internet:
A second intervention would require networked products modeled after analog counterparts to work even without connectivity. A smart coffee maker shouldn’t be so clever that it can’t make coffee without internet access. Switchover to non-connectivity mode will not merely help prevent things from becoming useless when the internet goes down, or if the original vendor disappears or jacks up service prices. It can also provide a soft landing for appliances that reach the end of their supported life cycles while still beloved by owners.
A third addresses the problems of vendor lock-in:
Finally, networked devices made by different vendors need to be able to communicate with one another — the way that, say, Mac and PC users seamlessly exchange email. That prevents a household from becoming locked into a single vendor for all its appliances. It also prevents us from flocking to one or two vendors whose compromise could cause widespread consequences.
$15.99 home router
The picture shows the problem with these, and every proposal to impose regulation on the Things in the Internet. It is a screengrab from Amazon showing today's cheapest home router, a TRENDnet TEW-731BR for $15.99:
  • There's no room in a $15.99 home router's bill  of materials for a "network safety bond" that bears any relation to the cost of reclamation after TRENDnet abandons it.
  • There's no way any home router, let alone a $15.99 one, can work without connectivity.
  • The whole function of a home router is interconnection. 
Anyone who has read Bunnie Huang's book The Hardware Hacker will understand that TRENDnet operates in the "gongkai" ecosystem; it assembles the router from parts including the software, the chips and their drivers from other companies. Given that after assembly, shipping and Amazon's margin, TRENDnet's suppliers probably receive only a few dollars, the idea that they could be found, let alone bonded, is implausible. If they were, the price would need to be increased significantly. So on Amazon's low-to-high price display the un-bonded routers would show up on the first page and the bonded ones would never be seen.

Yes, it is possible that the FCC could force routers sold in the US to be bonded. But the idea that consumers in the rest of the world would pay significantly more for bonded routers to solve a problem that they never see is equally implausible. And the router-based botnet that takes down Facebook doesn't need US routers, there are plenty of vulnerable routers elsewhere. This is a global problem, not one that can be fixed by US regulators alone.

Many other Things in the Internet are currently less of a problem than routers, because they typically retain at least some functionality if they are disconnected, and they likely cost more than $15.99. But this advantage is rapidly disappearing. One major trend in cost reduction is to dispense with switches, lights, displays and other user interface components and outsource the device's UI to the consumer's smartphone. A cheap drone and a cheap endoscope are the two most recent products I purchased of this kind.

Both are non-functional without their "app", and part of the reason they're so cheap is likely to be that the flow of privacy-violating information back to the manufacturer is a big part of their profit margin. It is, for example, for cellphone manufacturers, as reported by Gabriel J.X. Dance, Nicholas Confessore and Michael LaForgia in the New York Times:
Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.

But the partnerships, whose scope has not previously been reported, raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.
So, yes, Zittrain's ideas are positive. They're just inadequate to the scale of the problem. As competition drives down the price of the Things, the mis-match between their margins and their potential externalities will continue to increase.


The router malware the FBI is warning about is a professional job. Open source botnet software like Mirai has made it possible for amateurs to amass large zombie armies of routers, web-cams, and other Things in the Internet. Sometimes the amateurs make amateur mistakes which hamper their efforts, such as the buffoons behind the Owari derivative of Mirai:
Ankit Anubhav, of Newsky Security, said researchers with the company were able to take over the MySQL server used to control the Owari botnet – thanks to its creator leaving port 3306 open and the username and password as root.
At other times the amateur mistakes might have devastating consequences, as Robert Morris' mistake did.


David. said...

Bruce Schneier's Router Vulnerability and the VPNFilter Botnet has details on the reason why the FBI asked people to reboot their routers:

"So if it won't clear out the malware, why is the FBI asking us to reboot our routers? It's mostly just to get a sense of how bad the problem is. The FBI now controls When an infected router gets rebooted, it connects to that server to get fully reinfected, and when it does, the FBI will know. Rebooting will give it a better idea of how many devices out there are infected."

David. said...

Catalin Cimpamu's Someone Is Taking Over Insecure Cameras and Spying on Device Owners describes another example of the supply chain complexity behind the IoT:

"Many brands of webcams, security cameras, pet and baby monitors, use a woefully insecure cloud-based remote control system that can allow hackers to take over devices by performing Internet scans, modifying the device ID parameter, and using a default password to gain control over the user's equipment and its video stream.

In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream."

David. said...

"Google's entire Home infrastructure has suffered a serious outage, with millions of customers on Wednesday morning complaining that their smart devices have stopped working.

At the time of writing, the service is still down, and appears to have been knackered for at least the past 10 hours." reports Kieran McCarthy at The Register in Not OK Google: Massive outage turns smart home kit utterly dumb

David. said...

"Like Mirai, IoTroop is designed to create a global botnet from IoT devices. More insidiously than Mirai, though, IoTroop uses infected IoT devices to search for and infect other devices -- which means that once it gains a foothold inside of a network, it can (and almost certainly will) rapidly spread itself to many other connected devices. Arguably even worse, IoTroop isn't just useful for building a botnet. Its structure is such that, once a device is infected, it sits and waits for its command-and-control server to send it code to execute. ... The reality is that researchers still do not know the intended usage of IoTroop, and likely will not know until detectable payloads are delivered by hackers and found by researchers.

The scale of the threat posed by IoTroop also equals its scope: Because IoTroop spreads itself, it grows exponentially rapidly. It's currently known that devices from at least twelve manufacturers are vulnerable, ... Indeed, the list of devices it has already infected is in fact large enough that the Check Point researchers have discovered it in approximately 60% of corporate networks."

From Why IoTroop / Reaper Remains a Persistent Threat. The details from Check Point are in IoTroop Botnet: The Full Investigation.