Oh, goody:
Researchers from Dalhousie University (Canada) and the Weizmann Institute of Science (Israel) have published a working paper detailing a proof-of-concept attack on smart lightbulbs that allows them to wirelessly take over the bulbs from up to 400m, write a new operating system to them, and then cause the infected bulbs to spread the attack to all the vulnerable bulbs in reach, until an entire city is infected.
Note that the attack doesn't spread via the Internet. Rather, it spreads by built-in wifi that bypasses your home firewall. This is bad, bad juju:
First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.
Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.
The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.
An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don't care. They wanted a webcam — or thermostat, or refrigerator — with nice features at a good price. Even after they were recruited into this botnet, they still work fine — you can't even tell they were used in the attack. The sellers of those devices don't care: They've already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It's a form of invisible pollution.
Bruce Schneier says that we need government regulation to address this. I think that's a bad idea - any regulation seems unlikely to have enough security technical requirements to make much difference. A better approach is to address the market failure - if the ISP were required to drop customers who had devices that were used in these attacks, the end customer would very quickly care rather a lot about whether their light bulbs were secure.
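Whether it is a regulator, an ISP or a home-router vendor that ends up acting, someone first has to spot which devices are taking part in an attack like the one against Dyn. The script below is an added example (not part of the original post or its comments) of the simplest form of that check: it groups outbound flow records per device and time window and flags a device that pours nearly all of its packets at a single destination. The flow records, IP addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration.

```python
"""Flag devices whose outbound flows look like participation in a volumetric DDoS.

Added example; the flows and thresholds below are constructed, not captured data.
"""
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, packets).
# Addresses come from the RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_FLOWS = [
    # A webcam at 192.0.2.10 hammering one authoritative DNS server on UDP/53.
    *[(1020 + i * 2, "192.0.2.10", "198.51.100.53", 53, 600) for i in range(20)],
    # A laptop at 192.0.2.20 doing ordinary browsing.
    (1021, "192.0.2.20", "203.0.113.5", 443, 40),
    (1030, "192.0.2.20", "203.0.113.6", 443, 25),
    (1040, "192.0.2.20", "198.51.100.53", 53, 3),
    (1050, "192.0.2.20", "203.0.113.7", 80, 60),
    # A thermostat at 192.0.2.30: busy, but spread over many destinations (cloud sync).
    *[(1020 + i, "192.0.2.30", f"203.0.113.{100 + i}", 443, 300) for i in range(20)],
]


def find_suspect_devices(flows, window=60, min_packets=5000, min_share=0.9):
    """Return sorted (src_ip, top_dst, window_start, packets_to_top_dst) tuples.

    A source is flagged for a time window when it sent at least `min_packets`
    and at least `min_share` of those packets went to a single destination.
    Busy-but-diverse devices (the thermostat) and light users (the laptop)
    fall through both tests; a single-target flood (the webcam) does not.
    """
    # (src_ip, window_start) -> dst_ip -> packets
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _dport, packets in flows:
        window_start = (ts // window) * window
        buckets[(src, window_start)][dst] += packets

    suspects = []
    for (src, window_start), per_dst in buckets.items():
        total = sum(per_dst.values())
        if total < min_packets:
            continue  # not enough volume to matter
        top_dst, top_packets = max(per_dst.items(), key=lambda kv: kv[1])
        if top_packets / total >= min_share:
            suspects.append((src, top_dst, window_start, top_packets))
    return sorted(suspects)


def devices_to_quarantine(flows, **thresholds):
    """Distinct source IPs that were flagged in any window; what an ISP or
    home router would act on (notify the subscriber, or cut off that device)."""
    return sorted({src for src, _dst, _win, _pkts in find_suspect_devices(flows, **thresholds)})


if __name__ == "__main__":
    for src, dst, win, pkts in find_suspect_devices(SAMPLE_FLOWS):
        print(f"{src} sent {pkts} packets to {dst} in the window starting at t={win}s")
    print("quarantine:", devices_to_quarantine(SAMPLE_FLOWS))
```

The thresholds are deliberately coarse: a real deployment would tune `min_packets` per subscriber tier, look at packet rate rather than a fixed bucket, and whitelist destinations the device is expected to talk to. The point is that the evidence the post wants ISPs to act on is already in the flow data they collect; the open question in the post and its comments is who is obliged to act on it.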
Good points...
I hate to say this could destroy the entire Internet, but this could destroy the entire Internet. If it's undependable when it's most needed because of botnet attacks, what good is it?
But saying we don't want government regulation and then addressing the market failure by regulating the ISPs is still government regulation. If ISPs did it on their own: fine. I'd think they'd want to.
Is there a way to break up these DDoS attacks from the defensive side? Seems to me, someone who figured that out would make a pretty penny.
I agree that regulation is probably not the best answer, but how does the end customer go about figuring out whether their light bulbs are secure? I can easily decide not to buy a Nest thermostat (as in oh HELL no), but I don't want to need IT credentials.
It's probably a given that I need to get out of The Bunker more often, but... "internet connected lightbulbs"? Internet connected lightbulbs? What's next? "Internet connected...," no, never mind, this is a family blog, children may be reading.
An "internet connected refrigerator" is just plain stupid; I'm at a complete loss to rank where lightbulbs fall on that chart. Hell, handbaskets, etc.
Back into The Bunker....
Your suggestion about having the ISPs address this issue is spot on. Think about distributed pollution, like particulates from a smokestack without a precipitator. In a truly free (libertarian) market, the particulates from the smokestack landing on my property and causing whatever damage would be considered a trespass. My only need is to analyze the particulates and show scientifically that they came from that company's smokestack. The company can then either install a precipitator (or other solution to keep the particulates from escaping), or pay me an agreed-upon sum to put up with it.
In this case, no amount of money can compensate, so the particulates must be prevented from leaving the factory. So the ISP says, "No internet for you!" until the offending devices are removed or neutralized. This puts the onus of action where it belongs, on the careless consumer. You want to have nice things? Don't track your particulates into other folks' living rooms.
Eventually, some companies will make IoT devices with sufficient security (if possible) and manage to price them so that some people with more money than brains still want to buy them. Or some soon-to-be-wealthy entrepreneur will come up with a technological fix I am too ignorant to think up. I know economics, not networks.
Uhh...Nosmo. There are already a bunch of Internet connected...intimate devices.
Some have had problems with a leak... of data, due to a poor privacy policy and just plain stupidity (i.e., chat and commands sent in plain text).