No wonder we're being hit by Internet of Things botnets. Ever tried patching a Thing?

Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register. Speaking in the aftermath of the large DDoS against security journalist Brian Krebs, Ellis elaborated a little on the makeup of the botnet which took down …

  1. Stevie

    Bah!

    All your website are belong to lightbulb.

    Told ya so.

  2. Richard Jones 1

    Naming Error

    IOT, sorry, that should be Internet Direct Integration of Threats Including Chaos, IDIoTIC.

    Unmanaged and largely unmanageable devices with just enough smarts to be dangerous, flung out where they can do most harm and little benefit; what could go wrong?

  3. frank ly

    Oh wow

    "He also said that IoT devices ought to be “deployed in a fashion that makes them automatically update and keep themselves secure all the time.” "

    My inner miscreant is salivating (or some other bodily fluid) at the thought of that happening.

    1. Tom Paine

      Re: Oh wow

      Why? Haven't you heard of code signing?

  4. Anonymous Coward

    "download an executable to my desktop and run it"

    "download an executable to my desktop and run it" actually means: set up a virtual machine (VM), install a "supported" version of some commercial operating system in that VM, set up networking on and for the VM, then run the crappy untrusted executable.

  5. Anonymous Coward

    When are they going to include all the 'smart' meters in this? They would make one hell of a botnet.

    1. Richard Jones 1

      @Ivan how do you know they are not already being bot-herded? I thought that they were connected via mobile access, so apart from crashing mobile networks, what is more likely to happen?

      I do not know what they are capable of doing, hence the question. They might be too dumb to do anything much, but other experience suggests that will not be the case; an over-capable off-the-shelf part is more likely.

  6. Jeroen Braamhaar

    Acronymize please!

    Insecure

    Default

    Internet

    of

    Things

  7. Don Dumb

    Step #1 Missing

    The process to install the patch is missing the most difficult bit -

    Step #1 - vendor produces and issues patch on their website.

    I didn't think that the process of patching sounded that difficult. However, this is all completely academic if the vendor doesn't ever consider supporting the device, let alone issue patches for a 'reasonable' period - that reasonable period being a lot longer than the support durations of even most IT company policies.

    People expect appliances to last for longer than a decade, if they are a Thing On The Internet, that means they need to be supportable for that period (either by the manufacturer or by a third party). If the government is serious about 'Cyber' being one of the big threats, then they need to back this up with policy and regulations.

    Patching just isn't something that the novice is aware they actually need to do and the old fashioned principle of "if it's not broken don't fix it" conflicts with the principle of regular patching. Getting people to do the patching isn't anywhere near as difficult as getting them to even consider it in the first place.

    1. Stoneshop

      Re: Step #1 Missing

      Step #1 - vendor produces and issues patch on their website.

      Step 1a - If no vendor support, patch with C4 or ClF3

    2. ecofeco Silver badge

      Re: Step #1 Missing

      Exactly Don Dumb.

    3. Doctor Syntax Silver badge

      Re: Step #0 Missing

      Find out if vendor still exists.

      1. fidodogbreath

        Re: Step #-1 Missing

        Find a vendor who gives a sh!t about security.

  8. c1ue

    Patching only the first step

    Patching sounds good - except that attackers will start inserting attacks via patching mechanisms.

    This in turn requires code signing. Which in turn requires more CPU/memory power on the IoT.

    Which in turn will result in every IoT device being a full on mobile CPU.

    Which in turn makes the patching process more difficult and expensive.

    The real issue isn't patching IoT - it is the ridiculous idea of sticking everything onto the Internet with the assumption the functionality improves.

    Every move to "secure" IoT has countermoves long ago thought up by attackers, and the fundamental asymmetry of attack resources vs. defense capability - especially in IoT - is not going to change.

    1. DNTP

      Re: Patching only the first step

      Eh let's just take the easy option and make people legally liable for any misuse of their IoT devices. I hear that's working out great for home wireless routers. If a kid these days is smart enough to get on Facebook he's smart enough to write his own security patches for the family light bulbs.

      1. DainB Bronze badge

        Re: Patching only the first step

        Really? I did not realize that all kids now know how to reverse engineer and write low-level code for microcontrollers, and that it takes them roughly 1 second per device to do so.

        Nice to know that IoT devices are not the only dumb things with Internet access.

      2. phuzz Silver badge

        Re: Patching only the first step

        @DNTP

        Careful with that sarcasm there, kiddo, it's a bit too subtle for folks around here.

  9. Michael Jarve

    Is patching even a good idea?

    Given how little thought goes into thinking about security in the first place, I would not doubt that in many cases the cure might be as bad as the disease, at least from the standpoint of end-users. When Microsoft can force a service pack, update or Anniversary Upgrade that can bork whole classes of devices in one go, foisted upon the world whether they want it or not, I hold little hope that the 12 monkeys writing code for (to join the zeitgeist) IDIoTIC devices will not merely add to the Chaos.

    1. Brian Miller

      Re: Is patching even a good idea?

      Patching is a great idea, when it's done right. But usually it's done with the same forethought that went into creating the software in the first place. I.e., none.

      A while back, an anonymous researcher used the IoT to map out all of the corners of the Internet. At that time, I, and everybody else paying attention, realized that all of these IoT devices would make a hell of a botnet, or mining net, or whatever else you wanted. And now we have Akamai being nailed until they screamed.

      What can be done now? Shut down service to the people with the unsecured IoT devices. Unfortunately, that takes effort at the ISP level, and there's not much chance of them doing anything without legal penalties being implemented. And that takes time.

      There is no good solution that doesn't involve effort. People are going to buy these cameras, point them at the baby, open a port in their home router, and tell Grandma to have a look. No manufacturer is going to put time into securing a $20 device, even if it can be easily hacked to DDOS world+dog.

      There's no penalty for bad security.

    2. Doctor Syntax Silver badge

      Re: Is patching even a good idea?

      @ Michael Jarve

      Of course, following up on your idea that an update might bork the device, that can be seen as a benefit. It removes the device from any botnets it's in.

    3. Tom Paine

      Re: Is patching even a good idea?

      Not to worry -- if the updates b0rk (or brick) the Thing in question, it goes into a cupboard or the recycling. Result, one less vulnerable Thing. Which would be good. Arguably the world would be improved if MOST "things" were bricked, anyway.

  10. fidodogbreath

    does the widespread use of an IoT botnet mean that the whole concept of IoT security is fatally flawed?

    No, of course not; a concept has to exist before it can become flawed.

    1. ma1010

      does the widespread use of an IoT botnet mean that the whole concept of IoT security is fatally flawed? Do we need to trash it all and start over?

      Yes.

  11. dnlongen

    Make secure the default state

    IoT security has been a bit of an inside joke for years, but up to now the joke has for the most part been on the owner or user of a device. My pacemaker could be hacked - but hey, it's my pacemaker and my heart, right? That changes when webcams and fridges are conscripted into a giant DDoS weapon.

    In the US, Peiter Zatko (better known as "Mudge") is building a "CyberUL" that could define standards for reasonably securable things. At the risk of appearing to pimp my blog, I suggested some basic standards a year ago (https://www.securityforrealpeople.com/2015/09/what-if-connected-devices-were-secure.html) that are every bit as appropriate today. As c1ue suggested, patching is only one part of the puzzle:

    1. Installation processes should establish a non-default password unique to the owner. Default passwords are an extremely common way of breaking into connected devices; if turning a product on for the first time involves choosing a password - even a weak password - that eliminates this gaping back door.

    2. Products should have automated software and firmware updates available, enabled by default, and *guaranteed for the reasonable lifetime of the product.* How often do home users update their wireless routers, or Internet-connected washing machines? How many smartphones languish with known vulnerabilities simply because the manufacturer chooses not to push updates after a year (or at all)?

    3. Features that impact privacy should be clearly presented so the owner can make an informed decision whether to use the feature. Trading personal information for a service (or a mobile game) is not inherently a bad idea - but it should be a conscious decision.

    4. Features that involve significant safety or privacy risk should be properly isolated from Internet access. Chris Roberts' "flying sideways," and Charlie Miller and Chris Valasek's research into cellular access to vehicle controls, brilliantly demonstrate the danger when this is overlooked.

    5. Documents and content originating from outside the system or device should be automatically untrusted. For example, Windows tags files downloaded from the Internet with a "zone" marking; Microsoft Office products treat these documents as untrusted and disable macros and interactive content by default.

    In each of these cases, an informed consumer may have the choice to override the defaults. I can choose to execute a macro in an Internet document, or to connect my home security system controls to the Internet, but it requires intentional choice, rather than default behavior.
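A first-boot provisioning gate of the kind dnlongen's first point describes, written here as an added Go example (this is not code from the post or from any vendor): the device refuses to enable remote access until the owner has replaced the factory credential, and the replacement may be weak but may not be the factory default or one of a constructed list of well-known defaults. The Thing type, its factory password and the knownDefaults list are assumptions for the example; the salted SHA-256 stands in for a proper password KDF, and first-boot setup is assumed to be reachable only over the local link.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// knownDefaults is a constructed list standing in for the factory credentials
// that botnets try first; a real device would also carry its own default.
var knownDefaults = map[string]bool{
	"admin": true, "password": true, "1234": true,
	"12345": true, "root": true, "default": true,
}

// Thing models the device's credential state. Remote access (cloud, UPnP,
// WAN-facing web UI) stays off until an owner password has been set.
type Thing struct {
	factoryDefault string
	salt           [16]byte
	ownerPWHash    [32]byte
	provisioned    bool
	remoteEnabled  bool
}

var (
	ErrEmptyPassword   = errors.New("password must not be empty")
	ErrDefaultPassword = errors.New("password is the factory default or a well-known default")
	ErrNotProvisioned  = errors.New("remote access stays off until an owner password is set")
)

// NewThing returns a device fresh from the box with its factory credential.
func NewThing(factoryDefault string) *Thing {
	return &Thing{factoryDefault: factoryDefault}
}

// hashPassword is a placeholder for a real password KDF (scrypt, Argon2):
// salted SHA-256 keeps the example dependency-free.
func hashPassword(salt [16]byte, pw string) [32]byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write([]byte(pw))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// SetOwnerPassword is the first-boot step. It does not enforce complexity,
// only that the password is not a default anyone can look up.
func (t *Thing) SetOwnerPassword(pw string) error {
	if pw == "" {
		return ErrEmptyPassword
	}
	if pw == t.factoryDefault || knownDefaults[pw] {
		return ErrDefaultPassword
	}
	if _, err := rand.Read(t.salt[:]); err != nil {
		return err
	}
	t.ownerPWHash = hashPassword(t.salt, pw)
	t.provisioned = true
	return nil
}

// EnableRemoteAccess is the gate: it fails closed on an unprovisioned device.
func (t *Thing) EnableRemoteAccess() error {
	if !t.provisioned {
		return ErrNotProvisioned
	}
	t.remoteEnabled = true
	return nil
}

// Login never accepts the factory default: before provisioning nothing logs
// in, and afterwards only the owner's password matches.
func (t *Thing) Login(pw string) bool {
	if !t.provisioned {
		return false
	}
	h := hashPassword(t.salt, pw)
	return subtle.ConstantTimeCompare(h[:], t.ownerPWHash[:]) == 1
}

// RemoteEnabled reports whether the gate has been passed.
func (t *Thing) RemoteEnabled() bool { return t.remoteEnabled }

func main() {
	kettle := NewThing("admin") // constructed factory default
	fmt.Println("remote access before setup:", kettle.EnableRemoteAccess())
	fmt.Println("set password 'admin':", kettle.SetOwnerPassword("admin"))
	fmt.Println("set password 'grandmas-kettle':", kettle.SetOwnerPassword("grandmas-kettle"))
	fmt.Println("remote access after setup:", kettle.EnableRemoteAccess())
	fmt.Println("login with factory default:", kettle.Login("admin"))
	fmt.Println("login with owner password:", kettle.Login("grandmas-kettle"))
}
```

The design choice worth noting is that the gate fails closed: the network-facing service is not merely warned about, it cannot be switched on while the device still answers to a credential printed on the box.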

    1. Bronek Kozicki

      Re: Make secure the default state

      The one problem with automated firmware updates is that they present "ultimate backdoor". Ultimate, because I cannot imagine a way around it. Just like someone could steal Microsoft's private key (unlikely, but not impossible) to build a "rogue Windows update", so could someone steal keys used to sign the updates of the vendor. The only option is to trust that these keys are well protected (and so are DNS servers pointing to where the updates are served from), and I have a big problem with that, in the context of IoT vendors ...

      1. dnlongen

        Re: Make secure the default state

        That is a key issue. Automated updates require a degree of trust ... a degree of trust that is not always (perhaps even not often) justified. I've done a few bug disclosures specifically for abusable autoupdate routines :-/

        Still, I don't see that consumer IoT devices can be secured at all without building that trustworthy model, and then automating things.
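Tom Paine's "code signing" answer earlier in the thread, Bronek Kozicki's objection that a stolen signing key is the ultimate backdoor, and dnlongen's reply above are illustrated by this added Go example (not code from any commenter or vendor). A device pins the vendor's Ed25519 public key and accepts a firmware manifest only if the signature, the image digest and the version all check out; the last case shows the limit Bronek describes, since a release signed with a leaked vendor key passes every check on the device. The manifest format, the Thing type and the anti-rollback version check are assumptions of the example, and the rollback check goes beyond what the thread discusses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware release: a version counter and the
// SHA-256 of the image file. The format is an assumption for this example.
type Manifest struct {
	Version     uint32
	ImageSHA256 [32]byte
}

// encode returns the canonical bytes the signature covers:
// 4-byte big-endian version followed by the 32-byte image digest.
func (m Manifest) encode() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.ImageSHA256[:]...)
}

// Thing models the device side: a public key pinned at manufacture and the
// version currently installed.
type Thing struct {
	VendorKey ed25519.PublicKey
	Version   uint32
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrImageMismatch = errors.New("image digest does not match the signed manifest")
	ErrRollback      = errors.New("manifest version is not newer than the installed version")
)

// ApplyUpdate accepts an update only if the manifest is signed by the pinned
// key, the image matches the manifest, and the version moves forward. Where
// the bytes came from (the vendor's server, a mirror, a DNS-redirected host)
// is irrelevant: the signature is trusted, the transport is not.
func (t *Thing) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(t.VendorKey, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageSHA256 {
		return ErrImageMismatch
	}
	if m.Version <= t.Version {
		return ErrRollback
	}
	t.Version = m.Version
	return nil
}

// signRelease is the vendor side: build and sign a manifest for an image.
func signRelease(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageSHA256: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

// Scenario runs the constructed cases and returns each outcome by name.
func Scenario() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // not the vendor's key
	if err != nil {
		panic(err)
	}
	image2 := []byte("constructed firmware image v2")
	image3 := []byte("constructed firmware image v3")
	out := map[string]error{}

	// 1. A genuine v2 release for a device currently on v1.
	dev := &Thing{VendorKey: vendorPub, Version: 1}
	m2, sig2 := signRelease(vendorPriv, 2, image2)
	out["genuine"] = dev.ApplyUpdate(m2, sig2, image2)

	// 2. Same manifest and signature, but the image that was served differs.
	out["tampered-image"] = dev.ApplyUpdate(m2, sig2, append([]byte(nil), image2[:len(image2)-1]...))

	// 3. A valid but older release replayed at the device now on v2.
	m1, sig1 := signRelease(vendorPriv, 1, image2)
	out["rollback"] = dev.ApplyUpdate(m1, sig1, image2)

	// 4. A manifest signed with a key that is not the pinned vendor key.
	mO, sigO := signRelease(otherPriv, 3, image3)
	out["wrong-key"] = dev.ApplyUpdate(mO, sigO, image3)

	// 5. The "ultimate backdoor": the vendor's private key has leaked, so a
	// release signed with it passes every check the device can make.
	mL, sigL := signRelease(vendorPriv, 3, image3)
	out["leaked-vendor-key"] = dev.ApplyUpdate(mL, sigL, image3)
	return out
}

func main() {
	results := Scenario()
	for _, name := range []string{"genuine", "tampered-image", "rollback", "wrong-key", "leaked-vendor-key"} {
		if err := results[name]; err != nil {
			fmt.Printf("%-18s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-18s accepted\n", name)
		}
	}
}
```

Case 5 is the point of the exchange: signature verification removes the transport and the DNS path from the trust equation, but nothing on the device can distinguish the vendor from whoever holds the vendor's key, which is why the key custody question does not go away.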

    2. Doctor Syntax Silver badge

      Re: Make secure the default state

      One problem with 2. is that it assumes the manufacturer continues to exist for the reasonable lifetime of the product. It would need some sort of code escrow and bond scheme to enable a 3rd party to take over maintenance.

      1. Bronek Kozicki

        Re: Make secure the default state

        Or even better, a legal requirement for all IoT firmware to be open to customers (or just plain open source). This would discourage people who should not be in this business in the first place, and encourage innovation in actual hardware, as opposed to "USP features" implemented only in software. This would next lead to keeping the firmware simple, which also means easier to secure (not to mention robust) - it is a win-win situation. It might even eventually lead to standardization of parts of firmware.

    3. fidodogbreath

      Re: Make secure the default state

      Installation processes should establish a non-default password unique to the owner.

      So, your grandma is supposed to create unique, complex passwords for her fridge, washer, dryer, toaster, and each individual light bulb? Good luck with those tech support calls. "(sigh) No, grandma, we've been over this. The password for your night light is qZm~7*#dHwU_a. Don't use 0%3Y7_bX-lJr5^, that's for the meat thermometer."

      Features that impact privacy should be clearly presented so the owner can make an informed decision whether to use the feature. [...] Features that involve significant safety or privacy risk should be properly isolated from Internet access.

      Those features do not exist to benefit the device owner. They exist to collect data which will be monetized by the manufacturer. As long as that's the IOT business model, the only time "informed consent" will occur is the purchase decision.

  12. DainB Bronze badge

    Ahaha. Nice one. Of course your random manufacturer of badges for Chinese-made IoT kettles does care about its security and knows how to do it properly. Do you also expect them to run an in-house security audit team and check every kettle for factory-planted malware or backdoors?

    1. Doctor Syntax Silver badge

      "Of course your random manufacturer of badges for Chinese-made IoT kettles does care about its security and knows how to do it properly."

      Remember the bit about a CyberUL? If they wanted to get them to market they'd have to know, just as how they should know about electrical safety of said kettle.

      OK, dangerous goods do get onto the market, but when they do and the dangers are discovered, the local Del Boy vendors get stock seized or maybe get prosecuted, and the public gets warned.

      1. fidodogbreath

        Remember the bit about a CyberUL? If they wanted to get them to market they'd have to know, just as how they should know about electrical safety of said kettle.

        Right. So the no-name cyber-kettle manufacturer slaps on a fake CyberUL sticker, right next to the fake UL, CE, and ROHS ones, and it's back to business as usual.

  13. Anonymous Coward

    Just wait until the Uk has all these smart meters up and running!

  14. cantankerous swineherd

    digital by default eh? massive DoS attacks no bad thing if it makes govt and big business reopen shops and offices with people in them.

  15. Kev99 Silver badge

    Just ask the Cat in the Hat about things, especially Thing 1 and Thing 2

  16. David Roberts

    Not mentioned so far

    What about all the startups which go mammaries skywards after a year or so?

    Who maintains their kit?

    You have paid a shed load of cash to fully automate your home with bleeding edge technology and the manufacturer goes bust. It all works. Do you say "Ah, well, that's life." and rip it all out and start again? Do you buggery. You keep it running until something fails. In fact until enough things fail that you are seriously inconvenienced.

    You cannot rely on the device or the manufacturer for long (or even short) term support. The security has to be external to the device, and constantly evolving. Something which can be configured to provide a buffer between the Internet and your in-house devices. The home router already has the basics there. It should certainly be able to detect if your home network is helping in a DDoS attack and mitigate.

    However the main problem remains; how do you get people to give a shit about security?

    This drifts into the whole issue of PCs enrolled in botnets. If a botnet is discovered and taken over it is perfectly possible to trash the PCs involved. This would be a wakeup call but illegal in most countries. Until there is a realistic penalty for running a compromised device nobody is going to give a shit about security.

  17. ecofeco Silver badge

    It's too late

    IoT has already lost the war.

    The patches will not come fast enough, nor will they be effective, as has been proven over and over in our current environment, and people will forget to update them or flat out will not if there are too many hoops to jump through.

    So it's game over. DOA.

    Fuck the IoT fanbois. Fuck them to death. Morons. Because this will not stop them from doing their damnedest to sell them anyway and the average person will have no clue. One would almost think it was deliberate...

  18. IanCa

    home routers a better line of attack

    For many ISPs these are supplied or at least recommended devices, so pressure can be applied on a relatively small number of organisations (compared to I-Things) to produce new firmware for them with an enhancement to their firewall / UPnP policy rules, something along the lines of:

    detect the OS of newly connected device - nmap OS scan.

    If windows, default to outbound allow. That caters for the non-technical majority who (rightly) expect their windows machines to automatically work.

    If linux or any embedded relation, default to outbound deny.

    If you are running linux at home as an endpoint, you have clue, so you know how to go into your router and add the rules you need to use it.

    If it's an embedded IoThingy then it will ask the router to open ports....

    At this point the router puts an HTTP capture on the browsing sessions from any Windows endpoint, redirecting them to the router admin page, saying that the IoThingy asked for access; do you want to approve it? There should also then be a pre-canned rulebase to allow access to the various manufacturers' sites so the Thing can do its Thingness without having full Internet access. With a lookup of the Thing's MAC address as well, the vendor can be resolved and a rule list suggested.
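IanCa's rule set, as an added Go example that is not the commenter's or any router vendor's code: classify a newly joined host from an OS fingerprint string (the scan itself is assumed to have run already), default Windows to outbound-allow and Linux/embedded to outbound-deny, and when a denied device asks for ports, queue it for owner approval together with a rule list looked up from the MAC's OUI prefix. The OUI table, vendor rule lists, hostnames and MAC addresses are constructed; treating an unrecognised fingerprint like embedded (deny) is a design choice the post does not spell out.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceClass is what the router infers from the OS fingerprint of a newly
// connected host. Only the fingerprint's result string is consumed here.
type DeviceClass int

const (
	ClassWindows DeviceClass = iota
	ClassLinuxOrEmbedded
	ClassUnknown
)

// Verdict is the router's default outbound policy for the device.
type Verdict string

const (
	AllowOutbound   Verdict = "allow-outbound"
	DenyOutbound    Verdict = "deny-outbound"
	PendingApproval Verdict = "deny-outbound-pending-owner-approval"
)

// Device is what the router knows about a host that just joined the LAN.
// AskedForPorts is non-empty when the host requested a UPnP port mapping.
type Device struct {
	MAC           string
	OSGuess       string
	AskedForPorts []int
}

// ouiVendors is a constructed OUI-prefix table with hypothetical vendors; a
// real router would consult the IEEE OUI database.
var ouiVendors = map[string]string{
	"AA:BB:CC": "ExampleCam Ltd",
	"DD:EE:FF": "ExampleBulb Inc",
}

// vendorRules is the constructed "pre-canned rulebase": the few destinations
// a Thing from each vendor needs. Hostnames use the reserved .invalid TLD.
var vendorRules = map[string][]string{
	"ExampleCam Ltd":  {"fw.examplecam.invalid:443", "ntp.examplecam.invalid:123"},
	"ExampleBulb Inc": {"cloud.examplebulb.invalid:443"},
}

// Decision is the policy the router applies plus what it shows the owner on
// the captured admin page.
type Decision struct {
	Verdict        Verdict
	Vendor         string
	SuggestedRules []string
}

// classify maps the fingerprint onto the classes the policy distinguishes.
// Unrecognised fingerprints fall through to ClassUnknown, which decide()
// handles like embedded: deny by default.
func classify(osGuess string) DeviceClass {
	g := strings.ToLower(osGuess)
	switch {
	case strings.Contains(g, "windows"):
		return ClassWindows
	case strings.Contains(g, "linux"), strings.Contains(g, "embedded"),
		strings.Contains(g, "busybox"):
		return ClassLinuxOrEmbedded
	default:
		return ClassUnknown
	}
}

// vendorOf resolves the first three octets of the MAC against the OUI table.
func vendorOf(mac string) string {
	parts := strings.Split(strings.ToUpper(mac), ":")
	if len(parts) < 3 {
		return ""
	}
	return ouiVendors[strings.Join(parts[:3], ":")]
}

// decide applies the default-policy rules: Windows gets outbound, everything
// else is denied, and a denied device that asked for ports is queued for
// owner approval with the vendor-specific rule list attached.
func decide(d Device) Decision {
	if classify(d.OSGuess) == ClassWindows {
		return Decision{Verdict: AllowOutbound}
	}
	dec := Decision{Verdict: DenyOutbound, Vendor: vendorOf(d.MAC)}
	if len(d.AskedForPorts) > 0 {
		dec.Verdict = PendingApproval
		dec.SuggestedRules = vendorRules[dec.Vendor]
	}
	return dec
}

func main() {
	// Constructed sample hosts; MAC addresses and fingerprints are invented.
	hosts := []Device{
		{MAC: "00:11:22:33:44:55", OSGuess: "Microsoft Windows 10"},
		{MAC: "AA:BB:CC:01:02:03", OSGuess: "Linux 3.x (embedded)", AskedForPorts: []int{8080}},
		{MAC: "DD:EE:FF:0A:0B:0C", OSGuess: "Linux 4.x"},
	}
	for _, h := range hosts {
		d := decide(h)
		fmt.Printf("%s %-22q -> %s", h.MAC, h.OSGuess, d.Verdict)
		if d.Verdict == PendingApproval {
			fmt.Printf(" (vendor %q, suggested rules %v)", d.Vendor, d.SuggestedRules)
		}
		fmt.Println()
	}
}
```

The HTTP capture that redirects the owner's browser to the approval page is outside this snippet; decide() produces the state that page would display, and approving it would replace PendingApproval with a rule set limited to SuggestedRules rather than full Internet access.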

  19. User McUser

    IOT is poorly named

    What is currently called the Internet of Things should more rightly be called "Putting Things on the Internet." A proper "Internet of Things" would be devices in my house that communicate with *each other* and receive instructions from me via the Internet through a managed gateway device attached to my router.

    At no point should any of these devices ever get direct unfettered access to the Internet for reasons which should be obvious if you read this article.

    1. Mahhn

      Re: IOT is poorly named

      100% agree. Because the reality of patching all these devices is, that it will "never" happen for most of them.

      If a device is built to auto-patch, there should be a manual activation. As in a physical update button, with a little sticker that says something like: Press when connected to the Internet, do not power off for 20 min, then reboot. The little sticker should be in 36 languages too, lol.

  20. HellDeskJockey

    Users are Key

    It doesn't matter how many patches you offer if users will not use them. Also IOT tends to be difficult to patch. Several things need to be done.

    Offer upgrades with patches. Create an incentive to patch.

    Punish those who don't patch: shut down the device or add legal issues.

    Require manufacturers to provide support. A simple way would be to require that a failing company, as part of the bankruptcy, either make arrangements to patch things or open source the code.

    Also people need to realize that not everything needs to be on the net. I have electronic locks but they are local control only and that is not likely to change. I need to unlock the door when I am in front of it not from remote locations. My lighting control likewise sits behind a firewall so as not to be hacked. It works great when I am home.

    We need people to realize that while "being on the net" may have its benefits, there are risks as well.
