The all enveloping genre that is known already as the Internet of Things is fast becoming labelled as being the fastest threats to emerge on our communal radar. Presenting a disorganised chaos of hard to own and manage assets delivering potentially the biggest and most arduous to secure threat fabrics ever seen in information technology.
Come with me on a trip as we turn the hands of time back to 1934 and to visualise a classification system still in use today, based on decisions made over eighty years ago when technology and communications were in their infancy. Lets explore why to not do something in the near future will destroy the promise of IoT before it has a chance to get started.
Attacks such as those seen on OVH, Brian Krebbs and now DynDns are the very start, without standardisation, without collaboration and concerted effort we may be judged in years to come as squandering opportunities to deliver flexible safe computing for the next generation.
In the 1920s and 1930s communications firms, telegraph companies and emerging radio broadcasters globally were all finding their communal feet. Existing legislation on commerce dating back to the late 1880s in the form of the ICC (The Interstate Commerce Commission) was originally conceived to manage and to counsel and prevent the ambitions of companies across America seeking to monopolise the pace of railtrack and to provide regulations on their running and operation.
The ICC by the 1930s did not scale to take into account the technological revolution that even in its embryonic state showed the promise of making the world smaller overnight. The Post Office with its Telegraph Rights, the ICC, and the Federal Radio Commission all wrapped up and became one with what would be known as the FCC. So in 1934 The Federal Communications Commission was born. North America all of a sudden had an all encompassing standards body, which would blaze a trail for countries all over the world to emulate.
If you turn over any piece of computer equipment in the US and for export (so globally) you will see an FCC rating, the FCC even today being the standards body responsible for standards implementation within its public safety and enforcement role, eighty two years after it’s inception.
Since then we’ve seen other standards bodies, CE - from the European Commission signifying their “New Approach” methodology for device manufacture and testing, UL - Underwriters Laboratories, the EMC standards for electromagnetic devices or EN standards around electrical manufacture and quality assurance. Other countries such as Australia and Canada have other systems too. However, the FCC has stood the test of time for everything from radio broadcast and spectrum management, emergence of telecommunications standards. However when it comes to the Internet of Things it’s legs fall off.
The majority of devices today, that make up the provisioned devices that are thought of as making up the predominance of the IoT global estate are often cheaply manufactured. They're mass produced dime a dozen fast to market appliances. Many mimicking products that are more expensive and playing catchup with cloned or copied devices. Many use commodity small footprint OS that may once have found their basis in Linux and Open Source communities but have been sufficiently bastardised and forked into an unsupportable image to satisfy the commodity hardware or storage footprint allowed for device operation.
Many of these devices are not connected to always on networks and have no methodology to autoupdate (where the supplier provides that functional capability). Many ship with default passwords that users then fail to change. Many that are connected to IPv4 networks have never had updates or the updates don’t address the serious underlying security weaknesses and the versions of SSH or promiscuous daemons or services running on them. These core issues as we have seen over the last month first with the attack on the Akamai hosted site where Brian Krebbs was taken offline, then round two hitting OVH, Freenode and others and then last Friday where DynDNS was all but taken offline in the latest iteration of this now almost predictable rush to launch DDoS, then creating a huge internet real estate impact.
And nowhere is there an applicable standards body or international body that polices devices prior to shipping or at the point of manufacture to ensure device hardening. Failure to prove off security concepts and issues with the developer / manufacturer are ever present. If this was concerning the manufacure of vehicle airbags or making a childseat the issue would be entirely addressed.
What we have are companies rushing to get devices to market for consumer consumption, be that Google with their acquired Nest and Home products, Amazon with Echo are all probably at the higher end of the marketplace appreciating their users are often not that conversant with securing anything they buy. Certainly devices from manufacters such as Eurotech, Evrythng and others embrace the use of PKI and TLS and have got the authentication right at point of design and provision. We aren’t addressing those but the plethora of companies from China to Malaysia, from Hungary to Thailand which are shipping devices with dated aged insecure OS platforms. These are almost always given less thought than the packaging that they ship in or the plastics used in manufacture. Aged versions of Busybox, twelve year old SSH vulnerabilities and services turned on that should never be listening.
The IPSO Alliance, The Industrial Internet Consortium, FiWare, Open Daylight IoDM, Hypercat, The All Seen Alliance, I could go on but I won’t, the list of “standards bodies” and consortia grows almost by the month. The one thing that is for sure is that they have one thing in common, none of them are relevant and making any impact on the root problem.
For this to be impacting it has to be done at the import/export level and we have to have government and industry backed assistance to make it happen. Turning the clock back to 1934 and working with the relevant governments and agencies will be the only way of enforcing change on commodity hardware vendors who are about the units shipped not the units hacked.