The Internet of Things crashed into the old Internet on Oct 21st, and it wasn’t pretty. A specialized but fairly simple bit of malware known as Mirai was used to cause huge numbers of simple Internet-connected devices (cameras, home routers, baby monitors, etc.) to flood the infrastructure of a service provider called Dyn. This caused widespread collateral damage across the traditional world of social media and entertainment websites.
To get a sense for the nature of the attack, take a moment to imagine the chaos if someone were to call in an order to every pizza shop within a 25-mile radius, giving your address. All the pizza shops would be doing what they normally do, but the simultaneous activity would not just overwhelm your front door, it would snarl up streets for miles around. This is a fair analogy for the kind of DDoS attack in use here. The attack used simple devices, instructed to do simple things, but because there are so many of them, the combined effect caused havoc.
These attacks are not all that easy to defend against. It’s a kind of arms race – if you can handle a total load of X before your website cries “Uncle,” your attackers will scale up and find enough devices to send you twice X, or a hundred times X, or whatever it takes. A victim cannot scale up their capacity as fast as the attacker can find more endpoints. That’s the thing about the Internet of Things: there are an awful, awful lot of “things” out there, and people are connecting them with abandon. There are cloud services that offer something called “burst capacity” to help if you’re getting inundated, but several recent attacks have been able to overwhelm even these defensive offerings. The attackers simply infect more devices and generate more load. (Send more pizzas!)
So can we expect manufacturers of IoT devices to be responsible or held liable? Unfortunately, I predict only some weak progress there. When we talk about the Internet of Things, the term “things” implies vast numbers of mass-produced objects. Manufacturers at that scale face intense pressure to optimize costs – even saving one penny over a million devices adds up to a significant amount of money. As a result, makers use the simplest, easiest techniques they can, and we get low prices for smart devices. But for security, this is really bad news. The simplest, easiest approach is generally highly insecure – smart, adaptable defenses cost money.
We can hope for better as manufacturers face embarrassment and bad press, but this too is a meagre hope. Their customers are usually not the direct victims of the attacks, and those consumers generally prefer cheaper products over those with some abstract, hard-to-understand security benefit aimed at someone else. Could liability lawsuits work? Probably not, because the Internet is global, and product liability law is not. A manufacturer isn’t going to enjoy being sued in one or two countries, but it’s not going to cause them to take back all the product they have sold Internet-wide.
So manufacturers of IoT devices aren’t set up to make highly secure devices. But even if they were, we can see from the last decade or so of security research that even cleverly built devices will eventually have flaws discovered and exploited. So, the next challenge happens when a company ships a million (or a billion) of their things out into the Internet of Things, and later, someone uncovers a security flaw. How is the maker supposed to repair them? It’s infeasible to issue a recall, or ship them all back. (Look at how hard it is to replace a faulty cell phone! Now do that for a device that isn’t supposed to be mobile, like, say, an in-ceiling video camera or light fixture.)
We can imagine the manufacturer issuing a software update, but the devices will need to update themselves without human help. This gets us right back to the DDoS problem we started with – how does the manufacturer handle a million devices all asking for the new code at once? We know this can be solved – companies like Apple and Google do this routinely. But we also know it’s expensive and very difficult to make seamless. Only big, wealthy companies do it successfully. So can we really expect endpoint makers to operate at that level? Even if we thought this was the way forward, it assumes the manufacturer sticks around to maintain the software for the lifetime of the device. Unfortunately, we know this is not likely either.
Even worse, if all our smart devices are built to expect remote software upgrades, what stops the attackers moving on to this software update mechanism as their preferred attack surface? If you can find a weakness in that “security” mechanism, you can upload arbitrary software patches and take over the Internet of Things in a few quick steps – talk about hanging a “kick me” sign on the back of the Internet!
Add it all up, and we face a worrisome future of weak IoT devices. The makers are strongly motivated to keep the devices cheap, but flaws that cannot be fixed at scale are inevitable. The result is a network full of devices that can and will be abused.