Yesterday saw a major distributed denial-of-service (DDoS) attack against the DNS infrastructure that crippled the internet for much of the east coast. This attack disabled internet access for much of the Northeastern US, as well as other areas. These sorts of attacks are nothing new; in fact, this attack came on the anniversary of a similar attack fourteen years ago. Yesterday’s attack is nonetheless significant, both in its scope and also in the role of the growing internet of things (IoT) in the attack.
The attack was facilitated by the Mirai malware suite, which specifically targets insecure IoT devices, applying a brute-force password attack to gain access to the machines and deploy its malware. Such an attack would almost certainly fail if directed against machines with appropriate security measures in place and on which passwords had been correctly set. IoT devices, however, often lack such protections, are often left with their default login credentials, and often go unpatched (afterall, who among even the most eager adopters of IoT can say that they routinely log in to every lightbulb in their house to change the passwords and download patches). Yesterday, we saw the negative consequences of the proliferation of these kinds of devices
Public Health and Pollution Analogies
Industry regulation- whether self-imposed or imposed by the state -is an widely-accepted practice among modern societies. The case for this practice lies in the reality that some actions are not limited in their effect to oneself and one’s customers, but rather that they have a tangible effect on the entire world. Bad practices in these areas leads to systemic risks that threaten even those who have nothing to do with the underlying culprits. In such a situation, industry faces a choice of two options, one of which will eventually come to pass: self-regulate, or have regulations imposed from without.
Two classic examples of such a situation come in the form of public health concerns and environmental pollution. Both of these have direct analogs to the situation we now face with insecure IoT devices and software (in)security in the broader context.
IoT and Pollution
After the third attack yesterday, I posted a series of remarks on Twitter that gave rise to this article, beginning with “IoT is the carbon emissions of infosec. Today’s incident is the climate change analog. It won’t be the last”. I went on to criticize the current trend of gratuitously deploying huge numbers of “smart” devices without concern for the information security implications.
The ultimate point I sought to advance is that releasing huge numbers of insecure, connected devices into the world is effectively a form of pollution, and it has serious negative impacts on information security for the entire internet. We saw one such result yesterday in the form of one of the largest DDoS attacks and the loss of internet usability for significant portions of the US. As serious as this attack was, however, it could be far worse. Such a botnet could easily be used in far more serious attacks, possibly to the point of causing real damage. And of course, we’ve already seen cases of “smart” device equipped with cameras being used to surreptitiously capture videos of unsuspecting people which are then used for blackmail purposes.
These negative effects, like pollution, affect the world as a whole, not just the subset of those who decide they need smart lightbulbs and smart brooms. They create a swarm of devices ripe for the plucking for malware, which in turn compromises basic infrastructure and harms everyone. It is not hard to see the analogies between this and a dirty coal-burning furnace contaminating the air, leading to maladies like acid rain and brown-lung.
Platforms, Methodologies, and Public Health
Of course, few consumers really care what sort of language or development methodology is used, so long as they get their product, or at least the current conventional wisdom goes. When we consider the widespread information security implications, however, the picture begins to look altogether different. Put another way, Zuckerburg’s addage “move fast and break things” becomes irresponsible and unacceptable when the potential exists to break the entire internet.
Since the early 1900’s, the US has had laws governing healthcare-related products as well as food, drugs and others. The reasons for this are twofold: first, to protect consumers who lack insight into the manufacturing process, and second, to protect the public from health crises such as epidemics that arise from contaminated products. In the case of the Pure Food and Drug act, the call for this regulation was driven in a large part by the extremely poor quality standards of large-scale industrial food processing as documented in Upton Sinclair’s work The Jungle.
The root cause of the conditions that led to the regulation of food industries and the conditions that have led to the popularization of insecure platforms and unsound development methodologies is, I believe, the same. The cause is the competition-induced drive to lower costs and production times combined with a pathological lack of accountability for the quality of products and the negative effects of quality defects. When combined, these factors consistently lead nowhere good.
Better Development Practices and Sustainability
These trends are simply not sustainable. They serve to exacerbate an already severe information security crisis and on a long enough timeline, they stand to cause significant economic damage as a result of attacks like yesterdays, if not more severe attacks that pose a real material risk.
I do not believe government-imposed regulations are a solution to this problem. In fact, in the current political climate, I suspect such a regulatory effort would end up imposing regulations such as back-doors and other measures that would do more damage to the state of information security that they would help.
The answer, I believe, must come from industry itself and must be led by infosec professionals. The key is realizing that as is the case with sustainable manufacturing, better development practices are actually more viable and lead to lower eventual costs. Sloppy practices and bad platforms may cut costs and development times in the now, but in the long run they end up costing much more. This sort of paradigm shift is neither implausible nor unprecedented. Driving it is a matter of educating industrial colleagues about these issues and the benefits of more sound platforms and development processes.
Yesterday’s attack brought the potential for the proliferation of insecure devices and software to have a profound negative effect on the entire world to the forefront. A key root cause of this is an outdated paradigm in software development that ignores these factors in favor of the short-term view. It falls to the infosec community to bring about the necessary change toward a more accurate view and more sound and sustainable practices.