A couple of weeks ago, one of the largest measured botnet attacks hit OVH, a web host. The attack was likely targeting one of OVH’s clients but at one point it was measured as delivering over 1 terabit per second.
At that scale we’re really running out of relatable comparisons. It’s equivalent to serving 400 thousand full-HD video streams at once. That’s the best I can do. If you aren’t metric yet, that’s something like thirty football pitches or a hundred and twenty gills. Maybe a league and some cubits? An unimaginable bandwidth to most people.
Adapted by Oli from original art by Tom-b CC BY-SA 3.0 or GFDL, via Wikimedia Commons
This traffic wasn’t coming from traditional sources like zombied Windows machines or hacked corporate servers; it came from cheap security cameras that people had stuck to their houses and given internet access, and which had promptly been hacked. Why? The software inside these things is junk.
And this sort of vector is increasingly common. Most households’ “white goods” appliances are available in some form of connected “Internet of things” version these days. Not to mention TVs, DVRs, baby monitors. We’re shunting millions of these things online every year without any sort of plan for what to do with them when they’re all infected.
Though there are multiple layers of critical failure here —cheap manufacturers abandoning products, ISPs that ignore bad traffic, and targets who don’t report every attack back to every ISP— even if consumers wanted to monitor these devices, it’s still too bloody hard for a technically adept person to monitor what’s happening on their own network, using consumer hardware.
There are plenty of commentators saying “we need to rethink IoT security” —and we do— but the simple fact is we’ve been so focussed on making home networking “simple” (everything, everywhere, all the time) that things got out of control. We need to rethink basic network security, we need mechanisms for monitoring our own networks built into consumer router software and, most importantly, we need to stop giving things full access by default.
Once that mechanism is in place, we can deny network access until we’ve centrally cleared a device based on what it is, and give it sensible access levels:
- A guest’s smartphone might only warrant Internet access, not local network access.
- A smart fridge only needs access to the manufacturer’s and shops’ APIs, not the local network.
- A TV only needs access to EPG APIs and streaming services (and inbound access from network devices).
- Your child’s computer could have filtered Internet access and not even that after 8pm.
- A security camera only needs signed access to the manufacturer’s domain for updates (or federation).
- Your NAS could host something online but you could limit who connected by network or country, or certificate.
The interface for this could be so simple. Devices could announce intentions to the router: “I’m a fridge and I want to visit this domain”, and the network owner could very quickly verify or tweak those network permissions, the way phone apps prompt you during installation/use. Even complicated scenarios can be handled with simple questions in mere seconds.
Layer on some certification. Samsung have a private key. Their fridge publishes a JSON blob and signs it and sends that to the router. The router can then validate the JSON against that signature, check the certificate is still valid and not revoked, and then just automatically allow that traffic through. Obviously there have to be rules here that don’t let `ALLOW all`-style rules through, with the punishment being the revocation of certificates.
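A sketch of the router-side check described above, added here as an example and not code from the original post. The manifest fields, the vendor-name lookup and the hostname `api.fridge.example` are assumptions; a bare Ed25519 key and a revocation set stand in for a full certificate chain and its validity checks.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest is an assumed shape for the JSON blob a device sends the router.
type Manifest struct {
	Device string   `json:"device"`
	Allow  []string `json:"allow"` // exact hostnames the device wants to reach
}

// Router maps a vendor name to its public key and tracks revoked vendors.
type Router struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Admit checks revocation, then the signature over the raw bytes, then each rule.
func (r Router) Admit(vendor string, blob, sig []byte) ([]string, error) {
	pub, ok := r.Keys[vendor]
	if !ok || r.Revoked[vendor] {
		return nil, errors.New("unknown or revoked vendor key")
	}
	if !ed25519.Verify(pub, blob, sig) {
		return nil, errors.New("signature does not match manifest")
	}
	var m Manifest
	if err := json.Unmarshal(blob, &m); err != nil {
		return nil, err
	}
	for _, h := range m.Allow { // reject wildcards, CIDR ranges, ports, bare words
		if strings.ContainsAny(h, "*/: ") || !strings.Contains(strings.Trim(h, "."), ".") {
			return nil, fmt.Errorf("rule %q is too broad", h)
		}
	}
	return m.Allow, nil
}

func main() {
	// Constructed sample: a vendor key derived from a fixed seed, and one manifest.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	r := Router{Keys: map[string]ed25519.PublicKey{"samsung": priv.Public().(ed25519.PublicKey)}}
	blob := []byte(`{"device":"fridge","allow":["api.fridge.example"]}`)
	fmt.Println(r.Admit("samsung", blob, ed25519.Sign(priv, blob)))
}
```

The signature is verified over the exact bytes received before any JSON parsing, so a correctly signed manifest can still be refused on policy grounds, which is the case the `ALLOW all` rule is there to catch.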
Building this isn’t hard. Give me a modest 4-figure budget and a few weeks and even I could have a demo system up. What’s hard is doing it on a CPU from the 90s and 16MB of RAM, convincing ISPs this is important, convincing consumers that being bugged about connecting devices [and paying for that privilege] is better. They’re not hard problems, they’re insurmountable.
And while that’s the standard, and unless something completely catastrophic happens, that’s not going to change. Given we’re putting more and more medical devices online (seemingly with the same approach to security as IP cameras), we are going to see people die as a result of this.
Save some time and effort and just shut it down now, guys, the Internet is dead.
Just while you’re here, lazyweb, do any of you know of a powerful-but-low-energy ARM/MIPS board that supports a VDSL2 modem and wifi (or multiple mpci) with 10GbE, for £200-300? Writing this has me genuinely interested in building my own router again.