Oli Warner

When did we stop caring about basic network security? We need to act before it’s too late.

Tuesday, 4 October 2016. Tags: ddos, security

Another day, another crippling botnet attack from yet another army of conscripted IoT devices.

As we continue to shovel piles of crappy abandoned devices onto our networks, why aren’t we monitoring and curtailing what these devices do on our networks? Why don’t we care any more? Have we given up on network security?

A couple of weeks ago, one of the largest measured botnet attacks hit OVH, a web host. The attack was likely targeting one of OVH’s clients but at one point it was measured as delivering over 1 terabit per second.

At that scale we’re really running out of relatable comparisons. It’s equivalent to serving 400 thousand full-HD video streams at once. That’s the best I can do. If you aren’t metric yet, that’s something like thirty football pitches or a hundred and twenty gills. Maybe a league and some cubits? An unimaginable bandwidth to most people.

[Image: adapted by Oli from original art by Tom-b, CC BY-SA 3.0 or GFDL, via Wikimedia Commons]

This traffic wasn’t coming from traditional sources like zombied Windows machines or hacked corporate servers. It came from cheap security cameras that people had stuck to their houses and given internet access, and which had promptly been hacked. Why? The software inside these things is junk.

And this sort of vector is increasingly common. Most household “white goods” appliances are available in some form of connected “Internet of things” version these days. Not to mention TVs, DVRs, baby monitors. We’re shunting millions of these things online every year without any sort of plan for what to do with them when they’re all infected.

Though there are multiple layers of critical failure here —cheap manufacturers abandoning products, ISPs that ignore bad traffic, and targets who don’t report every attack back to every ISP— even if consumers wanted to monitor these devices, it’s still too bloody hard for a technically adept person to monitor what’s happening on their own network, using consumer hardware.

There are plenty of commentators saying “we need to rethink IoT security” —and we do— but the simple fact is we’ve been so focussed on making home networking “simple” (everything, everywhere, all the time) things got out of control. We need to rethink basic network security, we need mechanisms for monitoring our own networks built into consumer router software and most importantly, we need to stop giving things full access by default.

Once that mechanism is in place, we can deny network access until we’ve centrally cleared a device based on what it is, and give it sensible access levels:

The interface for this could be so simple. Devices could announce intentions to the router (“I’m a fridge and I want to visit this domain”) and the network owner could very quickly verify or tweak those network permissions, much like phone apps prompt you during installation/use. Even complicated scenarios can be handled with simple questions in mere seconds.

Layer on some certification. Samsung have a private key. Their fridge publishes a JSON blob and signs it and sends that to the router. The router can then validate the JSON against that signature, check the certificate is still valid and not revoked, and then just automatically allow that traffic through. Obviously there have to be rules here that don’t let ALLOW all-style rules through, with the punishment being the revocation of certificates.
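A sketch of the router-side check described above, as an added example that is not from the original post. The vendor key is a toy unpadded textbook-RSA key standing in for a real signature scheme, and the manifest fields, certificate IDs and revocation list are all assumptions.

```python
import hashlib, json, time

# Toy RSA key built from two Mersenne primes: demonstration only (assumption).
# A real router would use a vetted library and scheme (e.g. Ed25519 or RSA-PSS).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor's private exponent (constructed)

def digest(blob):
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def vendor_sign(manifest):
    """Vendor side: canonical JSON blob plus its signature."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return blob, pow(digest(blob), D, N)

# Hypothetical router state: known vendor certificates and a revocation list.
CERTS = {
    "vendor-cert-01": {"n": N, "e": E, "not_after": 4102444800},  # 2100-01-01
    "vendor-cert-02": {"n": N, "e": E, "not_after": 4102444800},
}
REVOKED = {"vendor-cert-02"}

def router_decide(blob, sig, cert_id, now=None):
    """Return (allowed_rules, reason); nothing passes unless every check does."""
    now = time.time() if now is None else now
    cert = CERTS.get(cert_id)
    if cert is None or cert_id in REVOKED:
        return [], "certificate unknown or revoked"
    if now > cert["not_after"]:
        return [], "certificate expired"
    if pow(sig, cert["e"], cert["n"]) != digest(blob):
        return [], "bad signature"
    rules = json.loads(blob).get("allow", [])
    for r in rules:
        host = r.get("host") if isinstance(r, dict) else None
        port = r.get("port") if isinstance(r, dict) else None
        # Refuse ALLOW-all style rules even when correctly signed:
        # wildcard or empty hosts, and missing or out-of-range ports.
        if not isinstance(host, str) or not host or "*" in host \
                or not isinstance(port, int) or not 0 < port < 65536:
            return [], "over-broad rule rejected"
    return rules, "ok"
```

The default is deny: an empty rule list comes back for every failure, so the router only ever opens the specific host and port pairs a valid, narrowly scoped manifest names.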

Building this isn’t hard. Give me a modest 4-figure budget and a few weeks and even I could have a demo system up. What’s hard is doing it on a CPU from the 90s and 16MB of RAM, convincing ISPs this is important, convincing consumers that being bugged about connecting devices [and paying for that privilege] is better. They’re not hard problems, they’re insurmountable.

And while that’s the standard, and unless something completely catastrophic happens, that’s not going to change. Given we’re putting more and more medical devices online (seemingly with the same approach to security as IP cameras), we are going to see people die as a result of this.

Save some time and effort and just shut it down now, guys, the Internet is dead.

Just while you’re here, lazyweb, do any of you know of a powerful-but-low-energy ARM/MIPS board that supports a VDSL2 modem and wifi (or multiple mpci) with 10GbE, for £200-300? Writing this has me genuinely interested in building my own router again.