From the comments, on cyberattacks

As someone who does software and hardware, I don’t think we are anywhere near the point where a mix of hardware and software in everyday things will give us anything more than sorrow. We are already seeing rather scary things with the Internet of Things: Denial of service attacks larger than anything we’ve ever seen, because networked software is often faulty, and selling it only in hardware means vulnerabilities stay forever. It’s not just that someone can take over your CCTV camera, or the system controlling your lightbulbs, but that their computing power can be used to attack any business or individual at any time.

We have seen attacks this week that were large enough to shut down any online payment processor. For instance, imagine that the set of people with the resources for launching those attacks wanted to stop Hillary from taking online donations for as long as possible: I’d not bet against them being able to do that for a couple of weeks at the least, and that’s today. Every day more devices with weak security and no updates are sold. We see records of attack strength beaten every month: Akamai has trouble handling them today. The more devices we sell, the bigger the weapon we are handing out, and we are lacking any mechanisms to increase security because incentives are all wrong.

That is from Bob.

Comments

Well, Bob isn't up on the latest. IoT companies are just beginning to take advantage of new services available from the telecoms at pretty cheap rates. Basically, you can now buy a cell modem that connects you to AT&T or Verizon's cell towers, but then connects to a private VPN on the back end. This VPN terminates at your datacenter, wherever that is. This means that a company's IoT devices no longer need to communicate over the public internet at all. This makes them orders of magnitude harder to hack and useless for DDOS attacks and the like. Since all traffic from those devices comes through the network of the company that owns them first, the company can just not route the traffic to the internet, stopping all sorts of potential compromise, including DDOS. The rates on data, especially for IoT things that don't use a lot of bandwidth, have come down drastically to as low as a couple bucks per month for very low bandwidth devices.

The telecoms already have a million or more of these deployed, but they expect, within a couple years, that a million PER MONTH will roll out to IoT-related companies. The company I work for already has a few of these in test and they are living up to their advertising so far...
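The "don't route it to the internet" control described above, written out as an added example (not code from this thread or from any carrier product): an egress policy for a fleet that lands on a private APN/VPN, plus a simple check that flags devices whose traffic starts heading off the allow-list, which is what a device recruited into a DDoS would look like. The subnet, the datacenter service addresses and the flow records are all constructed for illustration.

```python
"""Egress policy for IoT devices behind a private cellular VPN (constructed example)."""
import ipaddress
from collections import Counter

# Hypothetical address plan: devices land in this range after the carrier VPN terminates.
IOT_SUBNET = ipaddress.ip_network("10.200.0.0/16")

# Hypothetical datacenter services the devices are allowed to reach (address -> ports).
ALLOWED_DESTS = {
    ipaddress.ip_address("10.10.1.5"): {443},   # telemetry collector
    ipaddress.ip_address("10.10.1.6"): {123},   # NTP
}


def egress_decision(src, dst, dport):
    """Return 'allow' only for device -> datacenter flows; everything else is dropped,
    so a compromised device has no path to an arbitrary internet target."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in IOT_SUBNET:
        return "drop"  # policy applies to fleet devices only; nothing else enters here
    return "allow" if dport in ALLOWED_DESTS.get(dst_ip, set()) else "drop"


def flag_suspect_devices(flows, threshold=3):
    """Devices with more than `threshold` dropped flows are worth pulling for inspection:
    a healthy device never talks to anything outside the allow-list."""
    dropped = Counter()
    for src, dst, dport in flows:
        if egress_decision(src, dst, dport) == "drop":
            dropped[src] += 1
    return sorted(dev for dev, n in dropped.items() if n > threshold)


# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.200.4.17", "10.10.1.5", 443),      # normal telemetry upload
    ("10.200.4.17", "10.10.1.6", 123),      # normal time sync
    ("10.200.9.2", "10.10.1.5", 443),       # normal telemetry upload
    ("10.200.9.2", "203.0.113.10", 80),     # TEST-NET-3 address standing in for a flood target
    ("10.200.9.2", "203.0.113.10", 80),
    ("10.200.9.2", "203.0.113.10", 80),
    ("10.200.9.2", "203.0.113.10", 80),
    ("192.0.2.9", "10.10.1.5", 443),        # not a fleet address; dropped once
]

if __name__ == "__main__":
    print(flag_suspect_devices(SAMPLE_FLOWS))  # ['10.200.9.2']
```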

That's great, but I don't see it putting a stop to wifi-based devices. You really think this approach is not just going to be important, or dominant, but take near total control of the market?

I don't know, even if you take out all of the lightbulbs, refrigerators and cars there are still a ton of devices people will want connected via TCP/IP. The biggest DDoS attack will always just be occurring as long as the number of devices is at an all time high. The last one was with CCTV as Bob mentioned (http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/).

Two things:
1. Check out CyberGreen (https://www.cybergreen.net/) who are doing great things about measuring the potential risk your network poses to others. Smart, hard working people with a good perspective on the collective action problem.

2. Things will only get worse as long as there is demand for attacks and it is cheaper to build insecure software. Cisco, for example, has a full web server in their routers. That is a lot of unnecessary attack surface that can be used for exploit or malice.

Sure are a lot of Roberts in this thread.

If IoT companies cared enough about security to jump through hoops like cellular-based hardwired VPNs, IoT security wouldn't be a huge problem in the first place as they would already be avoiding writing their stuff in C, having universal default passwords, building in backdoors for their convenience, etc. Those methods will never be as cheap or easy as the status quo of using the user's Wifi.

A VPN will not stop DoS attacks, it's just another loop or layer for traffic to go through. It helps with anonymity, nothing more.

According to his theory, it means that the DDOS traffic has to go through the vendor network, who will quickly have incentive to shut it down.

I guess I don't see the point. If some Anonymous hackers want to take down a VPN server (which are well known, and governments like China try to block them all the time) they can do so, and all IoT traffic through said server would be affected. But, if Anonymous wants to take down "IBM corporation" then I guess a VPN server is useful, assuming Anonymous does not know what VPN server IBM is using.

If it's a private VPN it's not really IoT. There are still many true IoT devices that will pose a security risk, even if the VPN model is popular, and that's the point of the article.

See: today's Bloom County

The momentum for home IoT seems much as Bob says. Rob might be right that commercial systems are improving .. but we just had that hacked Tesla (admit I only glanced at that story).

Companies have been dealing with this kind of attack for more than a decade. Sure, IoT increases volume but the threat is basically the same. There is no doubt in my mind that the risk is much, much smaller than the benefit provided. Trying to say otherwise is like saying that "fake" calls (prank calls, telemarketing, etc.) are enough reason for society not using the telephone...

While I have not yet stopped using the telephone, I have stopped answering unidentified callers. I can easily imagine a post-anonymity future of the Internet where unsigned traffic is relegated to a seedy basement of here there be dragons.

Sure, I have no doubt that anonymous traffic will be more and more controlled as time goes by, along with other tech that makes identity harder to hack (i.e., IPV6). I mean, let's not forget that currently the biggest threat to companies (and government) is weak passwords and social engineering...

This is how people will learn to treat Infosec the same as personal hygiene.

However, the fact that millennials are not comfortable with the terminal will probably bring much more horror than the IoT plague.

Too late now...

People may instead treat personal hygiene the same as they treat infosec

We've been through far worse and so far everything is fine. Obviously transitioning from a stultifying laziness into a productive life won't be easy. But again, when you dig into the history of western civilization (the only one I know) you see that people are very surprising creatures.

When I listen to Beethoven or Bach, I am always, consistently surprised that it was written such a long time ago.

More recently I'd say that Antonio and Tarkovsky proved that we're still living, breathing human beings. At the end, we have achieved and survived so much. Why should we necessarily die now? Especially now, when life is so easy.

A good explanation of IoT DDOS attacks and the cost of defending them is provided in this article:

https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

The blogger's site was recently taken down by a DDoS attack that was directing 620 Gb/s of queries to the site. He estimates that this could be generated using thousands of unprotected IoT devices, and that there are already tens of millions of such devices available to be exploited in that fashion.

As someone who also does "software and hardware" (whatever that means) I would point back to the Challenger shuttle disaster. A statistical analysis of the fault tolerance of each component by each engineer, and Richard Feynman (the theoretical physicist in charge of the Rogers Commission report), showed a 1 in 100 chance of failure, while every bureaucrat and manager insisted it was 1 in 10,000.

High level languages resting on layers of abstraction, software resting on layers of package dependencies, bloat, constantly affected by firmware and package updates, pushed to market with rapid agile techniques. We should be happy enough it all works. The truth is we don't have secure systems because the market doesn't want them badly enough. Designing a truly secure system is not worth the opportunity cost; the development time, the features, the convenience. Clinton had our government's most secure systems at her disposal, she chose to use a server in her basement.

> their computing power can be used to attack any business or individual at any time.

This is a load of FUD. Black hats are subject to the laws of economics just as anyone else, and in that sense hacking is a lot like pickpocketing or assassination. It's a target of opportunity crime. Those who are hit by pickpockets are generally the ones stupid enough to walk around with their wallet hanging out their back pocket. To pick the pocket of a specific person on a specific date at a specific place is extremely difficult, just as hacking them would be.

Guccifer had to read a lot of material on Sydney Blumenthal and Hillary Clinton to guess their passwords, and I doubt they were using particularly strong ones.

> Clinton had our government's most secure systems at her disposal, she chose to use a server in her basement.

.... in violation of every law imaginable, and with predictable results.

Of course, she did not care one lick about safeguarding national secrets; she just wanted to wipe the server when she was done with it.

In violation of every law imaginable.

Fortunately, violating imaginary laws only causes imaginary convictions.

So, if you rotate an imaginary conviction 90 degrees to the right, you get a real one, right?

DDoS attacks don't need someone to specifically target a moment of your weakness. They just flood you with packets from all over.

No but they aren't hacking either. They are the digital equivalent of a mob going into the street and blocking traffic. In the real world we simply don't call that an "attack", even if they are driving the speed limit or parking their cars on the road and leaving them there, or leaving junk in the street, we call it civil disobedience or a protest. Now that sort of thing is distasteful, and I would advocate arresting people blocking the roads like that, it still isn't an "attack!".

Likewise a DDOS probably should be punished by law, but conflating it with hacking using a shrill term like "cyber attack" plays on people's ignorance.

From the original quote:
> imagine that the set of people with the resources for launching those attacks wanted to stop Hillary from taking online donations for as long as possible

Imagine a set of people standing outside an arena preventing Trump supporters from attending a rally, oh right that happened. Same damn thing, different medium.

If I can do something online that shuts down your servers, puts you out of business, prevents your product from functioning correctly, etc., then it's an attack. Perhaps not an attack you want to consider (because it's hard to block without re-engineering a bunch of internet protocols), but it's still an attack--just as real as one where the attacker compromises your server and sabotages it in some way that shuts you down for a week.

Bob is guilty of a cloud-centric view of the IoT and until we un-bias ourselves from the cloud, security will remain problematic for the IoT. For example: there's no inherent reason that your Nest thermostat needs to be controlled via the cloud - if Google wanted to let you, it could allow direct P2P access to it via WiFi direct on your phone. But it doesn't because a) the cloud is someone's idea of how to monetize hardware innovations like a smart thermostat, and b) because cloud software is so much easier and cost effective to write and maintain than, say, a local area solution. So while hardware development costs are dropping and the cloud is making it so, so easy for non-hardware people to write "software" for embedded hardware devices like a fitness wearable, the tradeoffs in security and performance continue to multiply as cloud databases expand.

A related issue is the age of some of the wireless technologies being relentlessly promoted for the IoT (WiFi and Bluetooth for starters) which were never intended for the IoT (they are for streaming large files like audio or video) and come replete with security and performance issues. Another commenter waxed on about how the cellular carriers are coming to our rescue, foisting yet another cloud-based paradigm on us that is also designed to help silicon vendors squeeze every last bit of revenue out of product lines that shouldn't even be used for IoT.

In spite of all of this, we are in the top of the 1st inning in the IoT and the opportunities to rationalize entire industries are stunning. And more disruptive than the industrial revolution.

I keep thinking the real innovation behind IoT is the idea that people will stop buying lightbulbs (or whatever) in a one-time purchase, and instead will have a continuing business interaction with the company that provided them. It's nicer to collect subscription fees (or demand some money to upgrade to the next version of the software) than to make one-time sales. I haven't quite figured out what customers get from it, though.

I think the commodities-as-a-subscription is sort of the 1.0 version of consumer IoT, particularly what we see from Amazon. But really this is less an IoT innovation than just another tentacle of Amazon's first rate supply chain capabilities where we can say "Alexa, order me more paper towels" and it shows up at your doorstep tomorrow. Or today. This is handy, for sure, but I don't think this even begins to show what the IoT will do for us.

The biggest stakeholders in the subscription IoT business are the cellular carriers, who are currently working overtime to figure this out. So far, their best efforts have been battery-unfriendly and costly devices with .. a subscription! Billions of new IoT "subscribers". But to your point about what customers get from it: not much. When there are non-subscription products that do the same thing as the carrier's service, but at a present value that is almost always a fraction of what the carrier is extracting, it's hard to see how the carriers win unless they find regulators who can chase the players operating in unlicensed spectrum out of the business. I expect them to try. And fail.

Hello everyone! I was a bit in Tyrone mode in my post.

There are uses of the IoT that are relatively safe, security-wise. Instead of being sold to consumers, they are for internal company use, and are treated just like servers: They are built for one company, upgraded by security teams and all that. However, that's not the biggest area of growth that will change the way we live. It will help run factories, warehouses and farms a bit better. That said, everything is hackable to an actor that is tenacious enough. I've been part of cleaning up a data breach coming from China to a company everyone here would recognize, which focused on taking trade secrets. Anyone that goes that deep could easily take control of the IoT devices that company uses and do whatever they want to them.

However, that's not where IoT makes a difference: That's on consumer devices, and in those, the incentives I described apply: They are never patched, they are connected to the internet, and the manufacturers have few incentives to fix that. I described a real situation from the other day: An attack made by commandeering 145k hacked CCTV cameras. Every year we'll have more internet connected devices that are not updated because incentives don't align. It's not important to the manufacturer because they just sell the devices to consumers. Consumers won't sue them, because having your device participate in an attack will not deteriorate its utility in any way: A DDoS that plans to be successful won't use much bandwidth on each device anyway, to make it harder to defend from. The only loser is the company that suffers the DDoS, and they will have trouble using legal avenues to get compensation. Therefore, this seems like a problem that is better solved through regulation, but good luck with that.

As for Professor Cowen's question, the answer is that in computer security, a lot of the thinking happens behind closed doors. You'll find individual articles here and there from people working in security companies, and talks in places like DefCon, but it's a world that has trouble coming to grips with the interactions they need with legislators. There's also the issue of not wanting to paint a target on yourself: As earlier commenters mentioned above, a great way to get DDoSed is to say valuable things about computer security. Even raising concerns about this might get someone using attacks as a form to extract money from companies going after you: They probably don't have quite the 1Tb firepower that we saw in the OVH, but they will soon. Successful startups that you have covered in this blog before have such attacks marked as a major technical risk in their reports to investors, right next to the risk of a major data breach.

If you really want more details, I'd talk to those CEOs and the venture capitalists that fund them. I know a few that visit DC semi-regularly to talk with regulators and government officials and read you religiously.

On the one hand, everyone (especially the experts) seems very concerned about cyber attacks; on the other hand, everyone can't wait for autonomous cars to take them to where they hope (the emphasis on hope) to go. People will believe anything, "safe" autonomous cars whizzing around the streets at 60-70 mph being the most ridiculous of the things people will believe.
