Clouds are tricky things. It’s hard to tell where the foundations of a cloud reside. You could point at the physical infrastructure. Some of the best side-channel attacks target hardware. There is the operating system that runs everything. And there is the middleware, billing, hypervisors, drivers and web front ends. The potential attack surface of a cloud service provider (CSP) or consumption market platform is gigantic.
The internet of things is even worse.
In part I of this series, I wrote about how a “cloud” project I worked on a few years ago went sideways. Of course, CSPs build their platforms on a master plan. Like a planned community, it is architected down to the minutest detail, and a phased rollout of services are thought out and integrated with their identity management suites. They protect the management plane through layers of proxied services, and deploy open source or open security architecture security technologies.
Unfortunately, IoT devices have none of this. Of course, since the clouds they are connected to are consumption-based they meet some of the basic requirements. But protecting the management plane is impossible because it exists on the same network that people are passing their data through.
Simply put, there is no separation of the data and management planes. Which is a problem.
That’s because cameras, home routers, wireless access points, DVRs and a myriad of locks, thermostats and lighting mechanisms are all accessible through the same connection you browse YouTube through. I call that “building in the trailer park.”
I understand that there is a need for inexpensive automation and services at home. Just like some people need inexpensive housing with convenient access to the city, with the ability to move the building if necessary.
There is nothing necessarily wrong with that. The problem is that tornadoes seem to be especially adept at finding trailer parks.
I’m writing the last of this blog as we prepare for a tropical storm to hit the South Coast. There are details and preparations and plans that need to be made to defend even a well-made home in a neighborhood of well-made and cared-for properties. Then there is the care and feeding of the occupants that needs to be planned for. The analogy between trying to protect a home network designed around a vulnerable architecture and defending a dwelling that is measured in single and double widths seems appropriate.
Finding an alternative way to mitigate IoT security issues continues to elude most manufacturers. The home firewall market, for example, is its own worst enemy. The code they use is old, unpatched and often contains more holes than the cheese found in Western Europe. There is no concept of separating IoT devices from the computers on the network, for example, which ought to be a fundamental procedure. Modern CSPs separate tenants, and even many functions and applications. But the comingling of the public cloud with the IoT cloud is a huge gamble. When combined, they make up something that has the potential destructive capabilities of a really bad storm cell over the Great Plains.
It is not dividing by zero as much as it is multiplying by zero.
The looming tornado threat found its first form with the Mirai botnet. Mirai is a collection of “hacked” home routers, DVRs, IP-based CCTV cameras and many other small devices that run operating systems that share a lot of fallibilities. Hackers are able to remotely load them with tools that enable them to hack other similar devices. Because these tools have unrepairable vulnerabilities built into them, even if a user reboots a device to clear it, it will likely be reinfected very quickly.
This network of infected devices can then be used to attack webservers, load balancers, DNS servers and all the other parts of the internet people tend to take for granted because they are “just supposed to work.” Like a tornado, these network storms have managed to take down large portions of the internet over the past year. Verisign, an owner of many of the top-level DNS servers, noted that its largest attack was clocked at 680 gigabits per second.
That is nearly the entire bandwidth of long-haul connections for the West Coast.
Preventing this would only require a handful of manufacturers to decide to emphasize defense rather than participating in the race-to-the-bottom, or the exclusive focus on speed and cost. If the public understood that their home routers can be used by criminals to snoop in on them, jump into their unprotected child monitors and grab at bank account information they leave in text files on their computers, IoT manufacturers would be forced to clean up their business.
Did you know that the internet has a weather report?
The internet can experience floods, tornados and even scorching droughts. Each of these can affect adjacent areas. Drought, for example can be caused by gigantic firewalls and government limitations placed on the internet in various regions. As a result, it causes those portions of the internet to become unused or start to die.
Tornados are caused by botnets that can fill areas of the internet that are the equivalent of the American Midwest, like broadband networks. Like the dust bowls of the 1930s, broadband networks discourage the upstream serving of data. Just like over-farming creates infertile land, broadband networks are created merely for consumption and not serving, which means those IoT devices with basic server functionality built in are able to create a problem that can escalate rapidly and without much chance to shut it down.
Perfect storms are rare, resulting from a confluence of the worst possible causes. Tying a home to a cement pad, for example, helps it survive severe weather. Likewise, networks need to be built on a secure foundation. Of course, that means a little more will need to be paid for those devices, and more planning for security will need to take place if a person, for example, plans to automate their home or provide services for their family. In addition to building on a secure foundation, such things as practice, training, drilling and standard operating procedure testing are the only things that can truly prevent a disaster from happening, but that may be a generation away from possible. To start, however, IoT device manufacturers need to commit to better security so that the internet weather can be predictable and sunny, with blue skies every single day.
This was originally posted in Tech Target's IoT Agenda