We’ve allowed just about anyone to ship new attack vectors (a.k.a. “IoT devices”) with zero responsibility for making them secure.
Last Friday’s daylong cascade of cyber attacks highlighted an issue that until now has largely been a discussion point on security-specific blogs and forums: The internet, and thus much of our modern way of life, is in a precarious state.
DDoS attacks are one of the oldest tricks in the cyberattack book. Coerce a bunch of unsuspecting machines into sending gobs of data at a target and bam!, the target is down. Defenses have gotten better, and there are plenty of services that can deflect run-of-the-mill attacks. But the bad guys aren’t content with sticking to run of the mill.
Security guru Bruce Schneier warned last month that bad actors are probing some of the fundamental layers of internet technology for vulnerabilities and testing for defence capacities. And security expert Brian Krebs, who reports on vulnerabilities, bad actors, and fishy “security” services, experienced one of the largest DDoS attacks seen to date.
That attack may have been the result of hundreds of gigabytes of data per second being lobbed at his site not by hacked computers, but by “Internet of Things” devices — a botnet living in our shiny new gadgets — things like IP cameras and digital video recorders (DVRs). And it appears that we saw this again yesterday with the attack on Dyn’s DNS service, disrupting popular consumer sites and services like Twitter, Spotify, Sony’s Playstation Network and EA, along with many others.
When the personal automobile hit the roads, it was a free-for-all. If you could buy a car, you could drive said car. There were no rules governing safety or emissions. It took decades before the National Traffic and Motor Vehicle Safety Act was passed, and the National Highway Traffic Safety Administration was created to ensure that vehicles sold were held to safety standards and that manufacturers were liable in the event of malfunctioning features. Once on our shared roads, cars are recalled for defects and if they fail inspection or smog tests, they’re taken off the road. Why aren’t we advocating the same level of oversight for our shared internet?
We do not have decades to wait for the government to create and enforce security standards for connected devices. The internet powers global commerce, communication and innovation. It is critically important to the stability of financial markets and overall economy. Yet we’re squeamish about enforcing standards that could mitigate some of its increasingly debilitating threats. As a result, we’ve allowed just about anyone to ship new attack vectors (aka “IoT devices”) with zero responsibility for making them secure. It’s bad enough that these devices put the owner’s data and privacy at risk, but we’ve just shown that they can also impact our broader shared internet infrastructure.
Good security practices take time, money and expertise (all of which are in short supply) to apply and maintain. Short of us spinning into an altruistic utopia, that willingness will be born out of assigned responsibility — and monetary penalties.
Device manufacturers should be held accountable for their devices’ behaviors out in the wild. Without clear accountability, we’re going to continue shipping easy-to-use, yet wildly vulnerable devices. Examples of manufacturer requirements should include:
- An end to common default passwords. It’s more work, but every device should start with a different administrative password and require it be set to an even more secure one when first used in the wild. It sounds obvious, but today you can control a huge number of home devices via a simple search for “default password.”
- Impactful alerts for vulnerabilities. These devices will certainly use software that has vulnerabilities, but how does a consumer know these problems are found? Anyone out there constantly hitting refresh on the manufacturer’s device support page to find out? I didn’t think so. Manufacturers must be responsible for getting alerts to their buyers similarly to how car makers handle priority vehicle safety recalls. And if the warnings are not heeded within a set amount of time, the device should be disabled.
- Self-patching software. Even the lowest-cost camera, Wi-Fi access point or DVR must ship with self-patching software. We can’t have vulnerability-laden devices all over the place just waiting for the bad guys to take them over. And it’s not the owners’ faults — the patching experience for these devices is often miserable, assuming that you even knew it was needed. It’s time to require that these devices meet a minimum standard around simple and automatic patching.
- Information sharing. It’s both good and bad news that so many internet-connected devices have so much software in common. It’s bad in that a zero-day exploit can instantly put myriad devices at risk. It’s good in that we can more proactively monitor and protect them using common processes and coordinated patches. Device manufacturers should be required to share findings regarding vulnerabilities and attacks with their peers. Done properly, it can help other manufacturers protect their products and give the cybersecurity industry a head start in preventing any resulting attacks.
Once upon a time, the prevailing idea was that stringent standards and regulation would stifle the promise of the internet. But as attacks like the ones against Dyn’s DNS service are illustrating, the promise of the internet might very well depend on them.
Steve Herrod is a managing director at General Catalyst, investing in infrastructure- and developer-centric companies. Prior to joining the firm, Herrod was CTO and SVP of R&D at VMware, where he played an integral role in growing the engineering team to more than 3,000 people. Reach him @herrod.