The Internet of Threats revisited
Everyone is talking about the Internet of Things. Connecting household applications (yes, applications, appliances is so 1990s) to a network hasn’t been more fun than now. Also measuring things is great. Today most sensors are deployed to generate endless streams of data because we can, not because there is a need for it. And I haven’t even talked about the information security aspect yet. Let’s take a step back into 1995/1996. Those were the days of the first browser wars. Jamie Zawinski has a quote of the Law of Software Envelopment on his web site.
Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.
The proof of concept was undertaken by creating the Netscape Mail and News client. Processing email once was an art only done by specialised software (also known as email clients). Despite its age email is still a major way of communicating. It’s less instant, but who likes to attend messenger apps that constantly ring? Exactly. To rephrase the law or phrase a corollary, the Internet of Things might produce something like this.
Every device attempts to expand until it can send data to the Internet. Those devices which cannot so expand are replaced by ones which can.
Let’s do a test. Count the sensors of the devices right near you. Multiply this number by the number of devices connected to a network. Multiply by two if one of these networks is connected to the Internet. There you go, we now have a metric. The higher the number, the more modern your environment is. Probably. Now let’s take a step back. Information security experts keenly wait for the Internet of Things to be deployed. Ubiquitous networked devices with code running on them and interfaces are the epitome of exposure. You probably now the term exposure from incidents like the Three Mile Island partial meltdown, Fukushima Daiichi nuclear disaster, or the Goiânia accident. The remark is not meant to bash new technologies. It’s just a reminder that the security people (regardless if nuclear, biological, military, or information/data is involved) always think about exposure and the resulting attack surface. Once you connect a device to a network, it is exposed. You suddenly have to deal with data driven attacks that play by the rules, at least superficially, or crazy code that floods your system with random data. Since few code has security on the top 3 design features, things will happen eventually. In addition a lot of networked computing is based on little black boxes we don’t know much about. We have gotten used to not knowing what a particular chip set actually does. Past DeepSec conferences have featured presentations about malicious hypervisors in hardware.The Internet of Things features a lot more little black boxes along with broken protocols, bad security design, and lots of exposure. Before you start ranting about the current state of affairs, there will be no fix. Devices with network capabilities will be shipped, deployed, connected, attacked, and exploited. This is the cycle of life. Why should the IoT take a shortcut? Everything that will happen to your networked refrigerator has already happened to web servers, databases, VoIP systems, telephones, office software, and printers. Information security is not about what happens if; it’s about what to do when it already happened.
If you know some brave IoT designers, users, or vendors, please tell them to drop by at the next DeepSec conference. We should talk. Unfortunately they don’t answer our emails, so please spread the word.