Pisspoor IoT security means it'd be really easy to bump off pensioners
Oi, digi-utopians. Start putting your house in order, says CW event speaker
Two things are fixed on everyone's minds when it comes to the Internet of Things: security and law. How does industry overcome the threats posed by these two hurdles?
Speaking at yesterday's Cambridge Wireless IoT event in London, Max Heinemeyer from Darktrace was all in favour of automating away the security problems.
He advocated letting machine learning take the strain of countering IoT malware – precursors to the gigantic botnet that floored infosec journalist Brian Krebs' website earlier this week – and the emerging threat of hijacks and botnets.
“When I think about these new technology solutions,” said Heinemeyer, “I think what can save us from the IoT problem is to let machines do the heavy lifting. If you’ve ever worked in a security operations centre with signature detection systems, it’s not possible to keep them up to date manually.”
I've told you about a problem, now here's the solution
A former member of the Chaos Computer Club hacker collective in Germany, Heinemeyer was – conveniently – able to put forward a machine learning solution made by his employers which just so happens to be a solution to the IoT security problem. He emphasised how, once installed, it learns how the client’s network operates over a period of two to three weeks and then acts on unusual activity from there.
“Earlier we heard of the DDoS attack against Brian Krebs with an IoT network. I jumped onto a client’s network and it took me three minutes to find an IoT device trying to attack Krebs,” said Heinemeyer, who identified the culprit device as a CCTV camera.
Infamous “security tools” outfit Hacking Team was infiltrated by an IoT device modified to exploit a zero-day vulnerability, continued Heinemeyer, who gave a similar example of how one of Darktrace’s customers was attacked: “It wasn’t an attacker from the internet. Someone used shodan.io to find a fingerprint scanner. What he did then was guess the default admin password – which was [username] admin, [password] admin – got access to the administration toolkit, then used this to pivot into the main network.”
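As an added illustration of the learn-then-flag approach Heinemeyer describes above (a baseline of normal per-device behaviour built over a learning window, then alerts on departures from it), here is a small detector run over constructed daily flow summaries. This is not Darktrace's code, and the device names, destinations and byte counts are made up for the example.

```python
from collections import defaultdict

# Constructed daily flow summaries: (day, device, destination, bytes_out).
# Days 0-13 form the learning window; day 14 is traffic seen afterwards.
FLOWS = [
    *[(d, "cctv-cam-01", "cloud.vendor.example", 2_000_000) for d in range(14)],
    *[(d, "cctv-cam-01", "ntp.example", 1_000) for d in range(14)],
    *[(d, "printer-02", "update.printer.example", 500_000) for d in range(14)],
    (14, "cctv-cam-01", "cloud.vendor.example", 2_100_000),
    (14, "printer-02", "update.printer.example", 480_000),
    # The camera suddenly pushes a huge volume to a host it has never spoken to,
    # the pattern of a device conscripted into a DDoS botnet.
    (14, "cctv-cam-01", "203.0.113.10", 900_000_000),
]

LEARN_DAYS = 14  # stands in for the two-to-three-week learning period


def build_baseline(flows, learn_days=LEARN_DAYS):
    """Per device: destinations seen and the largest daily byte total
    observed during the learning window."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, dev, dst, nbytes in flows:
        if day < learn_days:
            dests[dev].add(dst)
            daily[dev][day] += nbytes
    return {dev: {"dests": dests[dev], "max_daily": max(daily[dev].values())}
            for dev in dests}


def find_anomalies(flows, baseline, learn_days=LEARN_DAYS, factor=10):
    """Flag post-learning flows that go to a destination the device never
    used and carry more than `factor` times its busiest baseline day."""
    hits = []
    for day, dev, dst, nbytes in flows:
        if day < learn_days:
            continue
        base = baseline.get(dev)
        if base is None:
            hits.append((dev, dst, "device not seen during learning window"))
        elif dst not in base["dests"] and nbytes > factor * base["max_daily"]:
            hits.append((dev, dst, f"{nbytes} bytes to new destination"))
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(FLOWS, build_baseline(FLOWS)):
        print("ALERT", hit)
```

Real deployments would baseline many more features (ports, protocols, timing) and tune the threshold per device class; the two-signal rule here is enough to show why the camera, and not the printer, is the one that gets flagged.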
Regular Reg readers will recall how former Autonomy exec Mike Lynch is backing Darktrace. HP bought Autonomy for $11bn in 2011 and later had to write down its value by $8.8bn, allegedly as a result of accounting malpractice overseen by Lynch. Lynch denies the claim and is defending an ongoing lawsuit brought by HP last year.
Killing pensioners, two keyboard taps at a time
Where do government and regulation fit in with the IoT, then? The 50-strong audience heard from Derek McAuley of the University of Nottingham, who left your correspondent with a vague sense of unease about the whole shebang.
“We already live in a world where there’s a massive amount of regulation,” said McAuley. He – quite correctly – characterised a whole raft of companies from Facebook to Amazon to local cab firms as not technology companies per se, but rather companies that happen to use technology – an important difference.
“There will be regulation on IoT in certain spaces,” he said. “We actually have to look at the individual sectors and the Things within these sectors and say ‘what regulation applies’?”
Highlighting the US Federal Trade Commission’s webpage on “what to know about webcam hackers” and talking about how the FTC cracked down on firms selling shonky webcams with little or no built-in security features, McAuley said: “The regulation that was applied was nothing to do with technology, it was to do with consumer protection. Sanctions were applied and many of those companies shut down the next day.”
He continued on this theme, highlighting how real-world regulations already apply to the Internet of Things – or rather, can be made to apply to it – and warned that the biggest challenge may not be impending regulation or security challenges alone, but also user confidence.
“Year on year, trust in companies’ use of our data is declining. Every time there’s another crappy IoT device out there, this will only encourage this reduction in trust. We need a radical plan of action here and it’s not just the IoT world. As far as consumers are concerned, ‘Someone's doing shit with my data that I don’t like.’ We only need some more Daily Mail incidents to cause real trouble,” he declared, to general nods of agreement.
FUD? Not so much – hyperbole masks a real problem here
Showing the audience a schematic of someone’s connected house “pulled randomly from the internet,” complete with automatic garage doors, self-ordering fridge, the whole works, McAuley said: “What could go wrong with that?” The next slide was a news story titled “Automatic garage door openers: hazards for children,” and went on to explain a nasty incident where junior had got hold of a remote control and squashed himself in the garage door.
“Unlike privacy,” he said, “you’re not going to be able to get fuzzy at the edges here. There’s one thing that’s common across the whole world: if you kill children with your technology, people are going to get angry and they’re going to come after you.”
If you really take it to extremes, McAuley pointed out, you could even leverage the IoT as a real-world attack vector.
“What we’re getting with the IoT is actuation in the real world. If I take a bunch of thermostats offline for 24 hours in the UK in winter, I’ll probably kill a bunch of pensioners. There’s your cyber terrorism attack.”
Was all this a cynical doom-and-gloom look at the Internet of Things and its future? No, but these are the things that need to be taken into account now. It's all very well building smart kettles and self-ordering fridges and all that sort of guff, but unless industry bucks its ideas up and starts designing in security from the start, and paying proper attention to privacy – instead of a 60-page EULA no bugger will read before clicking “agree” – things, and Things, will get worse before they get better.
“Will the new era of technology solve all our problems? No, but it helps,” concluded Darktrace's Heinemeyer. ®