Thanks, IoT vendors: your slack attitude will get regulators moving

Last Friday's Mirai botnet attack against Dyn must force everybody's hands – vendors, regulators, and Internet infrastructure operators.

It's going to be a while before research gets as far as attribution to an attacker, but in the meantime, there's plenty of culpability to go around.

Two things are clear, however: the freewheeling idiots of the Internet of Things business need the fear of regulation put into them – and so do network owners and operators.

Vendors

We don't just mean the specific vendor, XiongMai, named by Flashpoint as making the cameras exploited by Mirai. Buggy cameras and DVRs, to pick out just one product segment, are all over the place.

Since the White House asked Mudge to create a “Cyber UL” last year, the industry got busy with a flurry of activity designed, we suspect, to prove it could handle things without Washington getting involved.

Within a month, the industry formed a committee, in the Online Trust Alliance.

Then it formed another, the IoT Security Foundation.

Then another, the Open Connectivity Foundation.

The Industrial Internet Consortium, late to the party, recently came up with its own guidelines.

What are the outputs from all of these talking-shops? Nowhere near enough.

The Online Trust Alliance needed 15 month to finally come up with a vision for IoT security.

The IoT Security Foundation promises best practice guidelines by the end of this year.

The Open Connectivity Foundation has gone further, opening certification labs this month to let its members certify products (including one at Underwriters Laboratory in the US), and has published an open source software framework.

It's just as well for the various vendor love-ins that Mirai happened after last week's conference with the National Telecommunications and Information Administration, or vendors might have genuinely been hauled over the coals.

Why are there so many mostly slow-moving IoT security gatherings?

Partly it's because nobody wants to standardise their interfaces or APIs when Google (try Threading or Weaving your way to a thorough understanding of where Brillo fits, and why Nest doesn't like any of them), Apple (HomeKit), Samsung (SmartThings), LG (SmartThinQ), or Amazon still all reckon they can corner the market.

And as we said, partly it's probably to prove to the Feds that regulation isn't needed.

Too late, everybody: Mirai proves you're not going to march in step without a whip at your back. The world knows your products can at least pass a standard, basic security test suite, and will get recalled if they can't.

And while things move slowly in Washington, we're heartened that Mudge's efforts have given rise to research to try and quantify security risks, here.

Internet infrastructure companies

From the edge to the core, Internet minnows and whales knew that DNS can be blasted by a botnet, because it's happened before – when DNS-changer-infected PCs attacking the system were quarantined in a then-unprecedented cooperation between Internet companies and the FBI.

Paul Vixie was at the heart of that response, and is so disheartened by things that in March of this year, he suggested governments get involved, by way of penalties for network operators that don't block attack traffic.

The Internet Society (ISOC) warned last year that the Internet is in danger from the IoT, and while it's put forward routing security proposals, the MANRS initiative needs a lot more members before it could prevent something like the Dyn outage.

ISOC warned in 2014 that network owners' failure to implement the BCP 38 anti-spoofing standard (authored in 2000) puts the internet at risk.

It's no surprise, though: another key measure to secure the DNS, DNSSec, was first written in 1997 and after nearly 20 years has gone nearly nowhere.

DNS Changer proved that network operators can put responses in place: that Dyn succumbed to the Mirai botnet is because they choose not to.

The Internet is too embedded in nearly every business operation for repeats of the Dyn attack.

Operators who have known how to fix the DNS, and IoT vendors who don't care about security, are both inviting the heavy hand of regulation. ®