Monday, November 16, 2015

Security of the Internet of Things (Part III)

As we said in Part I, "While the conversion of 'things' to malicious purposes makes for dramatic Hollywood scenarios, most devices will not be vulnerable to either takeover or malicious use, much less both. However, all those that are vulnerable to takeover can be exploited for their computer function or capacity. This function and capacity can be compromised and turned against the host network for a variety of attacks ranging from simple spoofing through denial of service to brute attacks against passwords and cryptographic keys. Moreover, the sheer number of things will dwarf the number of general-purpose computers. It is this that we will argue is the most serious risk."

This risk results in part from the generality and flexibility of the "chips" used to implement the "things," the appliances.  Much of the design and implementation of the appliance will involve stripping away and hiding this gratuitous capability.

It will result in part from the method chosen for installation, setup, initialization, and administration, or for dealing with implementation-induced flaws or vulnerabilities. We have already seen a number of cases where the appliance itself, e.g., a medication dispenser, worked as intended but the administration capability, e.g., dosage setting, was vulnerable to takeover. The appliance function was purpose-built, but the administration was done via capabilities, e.g., Telnet and FTP, optionally included in the underlying operating system. This kind of gratuitous functionality, often included without proper consideration of its security or of its impact on the security of its environment, the Internet, will dramatically weaken the Internet.
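One way to check an appliance image for this kind of gratuitous capability is to compare its network-reachable listening sockets against the ports its purpose actually requires. The following is an added example, not code from the original post; the `ss -tlnH` sample is constructed, and the single intended port (8443) is an assumption about a hypothetical appliance.

```python
# Added example: flag listening services beyond the appliance's intended function.

# Constructed sample of `ss -tlnH` output from a hypothetical appliance.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
"""

# Assumption: the appliance's only intended network service is its API on 8443.
INTENDED_PORTS = {8443}
# Cleartext administration services named in the text above.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet"}


def split_addr(local):
    """Split 'host:port' (including '[::]:port' and '*:port') into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port


def is_loopback(host):
    """True for addresses that are not reachable from the network."""
    return host == "::1" or host.startswith("127.")


def audit_listeners(ss_output, intended=INTENDED_PORTS):
    """Return (host, port, service) for each network-reachable listener
    that is not part of the appliance's intended function."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blank lines, and non-listening states
        host, port = split_addr(fields[3])
        if not port.isdigit() or is_loopback(host):
            continue
        if int(port) in intended:
            continue
        findings.append((host, int(port), CLEARTEXT_ADMIN.get(int(port), "unknown")))
    return findings


if __name__ == "__main__":
    for host, port, service in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"gratuitous listener: {host}:{port} ({service})")
```

Run against a real image, the function takes the output of `ss -tlnH` in place of the constructed sample; an empty result means every network-reachable listener is one the appliance's function requires.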

This functionality will be used to mount denial of service attacks, spam, and brute force attacks against passwords and cryptographic keys. This is not speculation on my part; this vulnerability has been demonstrated and the attacks reported. This functionality will be included, in part, because developers and vendors are reluctant to give up control, because they realize that problems will arise in the future and that consumers may look to them for remedies, and because it is cheap to do. If the problem is in the software, we may simply fix the software, just as we have been doing in information technology for two generations.

This is very different from the way that we have dealt with problems in traditional purpose-built, hardware-only appliances. By default we have dealt with safety flaws in traditional appliances and other products with product "recalls," sometimes by repair but even more often by replacement. Often we have done this even where computer chips have been used. We have simply replaced the chip. We have not attempted to patch the software, either locally or remotely. However, as "chips" have become cheaper and more powerful, we have succumbed to the temptation to treat them like personal computers.

One must act locally but should think globally.  If one wishes to use the Internet, one should do so responsibly.  That includes not attaching weak, vulnerable, or even gratuitous capability to the Internet.  Problems will arise and we must deal with them but we should do so in the most conservative possible manner.  Consider the following strategies for fixing problems:

• Replace hardware and software.
• Replace all software and data (like iOS apps) from a secure server, recognized (VPN, public key) by the device.
• Replace software only, retain data.
• Patch software using a secure server.
• Patch using remote control of function on the device.
• Make patch available to owner to apply at his discretion.

These are equal in terms of their ability to fix the problem. They vary in their economics, and they vary considerably in their security. Even if the problem is limited to the software, in a world of cheap chips, replacing both hardware and software as a package may be the most efficient way to repair it. Moreover, as a strategy it can reduce the attack surface of the device to the minimum.

