Security Economics of the Internet of Things

Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.

In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other Internet-connected systems to crash by overloading them with traffic. The "distributed" part means that other insecure computers on the Internet -- sometimes in the millions -- are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire.

Basically, it's a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender's capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win.

What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.

Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

Our computers and smartphones are as secure as they are because there are teams of security engineers working on the problem. Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered. Those companies can support such teams because those companies make a huge amount of money, either directly or indirectly, from their software -- and, in part, compete on its security. This isn't true of embedded systems like digital video recorders or home routers. Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don't have the expertise to make them secure.

Even worse, most of these devices don't have any way to be patched. Even though the source code to the botnet that attacked Krebs has been made public, we can't update the affected devices. Microsoft delivers security patches to your computer once a month. Apple does it just as regularly, but not on a fixed schedule. But the only way for you to update the firmware in your home router is to throw it away and buy a new one.

The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never. Already the banking industry is dealing with the security problems of Windows 95 embedded in ATMs. This same problem is going to occur all over the Internet of Things.

The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

Of course, this would only be a domestic solution to an international problem. The Internet is global, and attackers can just as easily build a botnet out of IoT devices from Asia as from the United States. Long term, we need to build an Internet that is resilient against attacks like this. But that's a long time coming. In the meantime, you can expect more attacks that leverage insecure IoT devices.

This essay previously appeared on Vice Motherboard.

Slashdot thread.

Here are some of the things that are vulnerable.

EDITED TO ADD (10/17): DARPA is looking for IoT-security ideas from the private sector.

Posted on October 10, 2016 at 10:26 AM • 69 Comments

Comments

Vek • October 10, 2016 10:48 AM

> Of course, this would only be a domestic solution to an international problem. The Internet is global, and attackers can just as easily build a botnet out of IoT devices from Asia as from the United States. Long term, we need to build an Internet that is resilient against attacks like this. But that's a long time coming. In the meantime, you can expect more attacks that leverage insecure IoT devices.

That of course begs the question: How do you actually build an Internet that is resilient against such attacks? What protocol changes could we make to accomplish this, without causing an explosion of state? I'd love to see an essay on that :)

Ted • October 10, 2016 11:08 AM

There is an interesting eBook available in NATO’s Cyber Defence library that discusses the international aspects of establishing cyber norms.

‘International Cyber Norms: Legal, Policy & Industry Perspectives’
Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016
https://ccdcoe.org/multimedia/international-cyber-norms-legal-policy-industry-perspectives.html

Some of the chapters include:
2: The Nature of International Law Cyber Norms
5: Beyond ‘Quasi-Norms’: The Challenges and Potential of Engaging with Norms in Cyberspace
7: Confidence-Building Measures in Cyberspace: Current Debates and Trends
10: Technological Integrity and the Role of Industry in Emerging Cyber Norms
11: Key Concepts in Cyber Security: Towards a Common Policy and Technology Context for Cyber Security Norms
APPENDIX 1: Cyber Security Norms Proposed by Microsoft

Nick Johnson • October 10, 2016 11:10 AM

There's a third option: ISPs can start disconnecting customers with insecure devices until they fix or remove them. ISPs _do_ care, because it's their bandwidth being consumed.

Eric • October 10, 2016 11:13 AM

Unless ISPs start cutting off customers with hacked IOT devices, I see nothing changing.

On the other hand I would note that some of the techniques that they use for amplification are a result of DNS supporting lookups over UDP as well as TCP. It may well be that some ISPs might simply stop routing UDP DNS requests out onto the open internet. Or perhaps upstream DNS servers might stop listening to the DNS UDP port. I guess I would see such steps as yet another band-aid (much like how open SMTP relays are no longer used). And while it might be somewhat effective in reducing the problem that the bad guys are currently using, it won't stop them from trying to find another one, and it obviously doesn't help to solve the more general problem of IOT devices with security problems.

Raph • October 10, 2016 11:26 AM

> The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work

Device owners don't care at all that nefarious strangers can access and possibly modify the operation of devices that may provide further access to sensitive data?

The DDoSers may not have caused any problems for the device owners this time. But if those hackers could gain access, so could others with different intentions.

Ed Bear • October 10, 2016 11:33 AM

I own a couple of IoT devices which came to me via a Kickstarter project I backed. They're still sitting in their boxes because I have no way to vet these potential Bot Hosts. Is there any software available that would let me bring them up and vet their security?

Spellucci • October 10, 2016 11:56 AM

I agree with @Nick Johnson. Standards bodies, instead of individual governments, could govern this kind of device behavior. If a standards body adopted a standard wherein devices must be certified to be able to operate on a network, routers everywhere, including at ISPs, could conceivably block uncertified traffic.

Craig Heath • October 10, 2016 12:13 PM

"the only way for you to update the firmware in your home router is to throw it away and buy a new one."

That's not even mostly true; all the routers I've ever had in my home have supported installation of new firmware. The more valid point is that the vast majority of home users will (quite reasonably) never bother finding out how to log in to the admin console of their routers to update the firmware. The router I currently have, I'm pretty sure, does have firmware updates pushed to it without my input, but that however is a double-edged sword.

Incidentally there's a good article on MalwareTech, "Mapping Mirai: A Botnet Case Study" which shows the majority of the affected devices are a particular type of CCTV camera - do we know for definite whether they have a firmware update facility or not?

bcs • October 10, 2016 12:34 PM

> "The IoT is insecure so we need more government regulation."

Really? How does that follow?

> "When we have market failures, government is the only solution."

Dead. Flat. Wrong.

In fact there is a formal name for that: https://en.wikipedia.org/wiki/False_dilemma

And another thing, any solution to an internet problem that depends on governments will fail, because only some of them will get it right; the rest will either do nothing, get it wrong, or do something worse than nothing like use the situation as a weapon.

> "Long term, we need to build an Internet that is resilient against attacks like this."

Ok, that's more realistic, but why not make that the near term solution as well?

There is little chance any government is going to deploy a working solution to this in any short amount of time, and no chance that very many will. And as is pointed out, it's going to be 10-30 years before we manage to flush out all of the millions of insecure devices already out there. Even if shipping insecure devices is a death sentence for the company that did it, you will still have it happen from time to time, so there will always be a non-trivial number of insecure devices that the system will need to be secure in the face of.

rookie • October 10, 2016 1:05 PM

Phones are also insecure, many are sold and soon forgotten by their manufacturers leaving users with a device full of _known_ security holes.

This can only be solved with laws requiring manufacturers to support the devices they sell for a minimum amount of time, I'd say a minimum of three years after the last device is sold.

Maybe then things would improve and at the same time reduce the churn of new models for the sake of releasing new models, which would be good for the environment.

Ross Snider • October 10, 2016 1:08 PM

Not sure that "government" is the solution, as is suggested in this post.

"Government" is something we need to keep out of embedded devices: the cameras and microphones and biological devices that we will be introducing, en masse, into our homes.

Acknowledged that there is a market failure. But we need to keep away from "we must do something; this is something; let's do it" logic that will give state police and intelligence authority over the stewardship of the mass of incoming personal devices.

Kyle Rose • October 10, 2016 1:56 PM

In the same post, Bruce manages to assert that government is the only solution to this problem, and that the problem can't be solved by government because it crosses international borders, including borders into places that won't ever implement any serious disincentives to bad engineering and lack of support. Huh?

The problem here has two main elements:

  1. There will always be insecure devices.
  2. Those insecure devices are on the same network as high-value assets.

We can't do anything about the former: there will always be garbage. The question is whether we can do something about the latter, in a way that does not give additional tools to repressive regimes (not just China and North Korea, but also England and France) for global content filtering.

Getting government involved will inevitably lead away from a free and open internet to compulsory connection licenses required for access. As a result, we can't pursue standardization of any solutions that impose path-level restrictions on packet transit, such as requiring per-packet signatures that can be verified by devices along the path between endpoints.

The biggest bang-for-the-buck here is going to be in developing protocols that do what users need and that have least-privilege permissions by-default. That may include the development of a policy framework that allows home/office routers to pull permissions/firewall rules from manufacturers in an automated fashion, with local overrides where the network administrator sees fit. The key is that the default configuration---in which the user buys the router, installs it in his or her home without even looking at the docs, and puts a bunch of IoT devices on the local network---be to put those rules in place without any intervention by the end user. If upstream rules are no longer available from the authoritative source, the IoT device is quarantined and effectively dead to the world.

Combined with manufacturer liability for device malfunction and/or negligence, this should be a good bit of incentive to get things right in functioning markets and tort jurisdictions, which hopefully means it'll just percolate everywhere else by virtue of being the path of least resistance.
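The "router pulls the device's permissions from the manufacturer, default-deny, quarantine when the source goes away" framework described in the comment above can be sketched in a few dozen lines. What follows is an added example, not code from the post or from any commenter, and not an implementation of any real product (the same idea was later standardized as Manufacturer Usage Description, RFC 8520). The vendor names, the `.invalid` hostnames and the manifest table are constructed placeholders; the "fetch" is a dictionary lookup standing in for a network call.

```python
# Added example, not code from the post or from any commenter: a toy model of
# the policy framework Kyle Rose describes, in which a home router fetches a
# device's required network permissions from its manufacturer and quarantines
# the device when no authoritative rules are available. All vendors, hosts
# and manifests below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination name, or "any"
    port: Optional[int]   # None matches every port


@dataclass(frozen=True)
class Device:
    mac: str
    vendor: str
    model: str


# Constructed stand-in for the manufacturer's authoritative policy server,
# keyed by (vendor, model). The ".invalid" names are reserved placeholders.
MANUFACTURER_MANIFESTS = {
    ("ExampleCam", "C100"): (
        Rule("allow", "tcp", "update.examplecam.invalid", 443),
        Rule("allow", "udp", "ntp.examplecam.invalid", 123),
    ),
}

DEFAULT_DENY = Rule("deny", "any", "any", None)


def fetch_manifest(device):
    """Look up the upstream rules; None models 'no authoritative source'."""
    return MANUFACTURER_MANIFESTS.get((device.vendor, device.model))


def build_policy(device, local_overrides=()):
    """Compose the per-device policy the router enforces.

    Local overrides come first so the administrator can loosen or tighten
    what the manufacturer asked for; then the manifest; then deny-all.
    With no manifest the device is quarantined: a single deny-all rule,
    dead to the world.
    """
    manifest = fetch_manifest(device)
    if manifest is None:
        return {"status": "quarantined", "rules": (DEFAULT_DENY,)}
    rules = tuple(local_overrides) + tuple(manifest) + (DEFAULT_DENY,)
    return {"status": "active", "rules": rules}


def is_allowed(policy, proto, dst, port):
    """First-match evaluation of one outbound flow against a policy."""
    for r in policy["rules"]:
        if (r.proto in ("any", proto)
                and r.dst in ("any", dst)
                and (r.port is None or r.port == port)):
            return r.action == "allow"
    return False  # not reached while DEFAULT_DENY closes every policy


if __name__ == "__main__":
    cam = Device("00:11:22:33:44:55", "ExampleCam", "C100")
    policy = build_policy(cam)
    print(policy["status"], is_allowed(policy, "tcp", "update.examplecam.invalid", 443))
    print(is_allowed(policy, "tcp", "victim.invalid", 80))  # blocked: not in manifest
```

The design point is the ordering: nothing the user does is required for the device to end up with only its declared flows, and a device whose manufacturer has disappeared (or never published a manifest) does not get the benefit of the doubt.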

steven • October 10, 2016 2:15 PM

Some ISPs may decide that 'unlimited' packages were a bad idea and go back to monthly limits, or billing by usage (which is often true already of mobile connectivity). Then it really becomes the owners' problem to identify, fix, disconnect or power off compromised devices. It's not necessarily fair to them (if the device vendors are actually at fault), but it would at least prevent the issue being ignored indefinitely.

IPv6 (and getting rid of IPv4 NAT) is a wonderful opportunity to help identify the specific devices that are the source of an attack. IPv6 SLAAC addresses even encode the OUI-48 identifier of the manufacturer, which would be very interesting to analyse. ISPs would be in a position to block traffic from malfunctioning devices, rather than entirely disable a customer's connectivity in these situations.

A separate point: if there are only a finite number of vulnerable devices out there, numerous bad guys may be in competition for their resources. These initial large, focused attacks might be impossible after some time, if the devices are already being used by various groups to attack hundreds of other targets. At that point, likely more damage is being done at the sender's side than to the recipients.

(That is, unless the initial attacker can lock the devices down in some way, to retain exclusive use of them. But then at least, if they are caught or otherwise lose access, the devices might be left in a more secure state than they were in beforehand...)
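The comment's observation that SLAAC addresses carry the manufacturer identifier can be checked directly: a modified EUI-64 interface identifier embeds the 48-bit MAC with `ff:fe` stuffed into the middle and the universal/local bit flipped, so the first three octets of the recovered MAC are the OUI. The block below is an added example, not code from the post or any commenter; the address list is constructed, and the two caveats a defender should keep in mind are built in: privacy-extension (RFC 4941) addresses carry no MAC and are counted as unknown, and nothing here protects against a source that forges its address.

```python
# Added example, not from the post or any commenter: recovering the embedded
# MAC address and manufacturer OUI from an IPv6 address whose interface
# identifier was built by SLAAC from the hardware address (modified EUI-64,
# RFC 4291), and tallying a constructed list of attack-source addresses by
# OUI. Addresses without the 0xfffe marker (e.g. RFC 4941 temporary
# addresses) yield no MAC and are counted as "unknown".
import ipaddress
from collections import Counter


def decode_slaac(addr):
    """Return (mac, oui) if addr carries a modified EUI-64 identifier, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]     # low 64 bits
    if iid[3:5] != b"\xff\xfe":                       # EUI-64 stuffing bytes
        return None
    first = iid[0] ^ 0x02                             # undo the u/l bit flip
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    mac = ":".join(f"{b:02x}" for b in mac_bytes)
    return mac, mac[:8]                               # OUI = first three octets


def count_sources_by_oui(addrs):
    """Group a list of source addresses by manufacturer OUI."""
    counts = Counter()
    for a in addrs:
        decoded = decode_slaac(a)
        counts[decoded[1] if decoded else "unknown"] += 1
    return dict(counts)


# Constructed sample: three SLAAC addresses derived from MACs 00:11:22:*
# (same OUI), one from a different OUI, and one temporary address.
SAMPLE_SOURCES = [
    "2001:db8:1::211:22ff:fe33:4455",
    "2001:db8:2::211:22ff:fe33:4456",
    "2001:db8:3::211:22ff:fe99:0001",
    "2001:db8:4::2aa:bbff:fecc:dd01",
    "2001:db8:5::1a2b:3c4d:5e6f:7a8b",
]


if __name__ == "__main__":
    for a in SAMPLE_SOURCES:
        print(a, "->", decode_slaac(a))
    print(count_sources_by_oui(SAMPLE_SOURCES))
```

To map an OUI to a vendor name you would join against the IEEE OUI registry, which is not embedded here.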

Dan H • October 10, 2016 2:28 PM

"Google spend(s) a lot of time testing their code before it's released"

Google's Chrome isn't an IoT device, but it is regularly on the US-CERT list of high vulnerabilities. So I wouldn't say Google is above any other company when it comes to security.

John Wayne's Evil Twin • October 10, 2016 2:41 PM

Suggesting that government can cure this is like suggesting that a combover can cure baldness.

Even if they could pass effective laws, they'd probably have a 20,000-page rider attached that (a) enables even more government spying; (b) helps some corporate cronies to further line their pockets; or (c) designates February 30th as National More Toxic Crap in Pacifiers Day.

And, either way, the lawyers are passing out the party hats.

ISPs? Some. Maybe. Then again, when one of the largest ISPs in the country is now setting their new customers' default wifi AND email passwords as the customer's home phone number, you've gotta figure Larry the Cable Guy is running their itsec.

Alternate Universe • October 10, 2016 3:18 PM

> They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them.

Or how about letting DDoS victims get liability leverage up the stream? Sure, the manufacturers are at the head of the stream, but the product purchaser is next down from there. We don't need to ruin their careers and label them criminals, but how about disconnecting or throttling their internet until they turn the device off. This would obviously encourage the next step, of the product purchaser complaining to the product manufacturer.

That sounds like how capitalism was taught to me in grade school. Between Schneier not entertaining that theory and last night's POTUS debate 2/3... I don't have the highest hopes for the near term policy future on The Cyber.

z • October 10, 2016 3:19 PM

Even if we trusted the government to A.) do the right thing and B.) do it competently--neither of which is a sane assumption--legislation can never keep up with technological progress. The laws they pass today will be obsolete tomorrow, but will still be enforced. How do you even begin to legislate security? It's a complete nightmare.

You could make the company legally responsible for vulnerabilities in their product, but what if the vuln is in a 3rd party library? What if it's in the hardware? What if it's introduced by a government on purpose?

You could make them responsible for damages resulting from the hack of their product, but now you have the same problem above, plus the possibility of misconfiguration by the owner.

You could mandate certain languages (Ada or SPARK for example), protocols, ciphers, etc, but that would stifle progress to a standstill, and would quickly become obsolete. If you had required companies to use TLS 1.0 a few years ago, there's no way the law could move fast enough to allow the use of 1.1, 1.2, etc. It's hopeless and dangerous.

You could ignore all of these problems anyway and just do all of the above, but then we're still no better off because foreign governments just won't do it. And if you think the UN can solve anything like this, then you're about 70 years late to the party.

On top of that, how do you even enforce any of this? Attribution is already damn near impossible, and proving guilt would be even harder. Then you also set up a perfect opening for backdoors and strongarming of private companies by the government, since if the government is given the power to prosecute, it also has the power to coerce. We need less of this, not more.

The only thing that legislation can do is make things worse.

Michael Horowitz • October 10, 2016 3:30 PM

This is a router problem, IoT devices are only the symptom. Even given that an IoT device has an easily compromised web interface and that it has Telnet open with a default password, if the router firewall was blocking it, as it should, this would not be an issue.

Most likely IoT devices are made visible on the Internet by using UPnP to poke a hole in the router firewall. Many routers ship with UPnP enabled by default. This, to me, is the real problem.

As for the claims that router firmware can't be updated, how can Bruce be so wrong? How does no one at Motherboard not catch such an obvious mistake? Geeze. If anything, more and more routers are now able to self-update - they can download and install firmware automatically, much like a Chromebook.

David Leppik • October 10, 2016 4:48 PM

@Vek: The Internet is a network of networks. If each network gateway would cooperate to block DDOS traffic, a DDOS attack would be much harder to pull off.

Before the Internet was commercialized, if any network misbehaved, the rest of the Internet would block it until the administrators cleaned up their act. This would block some legitimate traffic, but newbie administrators learned quickly. The same system killed off open SMTP (email spam forwarding) nodes.

It would be harder to implement today, but it could be done. You'd need a protocol (probably using public keys) for complaining of DDOS attack, so a blog post going viral doesn't trigger an alert. Then you'd need all the networks to enforce the DDOS blocking. Also, you'd somehow have to be able to tell a legitimate traffic spike from a DDOS; the most egregious attacks (e.g. false response headers) would be easier to stop, but it's ultimately an arms race.

The hardest part is getting the big players to agree. Residential ISPs don't want to annoy their customers by blocking traffic, nor do they have any incentive to do any work that they don't have to. And nobody wants to block the big ISPs, thereby blocking their customers.

And it's possible that large authoritarian countries care more about being able to cause a DDOS than about being connected to the Internet.

BJB • October 10, 2016 5:11 PM

"If anything, more and more routers are now able to self-update"

The DSL/router/wifi device I got from CenturyLink is able to download updates.

In the six years I've been using it, how many updates were available?

Zero.

Greg • October 10, 2016 5:20 PM

I fear that your final paragraph contains the only real solution. politicos are not going to get it done.

Jesse Thompson • October 10, 2016 5:38 PM

@Nick Johnson

If ISPs *did* care, then this problem would already be solved. The reason that they don't (care so much that they make solving it bottom-line priority) is that the bandwidth involved never winds up being a problem for anybody on the source end, it's too distributed and too diffuse in that stage of its development. It's only a problem for the target end, and they're the end that can't easily influence it.

On the source end an ISP would have to have some kind of razor to tell which kind of traffic is really Grandma trying to log into her AOL email and Nancy posting selfies to Flopbook and Jacob connecting to his pal Jim's homebrew Minecraft server (because all that traffic has to get through, and ideally with no added latency!) and which kind of traffic is Bob's HP printer sending out carefully crafted attack frames designed to coordinate with billions of similar packets coming from entirely unrelated ISPs but converging upon the same target during the same fraction of a second.

Short of maintaining a signature list of all known variants of attack traffic (itself a bit dated by definition since attackers will use crap white hats don't already know about a good percentage of the time) and adding to the DPI against every egress point (you've no idea how often I get into arguments with specific Net-Neutrality "defenders" who claim that DPI is literally Satan and should never be employed by an ISP under any circumstances! O_O) there's not a solution I've ever been exposed to to even *begin* to tell source DDoS traffic from ham.

And heck, if there were then I'm sure that Email (and forum) Spam filtering would be a solved problem along with it.

@Eric

The reason that DNS primarily uses UDP instead of TCP is performance during arguably the most performance-sensitive steps of network communication. No matter how fat your pipe is (and presuming no packet loss on your line), TCP's handshake mechanism guarantees that every recursive request will have at minimum double the latency that a UDP request would.

So while requiring TCP may improve security, I am certain that requiring certified mail would improve it even farther. Still not going to happen though.

@Raph

> Device owners don't care at all that nefarious strangers can access and possibly modify the operation of devices that may provide further access to sensitive data?

Um.. no. No, they do not. "Device owners" as a broad category absolutely do not care about invisible threats evinced only by experts in fields they do not understand the negative ramifications of which have never happened to anybody that they know.

Here is the razor for whether or not the polity is too satisfied to make significant change: Do they have access to the breads and circuses that they expect? They do? Then they will not expend any effort on significant change. Analysis complete.

@Spellucci

> If a standards body adopted a standard wherein devices must be certified to be able to operate on a network, routers everywhere, including at ISPs, could conceivably block uncertified traffic.

And routers are going to be able to discriminate "certified traffic" from "uncertified traffic" precisely how?

The potential to blacklist devices completely from having internet access also sounds like a ridiculous amount of power to bestow upon any one standards body. Precisely what mechanism of checks and balances would prevent the body from giving in to corruption and extorting vendors just to allow their otherwise perfectly clean products online, or silence competitors or influence political communication in their favor?

@steven

> IPv6 (and getting rid of IPv4 NAT) is a wonderful opportunity to help identify the specific devices that are the source of an attack.

Not to mention that whenever pornographic content flies across the wire or commercial pornographic servers and dating websites get accessed, ISPs can determine whether it's little billy's laptop on the source end and make sure to immediately inform child protective services.

But gee, I sure am glad how it's somehow magically impossible for any infected device to fake or otherwise randomize its source IP or MAC address, or spoof the address of other relatively important devices on the network when initiating attack traffic.

Not to mention how nice it is that zero IPv6 soho routers will offer source-obfuscating NAT given that it's silly to imagine anybody desiring a modicum of privacy in their own home network. xD

@Dan H

> Google's Chrome isn't an IoT device, but it is regularly on the US-CERT list of high vulnerabilities. So I wouldn't say Google is above any other company when it comes to security.

Apple fanboys (and probably marketing, but I can't be arsed to remember) used to try to push this line of thinking as well. "There don't exist any exploits to our software in the wild, therefore it is more secure!" Of course, there do exist exploits today. Does that mean they got less secure?

This is a simple hypothesis to test. Try putting a fully patched up to date copy of MacOS on the unfiltered internet right next to an unpatched, 10 year old copy and see which one gets pwnt first.

Alternately, pen test the pair of guinea pigs.

That's right. The version with more exploits listed while it was in active use is more resistant to attack than the one with fewer or no exploits listed while it was in active use.

Why should this even be surprising? Do you also look at two human beings and decide that the one covered in battle scars must be a wimp while the one with unblemished skin must be the badass?

Lack of exploits, just like lack of battle scars, tells you jack about how secure a system is. The only thing that it tells you about is underexposure.

Google Chrome is the most popular implementation of the most popular networking application in mankind's history. That is a lot of exposure. Thus, exploits are inevitable no matter how well tested the product is before launch.

If you'd like to control for exposure, you'd first need to divide everybody else's exploit count by a factor of how many fewer people use that software and how much less surface area to attack it exposes.

For anything less than a complete OS distribution, that adjustment factor is bound to be pretty large.

@Alternate Universe

> Or how about letting DDoS victims get liability leverage up the stream? Sure, the manufacturers are at the head of the stream, but the product purchaser is next down from there.

While I am not against this line of thinking in spirit, in practice you would be asking DDOS victims to wait in line behind the MPAA to figure out which IP address is which person, and whether or not proof of criminal activity sourced at a given IP address is proof of any particular person being responsible for it.

The vendor, at the very least, is far more easy to identify and to prove their hands are dirty, plus they tend to have pockets deep enough to enable them to distribute the accountability to every other involved party. :3

@z

> You could make the company legally responsible for vulnerabilities in their product, but what if the vuln is in a 3rd party library?

What if you're suing a car company for wrongful death but the initial cause was in a third party component? Or, if you're concerned about "open source" then what if the component was built by the company but based on flawed designs found somewhere in the public domain?

In all cases, vendor is still primarily responsible for putting the public in danger of these faulty third party components. To whatever extent the liability rolls down hill (usually no legal extent in the open source situation, though negative PR is always available) they get to re-broadcast some of that liability to recoup their expense.

But in all cases they get to think twice before using lowest-bidder garbage to build their products out of.

> What if it's in the hardware?

See above.

> What if it's introduced by a government on purpose?

This one is more interesting, I come to the same conclusion as above but this time for different reasons.

It's not so much that the vendor "chose" for their product to get riddled with holes by the government (I'm sure if they had any real choice they would have passed on more fingers in the pie, and the government is never going to overly bribe whomever they could just as easily threaten instead), but such riddling remains a rain on the heads of all vendors that all vendors bear equally due to no easy alternative, but also due to no meaningful consequence to them.

Thus, making the consequence real to the vendor would at least improve their incentive to push back against dangerous governmental interference with their products, as well as moving market demand to wherever that happens the least. That's an unfair mountain of pressure to apply to any one specific vendor, sure. But this is a policy that would affect all vendors and their competitors equally, so it's really the collective industry picking up the tab and that finally is a player big enough to exert counter-pressure against governmental malfeasance. :P

@Michael Horowitz

> Most likely IoT devices are made visible on the Internet by using UPnP to poke a hole in the router firewall. Many routers ship with UPnP enabled by default. This, to me, is the real problem.

Well, first of all Bruce is at least including home routers in the same soup as IoT and listing them as among the problem.

But secondly, UPnP not being enabled by default would only shift the problem because next IoT vendors would either build customer-facing software that forces the hand of inept users into turning it back on again, or similar measures due to the IoT's inherent need to have dangerous levels of attack surface before they can offer the poorly crafted services they were even designed to offer.

Not to mention, whatever router doesn't pander to the lowest common denominator of "allow UPnP by default" faces people kicking up negative PR when their Amazon Button or Facebook Fridgemagnet stops working, but only when behind that router.

So ultimately that means that the state and nature of IoT remains an important part of the equation. The challenge of securing or even allowing UPnP is the actual symptom in the face of the difficult-to-secure perceived needs of both lazy users and lazy vendors. :3

Nick P • October 10, 2016 6:27 PM

@ Jesse Thompson

"there's not a solution I've ever been exposed to to even *begin* to tell source DDoS traffic from ham."

Actually, old Orange and Red books + products like DiamondTEK LAN had it covered. Here's a design from Boeing that applies older methods for all sorts of protection. Key features here are (a) ability to authenticate the source of the traffic, (b) ability to limit the speed it broadcasts, and (c) a dedicated, hardened device to do both even if the endpoint is malicious. They could build this stuff right into the routers/modems. When DDoS is detected, they limit or block any that they can. This is what Boeing EFW does in its design.

The ISPs could get together to require a solution like this to even connect to their networks. Maybe also an automated way of notifying whoever is responsible for that network block, too.

r • October 10, 2016 6:59 PM

@Nick P, All,

Unfortunately, outside of maybe blocking the SMTP/HTTP/FTP ports in the mid/late '90s, I haven't seen any real effort outside of anti-spoofing from American ISPs. Can we really expect the people who 'har har har' their own users to take QoS seriously? It seems to me they're more interested in monetizing QoS than using it to stabilize/homogenize/securify their topology.

ab praeceptis • October 10, 2016 7:07 PM

Nick P

Well spoken. But: Forget it. The ISPs are the problem. More precisely, that (still significant) part of ISPs who don't care a rat's ass or who find it too burdensome or too expensive or ...

Just look at the vast number of hosters, who are ISPs at the same time. They have a Class C here, 1024 IPs there, yet another 1024 over there - and guess what the hoster will do: he'll just route whatever the hoster feeds, who again, more often than not, will transport whatever he is fed with.

The fact that major segments of that market, both in terms of bandwidth and in terms of services, get ever more competitive doesn't help either. You might have a hard time finding a hoster who says "No" if you want to buy half a rack but bring along your own IP range; quite the contrary, that'll make you his friend.

And routing in the messy barn? Simple: Whatever comes from inside gets pumped outside. If at all, those guys are concerned about not letting IN everything.
I know of more than 1 hoster running thousands of VPSs with 1 single techie guy and that guy has plenty to do just keeping the whole thing running somehow.

The root of that ugly beast is the committee people not thinking properly.

But I can tell you a quick fix that's not complete but that can kill 98% or so: Have the routers fill in the source IP field (and not the hosts themselves). So, evil guy on host 1.2.3.4 sends out a packet he says is coming from 9.8.7.6 ... and the router just stamps his real IP into the UDP packet anyway.

z • October 10, 2016 7:13 PM

@Jesse Thompson

The car analogy doesn't work well for software. Consider the DNS vulnerability in glibc. Should every single vendor running Linux be held responsible for that? Same goes for OpenSSL with Heartbleed (among many others), and for bash with Shellshock. That stretches the concept beyond reason.

One could argue that the glibc, OpenSSL, or bash developers are responsible since it's their code, but it's free software. They aren't forcing companies to run it, and it's against the license terms of every FOSS license to hold the author responsible, for good reason. A car manufacturer enters into contracts with suppliers to provide components. In that case, the 3rd party manufacturer knows where their products are going, and they know what specifications they are to be made to. The car company, for its part, has direct say in the manufacturing quality, since they are paying for it and can choose to pay for better or worse products. However, I have security sensitive code on Github and don't even know who uses it.

education/mitigation|prevention • October 10, 2016 7:16 PM

@Jesse Thompson

I disagree with this:

"Device owners" as a broad category absolutely do not care about invisible threats evinced only by experts in fields they do not understand the negative ramifications of which have never happened to anybody that they know.

A "think of the children" story usually works here:
http://www.networkworld.com/article/3106880/security/mom-discovered-twin-daughters-bedroom-being-streamed-via-live-camera-viewer-app.html

Now, how hard would it be to trace back the source IPs from the attack on Krebs? The service providers could easily notify suspected unwitting participants:

"During the last billing period, we noticed some unusual activity originating from your home network. Criminal actors have recently been using hijacked consumer devices for the purpose of [insert criminal activity here]. If you own any [insert list of commonly hacked devices, eg. DVRs/cameras], here is a list of resources to help you better understand the risks involved to you and your family: [...]"

It's not free for the ISPs, but shouldn't cost very much. I fear that if we stop trying to fix the users, they'll figure out how to fix themselves before this IoT mess is sorted out.

I also take issue with this point:

That's an unfair mountain of pressure to apply to any one specific vendor, sure. But this is a policy that would affect all vendors and their competitors equally, so it's really the collective industry picking up the tab and that finally is a player big enough to exert counter-pressure against governmental malfeasance. :P

But largely agree with the rest of what you said ;)

Ted • October 10, 2016 7:40 PM

As a part of the Department of Commerce’s Internet Policy Task Force, 131 groups were asked to comment on the ‘Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things’

These groups include the Alliance of Automobile Manufacturers, AT&T, Cisco Systems, Electronic Frontier Foundation, IBM, Microsoft, Telecommunications Industry Association, etc.

Their comments are listed here: http://www.ntia.doc.gov/federal-register-notice/2016/comments-potential-roles-government-fostering-advancement-internet-of-things

Ward • October 10, 2016 8:15 PM

I'm not a fan of Microsoft being any kind of frontrunner of the IoT. They're aggressive in the commercial mass surveillance space from Windows 10 to IoT surveillance that they're actively marketing to cities across the U.S. (such as New York City).

Peanuts • October 10, 2016 10:16 PM

Can someone experienced with case law comment? It seems to me that should an owning party to a dangerous property knowingly let the property harm persons or other property, case law is precisely clear enough.

Wait until critical mass is sufficient and lawyers will step in to take 80% of the tariffs.

Government will wait until lawyers step in; that's what they are paid to do. After which they will use the crisis to take another freedom (pick one at random).

The rest is gravy: negligence, a vain attempt to try to not get seriously screwed while DDoSes splinter the bits not protected by the likes of Prolexic/Akamai into waste matter, while the costs to maintain mitigation skyrocket with costs passed along to consumers.

Any weak link in a service delivery chain is a target

Mangesh Bhamre • October 10, 2016 11:23 PM

Thanks, Bruce, for pointing it out. Very valid points.

Cheap devices do get the work done and don't bother to fix security for you. Once sold, their job is done.

Having worked for Intel/McAfee for the last 10 years, I understand good security measures, and most IoT devices fail miserably.

This post struck me hard, as we (Open Netware company) have been working on solving this problem. I would like to stress the Wi-Fi router that we built for security.

"GENIE - Total Internet security" Wi-Fi router is our solution to home network security. It filters out phishing/malware/virus-infected sites/spyware/ransomware traffic to protect every device at home. Hardened router with secure DNS technology helps us to solve this problem.

Here are the details: https://www.linkedin.com/pulse/how-secure-your-home-network-mangesh-bhamre

We have been working with ISPs to roll out our routers and are getting great responses. ISPs do understand security and are focused on making their setup better each day.

Drone • October 10, 2016 11:42 PM

"What this all means is that the IoT will remain insecure unless government steps in and fixes the problem."

Yeah right, just like the Government stepped in and "fixed" Iraq, or the U.S. Healthcare Industry (just to mention just the tip of the iceberg).

Where are all the greedy Trial Lawyers? Why aren't they suing the companies that make all these crappy vulnerable Internet connected devices? (Maybe there's no money in it because the companies are all in China?)

r • October 10, 2016 11:44 PM

@All,

Peanuts has a small point: when Michelangelo "broke out" we had alerts on Good Morning America for dialup Apple ][e's. Melissa or ILoveYou? Not even close. Where are the consumer alerts for TP-Link routers etc.?

r • October 10, 2016 11:46 PM

@Drone,

Make no mistake - the healthcare industry IS fixed, has been "fixed". But! In all likelihood will not be fixed. If you don't believe me, first look at your bill, then turn on the news. That's the cold hard truth of the tip of the iceberg.

Todd Knarr • October 10, 2016 11:48 PM

@vek: There aren't any protocol changes needed, really. See RFC 3704 for the sort of filtering that'd put a stop to a lot of DDoS attacks at the source. Notice the date on it, and the fact that it's still current. Then look at the date on its predecessor. This ought to be standard practice for consumer ISPs.
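The source-address validation that ab praeceptis sketches above (the router, not the host, decides which source addresses are believable) and the RFC 3704 filtering Todd Knarr points to, worked through as an added example; this is not code from any commenter or from any ISP product, and the routing table, interface names and addresses are constructed for the demo.

```python
"""
Source-address validation in the style of RFC 3704 (BCP 84) ingress filtering.
Added example with a constructed routing table; intended for customer-facing
interfaces of an ISP edge router, not for its upstream link.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    iface: str   # interface the prefix is reached through
    best: bool   # True = installed best path (FIB); False = alternative path kept in the RIB


def route(prefix: str, iface: str, best: bool = True) -> Route:
    return Route(ipaddress.ip_network(prefix), iface, best)


# Constructed table: customer A (eth1) holds 1.2.3.0/24; customer B (eth2) holds
# 9.8.7.0/24 and is multihomed for 5.6.0.0/16 via eth2 (best) and eth3 (alternative).
# eth0 is the upstream link carrying the default route.
ROUTES: List[Route] = [
    route("1.2.3.0/24", "eth1"),
    route("9.8.7.0/24", "eth2"),
    route("5.6.0.0/16", "eth2"),
    route("5.6.0.0/16", "eth3", best=False),
    route("0.0.0.0/0", "eth0"),
]


def _covering(src, routes, best_only):
    """Routes whose prefix contains src. The default route is always ignored here:
    it would make every address 'routable' and defeat the check (RFC 3704, 2.4)."""
    return [rt for rt in routes
            if src in rt.net and rt.net.prefixlen > 0 and (rt.best or not best_only)]


def strict_rpf(src, iface, routes=ROUTES) -> bool:
    """Strict RPF (RFC 3704, 2.2): accept only if the best route back to the source
    points at the arrival interface. Drops legitimate traffic under asymmetric
    routing, e.g. a multihomed customer sending via its non-preferred link."""
    cands = _covering(src, routes, best_only=True)
    if not cands:
        return False
    longest = max(rt.net.prefixlen for rt in cands)
    return any(rt.iface == iface for rt in cands if rt.net.prefixlen == longest)


def feasible_rpf(src, iface, routes=ROUTES) -> bool:
    """Feasible-path RPF (2.3): accept if any path to the source, including
    alternative RIB paths, uses the arrival interface. Tolerates multihoming."""
    return any(rt.iface == iface for rt in _covering(src, routes, best_only=False))


def loose_rpf(src, iface, routes=ROUTES) -> bool:
    """Loose RPF (2.4): accept if the source is routable at all; the arrival
    interface is ignored, so only unallocated/bogon sources are stopped."""
    return bool(_covering(src, routes, best_only=False))


def ingress_acl(src, iface, routes=ROUTES) -> bool:
    """Ingress access list (2.1) on a customer-facing interface: accept only sources
    inside the prefixes assigned to that customer, here taken to be the prefixes
    routed (by any path) through that interface."""
    return any(src in rt.net for rt in routes if rt.iface == iface and rt.net.prefixlen > 0)


CHECKS = {"acl": ingress_acl, "strict": strict_rpf, "feasible": feasible_rpf, "loose": loose_rpf}


def validate(src_ip: str, iface: str, mode: str = "strict", routes=ROUTES) -> bool:
    """True if a packet with source src_ip arriving on iface passes the chosen check."""
    return CHECKS[mode](ipaddress.ip_address(src_ip), iface, routes)


if __name__ == "__main__":
    cases = [
        ("1.2.3.4", "eth1", "legitimate customer A source"),
        ("9.8.7.6", "eth1", "customer A host claiming customer B's address"),
        ("5.6.7.8", "eth3", "multihomed customer B using its alternative link"),
        ("10.0.0.5", "eth2", "private/bogon source from a customer link"),
    ]
    for src, iface, what in cases:
        verdicts = ", ".join(f"{m}={'pass' if validate(src, iface, m) else 'DROP'}" for m in CHECKS)
        print(f"{src:>10} on {iface}: {verdicts}   <- {what}")
```

Only the ACL and strict/feasible checks catch the spoofed 9.8.7.6, while loose RPF lets it through because the address is routable; strict RPF in turn wrongly drops the multihomed customer's alternative path, which is why RFC 3704 added the feasible-path variant.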

Miksa • October 11, 2016 3:43 AM

I don't understand the hostility against government involvement. Government interference wouldn't have to enable mass surveillance. At the simplest it would be enough for US government/FCC/some other suitable organisation to mandate that all IoT devices sold in US must install updates automatically and the manufacturer must provide security updates for 5 years after manufacture date, or face a fine.

This alone would improve the situation considerably and it would only force some extra work on the manufacturers, work that responsible manufacturers would do anyway. It wouldn't require more direct involvement from government; there would be no need for a cumbersome certification process before devices could be brought to market, the same way that CE marking doesn't require that an electrical device conform to the requirement: we trust the manufacturer's word and do recalls if they lied.

Not all governments would have to erect similar mandates either. If the US had this mandate then a large portion of devices in other markets would conform to it too, because it wouldn't make sense to create a different device for those markets. If the EU and China had similar mandates, then there would be practically no market for non-conformant devices.

Bob • October 11, 2016 1:58 PM

"DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics." I don't see hacktivists in any of the 3 groups. There's something I don't get about the fear of DDoS, and I feel very ignorant about it... to me, it seems like they can do more good than harm. What does Krebs lose with a DDoS? Some offline time; some users will not be able to read his blog, users that will probably come back again and again. What does Visa lose with a DDoS? Well... to me DDoS seems like good ol' anti-establishment equality. Please, illuminate me, sincerely.

Does It Matter • October 11, 2016 5:03 PM

@Craig Heath

"(Bruce Schneier:)the only way for you to update the firmware in your home router is to throw it away and buy a new one."

That's not even mostly true;

There are a remarkable number of similar glitches in this article. Details matter, especially here. This specific instance seems to be of an ordinary pattern of exaggerating anecdotes without statistics to bolster a pre-formed conclusion.

Another at the top of my list was the lack of credit given to free and open source software and its many developers and contributors and testers across devices that contribute IMHO far more to security than the engineers at Google and Apple (or the neglected ones from Netgear and DLink).

Another minor one is the tactical use of the word 'crash' which again, anecdotally is no doubt true, but I suspect the statistics would reveal that the vast majority of devices subjected to DDoS attacks suffer no 'damage' that persists once the attackers stop the attack. Indeed, what I think is really needed from an education standpoint, is to try and get more people (like the audience of this article) to understand things at a basic level. At a basic level one understands DDoS by contemplating the abbreviation, perhaps next explaining the nostalgic trademark-into-common-verbiage of "slashdotting". Slashdotting==DDoS(minus intent to harm).

Another: "don't have a way to be patched"? I don't buy it. I think what people need to understand is that there are ways to patch these DVRs and Routers, but the manufacturers keep them secret and unavailable to users, presumably because they have some sort of informed belief that such will benefit their shareholders.

There were more, it was kind of sad really, like the current POTUS 'choices'...

@Bob

If I hadn't just expended my rant energy, I'd answer you. You sound like a troll. But it boils down to "it's not a black and white situation, it is a spectrum of issues, and you have to look in sufficient depth across the entire spectrum". Personally I believe the NSA understands the dynamics of DDoS much much better than they admit, and it is actually a smokescreen for spooky stuff.

Sancho_P • October 11, 2016 5:39 PM

@Jesse Thompson

”… there's not a solution I've ever been exposed to to even *begin* to tell source DDoS traffic from ham.”

Uh? Even from watching my router's LEDs I can tell you the difference between DDoS and ham.
We don't need DPI to watch a LED, and I guess it doesn't need AI, either.

I don’t want the router / customer to do it, this would be insane.
Auto update isn’t a solution, it’s a problem (see Win 10). It could wipe out a country in seconds, by mistake or friendly state actor.

The ISP is responsible, see:
https://www.schneier.com/blog/archives/2016/09/brian_krebs_ddo.html#c6735100

Bob • October 11, 2016 7:55 PM

@Does It Matter

If you get your ranting energy back I will be pleased listening; I'm not trolling, and I'm not asking rhetorical questions either. I've heard Bruce saying something like "lately, I spend more time worrying about governments and corporations than criminals"; Krebs doesn't seem to think the same. Vulnerabilities are bad, no matter what they are used for, and they should be patched for that reason... but I couldn't finish reading Krebs's article because I was irritated by what I perceived as fearmongering with what to me is one of the things we should be worrying about less right now, the DDoS kind of attack itself. It's a subtle point I'm trying to point out, but maybe you understand. And I try to look in sufficient depth; maybe you can help me.

Clive Robinson • October 12, 2016 12:09 AM

@ Bruce,

What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

Whilst I agree that a free market failure will not get fixed on its own, as it is after all a "race to the bottom", I doubt the US Gov is a suitable candidate for resolving the problem, because it's part of the problem...

For instance you mention upgrading routers, well the FCC has in effect stopped people being able to upgrade the software on WiFi equipment due to "SDR Fear". Nearly all "Consumer Market" routers now contain a WiFi part as standard, and fear of FCC fear means that manufacturers will stop any kind of upgrading as this will be the cheaper option.

Further, as others have noticed above, the US Gov is effectively owned by the corporates. That is, it is not unknown for corporate lawyers to write a draft and submit it to an eager member of the US elected representatives, whose own staff will use the draft as the foundation of their legislative draft.

The problem is international in scope and the last thing the 5eyes want is international legislation that limits their ability to snoop. Thus as has been seen before the international Standards Bodies will get hamstrung from the get go.

Thus an economic solution might be favoured by some "distance cost" metric or equivalent. Unfortunately history indicates it will not be very successful.

The simple fact is that the DoD ARPA IP etc. standards did not consider these problems, and were designed at a time when hardware resources were quite immature.

Thus possibly the best place to start solving these problems is with a "clean slate" rethink of the way we network systems together. What is certain is that neither IPv4 nor IPv6 are designed to effectively deal with the problem either...


Figureitout • October 12, 2016 2:09 AM

Bruce
--You're hyperventilating about a DDOS attack on one site. Also, besides maybe your fridge, if someone flickers your lights, or burns your toast, or makes your house cold. End of the world eh? They'll get found eventually. Maybe your business needs some more regulations too, like you need some politicians telling you how to do your job. That's what you need, right? The smartest people are working on these problems, bringing in the gov't won't make it better. Also, you need to understand that security is like a front-and-center issue for IoT vendors. This is good for security industry, we almost need more breaches to get more investment.

Grauhut • October 14, 2016 7:34 AM


SSHowDowN: 2 Million more Internet of Zombies drones:

"More importantly, the SSHowDowN Proxy attack exploits over a decade old default configuration flaw (CVE-2004-1653) in OpenSSH that was initially discovered in 2004 and patched in early 2005. The flaw enables TCP forwarding and port bounces when a proxy is in use.

However, after analyzing IP addresses from its Cloud Security Intelligence platform, Akamai estimates that over 2 Million IoT and networking devices have been compromised by SSHowDowN type attacks."

http://thehackernews.com/2016/10/sshowdown-iot-security.html
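The OpenSSH default the quoted article refers to is TCP forwarding being permitted for every account that can log in (AllowTcpForwarding yes). The audit below is an added example, not Akamai's or OpenSSH's code; both sshd_config texts are constructed, and the parser assumes OpenSSH's documented rules that keywords are case-insensitive, the first value set for a keyword wins, and everything after a Match line is conditional.

```python
"""
Audit an sshd_config for the forwarding defaults behind SSHowDowN (CVE-2004-1653).
Added example with constructed config texts. Only the global section is evaluated;
Match blocks are reported but not interpreted.
"""
import re
from typing import Dict, List, Tuple

# OpenSSH defaults for the keywords of interest, per sshd_config(5).
DEFAULTS: Dict[str, str] = {
    "allowtcpforwarding": "yes",   # the default at issue: forwarding is on for every account
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
}


def parse_global(text: str) -> Tuple[Dict[str, str], bool]:
    """Return (effective keyword -> value for the global section, whether a Match block follows)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Keyword value' or 'Keyword=value'
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":                             # everything after this is conditional
            return effective, True
        effective.setdefault(key, value)               # first occurrence wins in OpenSSH
    return effective, False


def audit(text: str) -> List[str]:
    """Findings about the forwarding behaviour sshd would actually have with this config."""
    found, has_match = parse_global(text)
    eff = {k: found.get(k, default) for k, default in DEFAULTS.items()}
    findings: List[str] = []
    fwd = eff["allowtcpforwarding"]
    if fwd != "no":
        origin = "" if "allowtcpforwarding" in found else " (OpenSSH default, not set in file)"
        findings.append(f"AllowTcpForwarding is '{fwd}'{origin}: "
                        "any account that can log in can relay TCP through this host")
        if fwd in ("yes", "all", "local") and eff["permitopen"] == "any":
            findings.append("PermitOpen is 'any': local forwarding destinations are unrestricted")
    if eff["gatewayports"] != "no":
        findings.append(f"GatewayPorts is '{eff['gatewayports']}': "
                        "remote forwards can bind on external interfaces")
    if eff["permittunnel"] != "no":
        findings.append(f"PermitTunnel is '{eff['permittunnel']}': tun device forwarding enabled")
    if has_match:
        findings.append("Match block(s) present: conditional overrides were not evaluated")
    return findings


# Constructed: a typical embedded sshd_config that never mentions forwarding,
# so the OpenSSH defaults apply.
WEAK_CONFIG = """
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: forwarding disabled globally; the later duplicate is ignored (first wins).
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowTcpForwarding yes   # ignored: OpenSSH keeps the first value it read
"""

# Constructed: global 'no' with a per-user override that this audit does not interpret.
MATCH_CONFIG = """
AllowTcpForwarding no
Match User admin
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("match", MATCH_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```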

VinnyG • October 15, 2016 6:51 AM

Would a blacklist approach (analogous to the Vixie/Real Time Black Hole efforts in the early days of spam) have any utility? Presumably, this could be implemented at or near to a targeted resource independent of government or ISP measures. It would most likely depend on a rogue IoT device owning a fixed or sticky IP address, or belonging to a router with such an address that controls a suitably small set of private devices (wouldn't want to block a slew of innocent and/or useful parties, but for a number of reasons I'd have no problem with isolating an entire household because of a single rogue device). I don't have any handle on storage, processor, or bandwidth consumption to employ a blacklist of a large number of IPv6 addresses in this manner; I suppose that could be an issue.
-VinnyG

Doc • October 15, 2016 8:02 AM

Sir;

You wrote: "But the only way for you to update the firmware in your home router is to throw it away and buy a new one."

You might want to check out http://www.dd-wrt.com/ I recently updated two new routers with dd-wrt. It's a dramatic improvement over the stock firmware in both features and security functionality.

It's very unusual for Bruce Schneier to publish something so factually incorrect.

Clive Robinson • October 15, 2016 10:54 AM

@ Doc,

It's very unusual for Bruce Schneier to publish something so factually incorrect.

It's not factually incorrect. You are upgrading "old hardware"; the FCC, with its "SDR Fear", has mandated that software for the WiFi SDR shall not be modifiable by the end user....

Due to the way many of the consumer end routers are designed, it means manufacturers will now lockdown their software by code signing etc, which will mean in many cases of new hardware you can not load FOSS software.

Thus "upgrade via landfill" will be the only option for many routers in the very near future.

Don't expect the manufacturers to protest overly hard as it will mean increased revenue...

Clive Robinson • October 15, 2016 12:40 PM

@ Doc and others,

This is from a little over a year ago,

https://www.techdirt.com/blog/wireless/articles/20150831/07164532118/no-fcc-is-not-intentionally-trying-to-kill-third-party-wi-fi-router-firmware.shtml

It and similar articles caused a bit of a backlash at the FCC who went into huddle mode before issuing a change to the proposals.

However the change only partly solves the problem, where the radio control software runs on another MCU (similar to smart phones). For a SoC solution --most consumer routers-- the lockdown would still be required.

Thus the FCC got another backlash last year and the new rules were delayed. As far as I'm aware the new rules have not yet been finalised, but it was not looking good for SoC based routers last time I looked.

MK • October 15, 2016 5:41 PM

IOT devices will have vulnerabilities. Even if they build some update mechanism to patch the device from time to time, the mechanism itself will have vulnerabilities. People knowing the update mechanisms would agree that running and maintaining trouble free updates is a very hard problem. I don't see hundreds of thousands of IOT device vendors doing it right all the time. The cost of failure to update will dissuade many from implementing it altogether. Hence the problem here is going to stay, unless there are some standards for the IOT platform or some dominant platform, like android, becomes the standard.

r • October 15, 2016 7:41 PM

@MK,

RE: Update process

Exploits aside, you're kidding right?

Don't you think that if people like netgear and tp-link can include minorly effective automatic update processii enabled by a checkbox upon login that these even smaller companies with their ultra-flattened device trees could enable such features?

The problem is, nobody wants to give lifetime support.

Cheap devices are fire-and-forget. It's reasonably understandable but not very respectable in the face of closed source. If you're going to abandon your baby it needs to be given to the public once your interest in it has waned to the point of abandonment... but then again - we give our infants shaken baby syndrome because we don't want other parents to raise them better than we would have.

r • October 15, 2016 8:02 PM

General Motors stops supporting its vehicles directly after, say, 10 years; they allow you to buy either from them (parts that are old stock) or basically reverse engineered replacements sourced from Canada and China or a local millwright.

What's your excuse?

They (excluding the current dear john(john deer) bs) essentially have accepted that if they no longer want their babies lots of other people can and do rear them.

r • October 15, 2016 8:32 PM

So, let's assume that the problem leads immediately back to the device manufacturers not providing documentation ETC as per OpenBSD's life long complaint of certain hentities.

The manu's wouldn't make any more money if they sold cut rate chipsets and never released an upgrade; what's more is they would even lose money if a) they provided LTS or b) provided source/reference information for a competitor to open up a new market for drop-in-replacement babies.

(a la https://en.wikipedia.org/wiki/A.I._Artificial_Intelligence)

It's a shame, I guess the hw manu's are seemingly forced into that ideological position.

r • October 15, 2016 10:07 PM

@Doc,

dd-wrt is an option yes, is it the solution?

If it was then openwrt would've never been invented, which if I recall is an attempt at giving you the ability to actually control your device.

I think dd keeps certain things behind the curtain, but they **did** do the r/e work I'm assuming. props.

r • October 17, 2016 7:45 PM

@Grauhut,

Thank you for clarifying that, I would mention Tomato but my experience with it is non-existent.

I believe there's others too, but that's drifting much further from the actual topic. I suppose my rant while on topic for the topic is not on topic considering the content/post technically speaking.

Clive Robinson • October 17, 2016 9:34 PM

@ r,

(excluding the current dear john(john deer) bs)

I'm assuming you mean "Deere" as in tractors R Us, and the battle to get legislation through in Nebraska to get the "DMCA" (17 U.S. Code § 1201) out of farming,

https://securityledger.com/2016/07/right-to-repair-fight-dmca/

I'm sure the geriatric Republican Tea Bagger John Howard Coble who introduced the DMCA --and having keeled over in harness last year[1]-- is probably having a big hollow laugh in his grave. Because he got the very slender majority to get his congress critter job on tub thumping protecting Carolina's tobacco farmers...

No doubt his supporters will blame it on the World Intellectual Property Organization (WIPO) Copyright and Performances and Phonograms Treaties back in 1986. But 17 U.S. Code § 1201 went way beyond that, removing fair use and other norms that would protect researchers, which is part of the reason Matthew Green, with EFF assistance, is going after the DoJ,

http://www.whitecase.com/publications/article/electronic-frontier-foundation-brings-suit-over-anti-circumvention-provisions

[1] Apparently the old goat also pledged he would never take a pension from the sheeple, unlike the other congress crooks; thus he fulfilled that promise by dying on the job...

r • October 17, 2016 10:48 PM

@Clive,

Yes, and thank you. Doubly so.

While we may not have 100% documentation of these practices and conundrums, we are certainly successful at keeping these factors en light, even if we are just picking at scabs. If the legal system were a hardware manu (which it may be, see: http://www.behindthename.com/name/manu-1) those truly interested in security or privacy should be proud that we are bringing these points of oft ignored sources of friction and wear to light.

The final nail in the coffin as per who's side of this argument we're on is the following link:

;--------

motherboard.vice.com/read/galaxy-note-7-explosion-environmental-impact-recycling

;--------

It's obviously, very very obvious which position is the truly appropriate stance to take.

spibbitz • October 22, 2016 5:30 PM

Every time a problem caused by private sector actors goes unfixed for many years due to neglect by those actors someone suggests, sensibly, that the government do something.

And suddenly a flock of quacking morons appears babbling, oh, no, the gummint is the enemy! Business is sacred and needs to be self-regulating. Despite the fact that for 35 years this approach has proven to be intensely destructive. But quacking morons must quack. It's in their self interest: private profit, socialized pain.

erltoichi • October 24, 2016 2:15 AM

I respectfully disagree with Mr. Schneier here.
Firstly, the original Internet design architecture, or rather the design of Internet protocols (IP protocol suite), had a first level design goal, namely the interconnection of existing, separately managed (non-IP) networks - the design of a unified network was explicitly not a goal.
It also had second level design goals among which were (see http://www.cs.princeton.edu/~jrex/teaching/spring2005/reading/clark88.pdf for details):
1.) Internet communication must continue despite loss of networks or gateways.
4.) Internet architecture must permit distributed management of its resources.
6.) Resources used in the internet architecture must be accountable.
We can already see from this that 1.) was of primary concern back then and it is clear that an architecture of the Internet as it exists today as one big unified network, with critical parts of the infrastructure concentrated in a few single places was not only not a design goal, but was explicitly a situation to be avoided.
Security was not a high priority because in the original design it was assumed that security would be managed by these separate networks and that only trusted hosts/networks would be connected (it was a DARPA/military project after all).
Nowadays, we live with basically one unified network, where the majority of platforms are not diversified at all but provided by a handful of companies (i.e. Microsoft, Cisco, etc.).
The problems of these platforms and software (i.e. protocols like TCP/IP, UDP/IP, or services like DNS, HTTP) are well known, and while the quality of implementation is in general much better than it used to be, new releases introduce new vulnerabilities and in general do not address the underlying design issues.
Secondly, while the Internet has scaled very well to this point, the problems that are due to the underlying design are starting to show. As Mr. Schneier pointed out here, security now on network level is all but impossible, simply because the Internet is a huge mess, where fixing one part is likely to break the whole network, and it is true that no one cares about security of endpoints anyway. This will not improve with all these new IoT devices - in fact, I believe that this will kill the Internet. Nowadays, the only way to secure your network is to disconnect yourself (i.e. your devices) as much as possible and implement security and connectivity only at the edges of your network.
Most individuals don't have the skills or resources to do that, and because of cost most organisations are not willing and not capable to do it.
As a consequence, you can today prepare yourself for the complete crash already.

Pressed Rat • October 24, 2016 11:49 AM

> "If anything, more and more routers are now able to self-update"

> The DSL/router/wifi device I got from CenturyLink is able to download updates.

> In the six years I've been using it, how many updates were available?

> Zero.

Exactly this. Many many cheap consumer routers never get firmware updates from the manufacturer. It isn't a matter of the device not supporting updates, but simply the lack of updates. Furthermore even if updates are available they often use old unpatched libraries with known vulnerabilities that haven't been fixed because the library vendor has moved on.

Bruce is right when he said this:

But the only way for you to update the firmware in your home router is to throw it away and buy a new one.

There are good consumer routers out there that run supported OSS software. But they are in the minority because they cost more.

Ultimately I think the ISPs are going to deal with this by disconnecting badly behaving ports. They already do it for email.

Sancho_P • October 24, 2016 5:08 PM

@Pressed Rat

@Bruce is right when he said “But the only way for you to update the firmware in your home router is to throw it away and buy a new one”

Nope, unfortunately not.
Be careful whenever you hear “buy”, whoever tells you …

… Oh yea, just throw away your old thingamajig and buy a new one, like this
luxury super cheesy D-Link DWR-932 B LTE router:
http://thehackernews.com/2016/09/hacking-d-link-wireless-router.html

and have fun!

gordo • October 24, 2016 6:32 PM

City banks plan to hoard bitcoins to help them pay cyber ransoms
Experts say blue chip companies have decided it’s cheaper to deal with extortionists than risk damaging attacks
The Guardian | Jamie Doward | Saturday 22 October 2016 22.30 BST Last modified on Monday 24 October 2016 17.56 BST

“The police will concede that they don’t have the resources available to deal with this because of the significant growth in the number of attacks,” Moores said. “From a purely pragmatic perspective, financial institutions are now exploring the need to maintain stocks of bitcoin in the unfortunate event that they themselves become the target of a high-intensity attack, when law enforcement perhaps might not be able to assist them at the speed with which they need to put themselves back in business.”


[...]

“Big companies are now starting to worry that an attack is no longer an information security issue, it’s a board and shareholder and customer confidence issue,” Moores said. “What we are seeing is the weaponisation of these [hacking] tools. It becomes a much broader issue than businesses ever anticipated.”

https://www.theguardian.com/technology/2016/oct/22/city-banks-plan-to-hoard-bitcoins-to-help-them-pay-cyber-ransoms


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.