What Bruce Schneier Teaches Us about IoT and Cybersecurity
As if I haven’t said it a million times, IoT security is critical.
But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.
At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.
After watching it at least three times, I decided to share the main concepts with the readers of TechTalks. Here are the key takeaways, which I’ve taken pains to elaborate on.
Everything is now a computer
“Everything is now a computer,” Schneier said at the beginning of his remarks, after which he gave examples about how our phones, refrigerators, ATM machines and cars have in essence become computers that perform functions in the physical world.
“And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about,” he continued.
IoT devices are very different from objects with a little silicon and electronics baked in. We’re talking about devices that sometimes run fully functional operating systems and have broadband internet connections.
And as we all know, computers are smart—but they’re also hackable.
So what it comes down to is that soon, everything around you, from your toaster to your lawn mowing machine, fridge, light bulb and door lock can be hacked and used directly (against you) or indirectly (against others) for evil purposes.
And then Schneier went on to “give four truths” from the world of computer security—which he extended to “everything security”—that apply to everything.
Attack is easier than defense
This was Schneier’s first premise. As the saying goes in cybersecurity jargon, “Cybersecurity experts have to win every battle. Hackers only have to win once.”
But it was his next phrase that said it all.
“Complexity is the worst enemy of security,” he said. “And this is especially true for computers and the internet.”
Attackers find ways to use software and operating systems maliciously that their developers never imagined. This is partly due to security flaws in the source code, and partly due to the simple fact that the basic functionalities embedded in that software can be combined in innumerable ways.
Even highly secure operating systems such as Apple’s iOS tend to spit out vulnerabilities every once in a while.
Put another way, you have to plug every security hole—hackers only have to find one.
Interconnections introduce new vulnerabilities
This is an extension of the complexity concept.
“The more we connect things to each other,” Schneier said, “the more vulnerabilities in one thing affect other things.”
And he went on to recount some of the cyberattacks that became famous in recent years, including the Target hack and, of course, the Dyn attack, in which the hackers exploited vulnerabilities in several systems to stage their attack.
“Vulnerabilities like this are hard to fix because no one system might be at fault,” Schneier explained.
In many cases, a flaw in one system might not be critical per se, but when that system or component is combined with or connected to another one, the same vulnerability might open up new ways to cause harm.
Many IoT manufacturers embed third-party components into their products that are inherently insecure, and they don’t even know about it. I know of at least one Chinese company that was offering vulnerable white-label DVRs and components to other companies, whose products were involved in the Dyn DDoS attack. Good luck recovering all those tens of thousands of devices.
And we’re entering a world where abstraction is playing an increasingly important role in creating software and hardware. Black-box systems connect over the internet and allow access to their data and functionality without anyone having full knowledge of their vulnerabilities.
The internet empowers attackers
“The internet is a massive tool for making things efficient,” Schneier said, “and that’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise.”
The Internet of Things has taken that scaling power to the next level. It was true for the Dyn attack, as well as a host of other recent DDoS attacks that were based on IoT botnets.
In terms of efficiency, Schneier underlined the fact that hackers have an easier time sharing their knowledge and experience thanks to the internet. The source code for the Mirai botnet, which was used to stage the Dyn attack, has been released and is now available for all to use.
And those who don’t have the knowledge to make use of the source code and create their own IoT botnet can rent one at an affordable price. “I don’t recommend it,” Schneier said.
The for-rent cybercrime business model is gaining traction. Recently, hackers put up a ransomware-as-a-service platform to allow wannabe hackers to cash in on cyber extortion.
“This is more dangerous as our systems get more critical,” Schneier said next. “The Internet of Things affects the world in a direct and physical manner.”
This is something that I’ve been saying a lot. It’s one thing to lose access to your favorite website, lose online documents or even have your most intimate secrets doxed. But it’s another thing altogether when your very life and health are concerned and can be compromised from thousands of miles away.
And that’s where the Internet of Insecure Things is leading us.
Schneier: “There’s real risk to life and property. There’s real catastrophic risks.”
The economics don’t trickle down
“Our computers are secure for a bunch of reasons,” Schneier said—and that’s relatively speaking (my own comment). “But it doesn’t happen for these cheaper devices.”
There are many reasons that IoT devices are created with less security. Schneier named a few:
- Low profit margins: Manufacturers are doing their best to lower the costs, and therefore pack the devices with cheaper and less secure components, and firmware and low-end operating systems that can’t run security software.
- IoT devices are offshore: Many devices are treated in an install-and-forget manner. How many times do you check the logs for your thermostat? Also, no sane person leaves their desktop computer or smartphone in an unprotected environment. But IoT devices are made to be installed in the open and left unattended. And yet in many cases, these same devices sport storage and computation capabilities that rival those of mobile and desktop computers, to say nothing of their broadband internet connections.
- No dedicated security teams: Many of the manufacturing companies don’t allocate resources and funds to securing their devices, because as some will honestly admit, “Consumers don’t pay for security. They pay for functionality.” And vetting code and hardware for security can be costly. Also, we’re in the “Gold Rush” phase of the IoT industry’s development, where every new kid on the block is in a hurry to ship a connected device to the market before their competitors do, so naturally, things such as security take a back seat.
- Devices can’t be patched: Desktop and mobile operating systems are regularly updated and patched to fix security holes. The same can’t be said about IoT devices. In many cases, the update mechanism is nonexistent, while in others, it’s so arduous that consumers will simply forgo applying updates. And let’s not forget that these are install-and-forget products. And as Schneier reminded us in his remarks, many of these “things” such as fridges and cars will not be replaced for a long time—some, never. This means they’ll remain vulnerable for the rest of their lives, causing potential damage to their owners and others.
What needs to be done?
“The government has to get involved,” Schneier said. “What I need are some good regulations.”
I agree, but I would also extend the point and say “Everyone has to get involved,” and that includes manufacturers, who should get serious about securing their devices, or suffer the consequences. It also concerns ISPs, who should do more to spot and block botnet traffic. And consumers should become more savvy on cybersecurity in general and demand more security from manufacturers.
But of course, the government has to play a regulatory role that will ensure implementation.
“For the first time, the internet affects the world in a direct, physical manner,” Schneier said. “When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things, maybe we can’t do that anymore.”
I liked that phrase, and I think we ought to take it seriously.
Watch the full hearing here.