Wednesday, October 26, 2016

It's past time for governments to mandate security levels for all internet-connected devices

On the tail of the 2016's Census issues dealing with four relatively small distributed denial of service (DDOS) attacks, the US East Coast was recently hit by a massive DDOS attack that succeeded in taking offline, or at least slowing down, major sites - from Amazon, Twitter and Spotify to PayPal and Netflix.

This major attack, involving millions of devices, had global impacts - including impacting the websites of range of Australian companies - retailers, banks, media services, insurance companies and hotels.

This type of attack isn't new - for years organisations have had to harden their computers and networks to fend off DDOS and more focused hacking attempts.

In fact a DDOS attack is often considered one of the most unsophisticated approaches - simply flooding a network with an unmanageable number of requests from hundreds, thousands or millions of hijacked devices until the routers and web servers collapse under the pressure.

However this latest attack was different in several regards to what organisations now should plan for.

Firstly it was on a scale that few had imagined. The company targeted, Dyn, provides backbone services for the internet and was well prepared for massive DDOS attacks. However this attack was at a scale that even such a service was unable to fend off without significant disruption for hours.

Secondly, the approach didn't use the normal range of compromised and poorly patched internet-connected devices to launch and sustain the DDOS attack. Normally hackers conscript or buy access to 'botnets' made up of hundreds or thousands of poorly maintained computers on insecure networks, using malware on these PCs to launch an attack.

In this case, however, the people responsible used open source hacking software to tap into a network of devices connected to the internet - security cameras,  Digital Video Recorders and web cameras, amongst other types.

The majority of these devices were older, with many were linked to one specific Chinese manufacturer who develops white-label products for others to brand and sell. Most relevant, these devices had little if any security in place to prevent hijacking. They are also unpatchable - they can never be secured in ways that make it hard, if not impossible, for hackers to take them over.

In other words, these non-computing insecure devices are a permanent threat to the internet. They can easily be used in malicious or military cyberattacks by anyone with the inclination to do so.

While the manufacturer has issued a recall for these permanently insecure devices (though its unknown how many devices will be returned as part of this process), the growth of the 'internet of things', where DVRs, smart fridges, air conditioners, cars and all kinds of household and work appliances are linked to the internet for monitoring and management purposes, poses a growing threat to the ongoing viability of the internet.

With billions of devices progressively being connected to the internet, there's little in the way of mandated or legislated requirements for devices to be secure to a given standard at a point in time, or have their software regularly upgraded to ensure that known security risks are patched.

While most countries specifically regulate and test products designed for health use, power use and radio spectrum to verify they won't cause harm, few nations have similar requirements for security.

Largely this remains in the general 'fit for purpose' terms in relevant trade practice legislation, which is effectively useless when a device, such as a baby monitor or smart fridge, can remain fit for purpose and be used in a economic or politically inspired cyberattack at the same time.

This isn't a future issue. I can name six types of non-computing devices in my home which are, right now, internet capable - DVRs, TVs, web cameras, security cameras, air conditioners and light globes.

Households across Australia, and the world, are rapidly adopting or upgrading to these devices for convenience and improved management purposes - but security requirements are lagging badly.

This is an area where it's not sufficient for governments to trust that manufacturers and retailers will 'do the right thing' on an ongoing basis.

Some manufacturers and supplies  might cut corners in their software, or not realise the significance of how their devices could be remotely accessed and used maliciously. Others may discontinue products or go bankrupt, leaving devices unsupported.

The end result is not necessarily a risk to the consumer who bought the product, but rather a broader risk to society that these devices are used in an attack that damages companies or governments.

There's also a risk that companies or unscrupulous governments may use these 'smart' connected devices themselves to spy on citizens. Indeed this may already be happening.

Now some governments, such as the Australian Government have begun offering advice to citizens on how to secure their personal networks. A good home firewall will, currently, help keep many potentially insecure devices protected against external risks.

However this is merely a stopgap. Firewalls have flaws, can be bypassed and are not consistently installed or maintained by households.

With internet-connected devices already proliferating, many already in households and businesses may be impossible to secure, as were many of those used in the recent US cyberattack.

For governments to protect societies against cyberintrusions - economic loss, political damage and inconvenience, there needs to be far more consideration of the potential risks around internet-connected devices - and fast.

Extra: I've just read a post that sums up this issue very eloquently, so have embedded it below...

No comments:

Post a Comment