A cyber attack on the Internet infrastructure company Dyn on October 21 hindered internet browsing for hours while the company scrambled to restore service. The as-yet unidentified attackers were helped by a millions-strong army of Internet of Things devices, including enterprise webcams and DVRs, that were quietly conscripted into a botnet to launch the denial-of-service attack. The incident is the latest reminder that many IoT devices aren’t adequately secured. These types of attacks will continue as long as a large enough number of vulnerable devices exists. So the question facing the security industry is how to shrink that number.
Looking forward, the most important step is ensuring that new IoT products are strongly secured before they reach consumers. This is particularly important for IoT devices, even more so than smartphones and laptops, because IoT products can function for years and consumers often don’t have a reason to replace them. The European Union is considering laws to force compliance with security standards, and multiple industry and government groups have released standards for voluntary compliance in the United States. Incentivizing companies to adopt these best practices is a challenge, but even when every new IoT device contains baseline security protections, the millions of substandard IoT products already in existence will still be a problem.
“I’m not worried about the future, I’m worried about the past, because there are all these zillions of devices out there that are ripe for exploitation,” says Roland Dobbins, a principal engineer at Arbor Networks, a security firm that specializes in distributed denial-of-service attacks.
This is where internet service providers could potentially play a valuable role.
How Internet Service Providers Could Help
There are two main ways that ISPs could contribute to IoT security. The first is by blocking or filtering malicious traffic driven by malware in known patterns. For example, some ISPs use a standard called BCP38 to reduce spoofing, the process used by attackers to transmit network packets with fake sender addresses. Protecting against spoofing can negate many of the strategies that allow for assaults like the one on Dyn, but it’s taken years to get the majority of ISPs to adopt the standard—and some still don’t because of the cost of installing and maintaining the filters.
The second thing ISPs could do is notify customers—whether big corporate clients or individuals—if a device on their network is sending or receiving malicious traffic. The idea is similar to the practice already in place in which ISPs forward Digital Millennium Copyright Act warning notices to customers if the internet provider detects possible illegal file sharing. Proponents of this approach say ISPs could warn customers, who could then take action to find and secure the compromised IoT device.
Finding the Boundaries
Both strategies are controversial. Blocking or filtering traffic could potentially go too far, catching legitimate interactions in the same net as undesirable traffic. “There’s always the false positive rate,” Morey Haber, vice president of technology at the security firm BeyondTrust, says. He adds that attempting to protect insecure devices from above doesn’t change the truth of their condition, so while it can help to filter known threats, it doesn’t resolve the potential for the devices to be exploited in other ways.
Notifying customers has yet to gain traction. “There are some enlightened ISPs who understand that doing the operational expenditure to proactively notify their customers actually in the long-term pays out economically and makes sense,” says Arbor Networks’ Dobbins. “But most of the others either don’t understand the issue or their view is that it’s not their problem. A Verizon spokesperson told WIRED that the company only notifies customers if a problem is interfering with network operations.The Internet & Television Association trade group declined to comment on either notification or screening as part of attempts to improve IoT security.
Dobbins thinks of the IoT botnet threat as a public health crisis and argues that compromised devices should eventually be quarantined—cut off from the internet by ISPs if their owners don’t take action to secure or replace them. Matthew Devost, the managing director of Accenture Security, says that a public-private partnership, like the one for DMCA notices, could help ease the burden on ISPs. If internet providers send notices because they’ve been directed to in some form by government, they limit their liability. “I don’t think you’ll get the ISPs to participate unless it’s in coordination with the government,” Devost says.
In its Open Internet Order, most recently published in 2015, the U.S. Federal Communications Commission says that it condones “network management practices that are primarily used for … ensuring network security and integrity, including by addressing traffic that is harmful to the network, such as traffic that constitutes a denial-of-service attack on specific network infrastructure elements.” Though the agency does not require that ISPs offer these services, it encourages such actions by making it clear that they are protected and are not viewed as being at odds with net neutrality.
Paths Forward
We still don’t know who launched the attack against Dyn last week, though some preliminary evidence suggests that it was not a nation state actor. But with two other similar large-scale attacks recorded in the past month—one against the website of security journalist Brian Krebs and the other against the French internet service provider OVH—there’s increasing pressure to take action on IoT security. “It all comes down to basic security hygiene, says Chris Carlson, vice president of product management at Qualys. “This is a public safety issue.”
The Chinese IoT manufacturer Hangzhou Xiongmai said on October 24 that it would recall a model of webcam that is vulnerable and has played a role in recent botnets. If recalls became more common for IoT devices, it could provide consumers with a concrete step they can take if they receive an ISP warning notice: They could potentially replace the device for free and move on. BeyondTrust’s Haber notes, though, that there isn’t established industry precedent for this yet.
Experts point out that many companies already do implement strong IoT security measures like randomizing default device passwords so that each unit sold has a different one, or ensuring that they provide a prominent and easy-to-use interface for customers to download the latest security updates onto their devices. Apple, for example, is known for having very high security compliance standards for products to participate in its HomeKit framework. While some companies take the lead on modeling best practices, though, millions of devices have shipped without these types of features and sit vulnerable for years in businesses, institutions, public spaces, and homes around the world. “I think when we talk about the interconnected web, members of the [technical] community need to do a disproportionate amount of benefit to help us all,” says Chris Carlson, vice president of product management at the security firm Qualys. “ISPs have a good opportunity to do that because they provide the pipes.”