Last week, millions of infected devices directed Internet traffic to DNS service provider Dyn, resulting in a Distributed Denial of Service (DDoS) attack that took down major websites including Twitter, Amazon, Netflix, and more. In a recent blog post, security expert Bruce Schneier argued that “someone has been probing the defences of the companies that run critical pieces of the Internet”. This attack seems to be part of that trend.
This disruption raises the question: Can we trust the Internet?
The answer to that question is not yes, or no, or even “it depends.”
First, it is important to realise that there is no security czar on the Internet; there is nobody who can force the global Internet and its users to solve any of these cyber issues. Various actors on the Internet must take responsibility, often in collaboration with others, taking into account the fundamental values and properties that underpin the Open Internet. We call this approach the collaborative security approach. For now, it is sufficient to realise that security of the Internet depends on many actors taking responsibility. In this post, I look at this attack through the lens of the Internet ‘as a system’, and I identify one success, share one observation, talk about a failure, and outline an agenda that we must adopt.
The success lies in the collaborative nature of how Dyn worked with others to mitigate the attack.
As mentioned in their statement, Dyn had to work with the technical community to mitigate the attack. I would not be far off in speculating that this must have involved work with network operators, computer security specialists, law enforcement, computer security incident response teams, DNS providers, and their customers. Given the size and scale of the attack, I see their reactive work as a testament to the effectiveness of the coordination. So, kudos to Dyn for thwarting the attack even though, metaphorically, this is the success of a fire truck arriving on time and limiting damage and not a success of preventing the fire in the first place.
We should not take the sort of collaboration that happened here for granted. These sorts of attacks can only be stopped when network operators collaborate to address issues that are not exclusively impacting their own network (the firemen from other areas coming to aid). At the Internet Society, our Routing Manifesto, or MANRS, initiative speaks to just that: We are growing the community that commits to taking measures against certain types of attacks and takes action that allows for effective collaboration. MANRS acts as a signal to customers that they are dealing with an entity that understands its responsibility. I’ll get back to signalling below.
One of the benefits of having a site’s DNS service managed by one or a few consolidated companies is that specialist expertise can be outsourced and these few organisations can deal with problems quickly and efficiently. However, it also means that chokepoints are created and those few managed DNS service providers are becoming very big targets. The failure here is that the painted target seems to have become too big, and many major companies and websites now share their fate with these consolidated DNS providers. Given that one of the services often offered by DNS service providers is load balancing, untangling these hefty integrations may be a bit tricky. But since some companies and websites took a real hit last week, I think there may be some market-driven evolution in this space.
Now for the failure: Why is it that we are shipping an Internet of Things (IoT) that is so insecure?
These types of attacks depend on malicious software (usually referred to as a “bot,” from robot) being installed on various devices that connect to the Internet. The installation can happen because users (accidentally) open links that download software or because devices are open to attack from the Internet. There are some actors involved here. Any device – a computer, a phone, or an IoT thing – is made out of a large number of software components. When bugs are discovered in the software, the fixes need to make their way into the software and then onto the devices. There is a lot of collaborative effort in identifying the problems, and creating and distributing the fixes. It involves processes like responsible disclosure of bugs, software patch policies and procedures, and device end-of-life policies. It also, somewhat unfortunately, involves the actions of end-users, since they need to remember to change the default password on the camera, printer, or car they just bought.
So from this follows an agenda. Inspired by the IoT Security Questions from our Internet of Things Overview, we need to get to a point where:
- Producers follow, and share, good design practices;
- For every product sold there is a way that security researchers can responsibly disclose vulnerabilities found;
- Producers can fix, or patch, these vulnerabilities during the lifetime of the device (Field Upgradability);
- We clearly understand what happens if the product, or the supporting producers, reach end-of-life (Device Obsolescence);
- Consumers can make informed choices based on these properties (Cost vs. Security trade-offs);
- Data that IoT devices collect are protected and dealt with in privacy-honoring ways (Data Confidentiality and Access Control); and
- Those who go about device security in an irresponsible way get penalised.
This is not a trivial agenda.
Take, for instance, consumers making informed choices. While consumers may care about their devices being hacked and used against them, they usually do not know that their camera may be used to bring down the Internet, so the latter isn’t part of their purchasing decision and hence is an afterthought for the producers. These types of issues can be resolved through signalling mechanisms that indicate devices have at least minimal security. Getting to these signalling mechanisms could be done by concerted industry action, but may also involve regulation.
The fact that Internet of Things security is riddled with cases where manufacturers do not incur costs for any lack of security, and the fact that the global industry ships devices without having good answers for questions like responsible disclosure of bugs, software patch policies and procedures, and device end-of-life policies, make for a rather toxic mix.
We are shipping a lot of Things, so these issues need to be taken head-on with urgency. This should happen not through a central authority, but by consumers, producers, researchers and regulators coming up with mechanisms that allow the Internet to remain open. There are multiple examples of communities taking responsibility and trying to move the needle. Let me name a few that I encountered in the past weeks:
- the NTIA Multistakeholder Process on Internet of Things Security Upgradability and Patching;
- the work by the IAB on IoT software updates – see the report summarising the workshop; and
- the framework for IoT published by the Online Trust Alliance.
The fact that many organisations are looking at several pieces of the agenda is reassuring; that means that good solutions will surface, solutions that are relevant in the context in which they will need to be applied. The call to action is to get involved: take your piece of the agenda and address the piece that you, as a consumer, as a producer, as an insurer, as a stock broker, or as a regulator, can address. Together, in collaboration, bring your expertise.
In the Dyn blog that reports on the DDoS attack, Kyle York says: “It is said that eternal vigilance is the price of liberty.”
I believe that quote is central to the collaborative security approach. It implies that we collectively need to work to keep the Internet open, that sometimes we will feel the pain of openness — for this attack will probably not be the last one — and that most importantly the open Internet brings liberty.
Image credit: Downdetector.com