We don’t have an IoT security problem, we have a threat comprehension problem

This week, everyone on the internet who styles themselves any kind of expert is talking about the Internet Of Things, and in particular “botnets” formed from thousands of poorly secured IoT devices, as a potential threat to the Internet. Unless you broaden the term “Internet of Things” to mean “all computing devices except desktop PCs” then it’s not really an IoT problem, it’s a more general problem of threat comprehension.

In the 1970s and 1980s it was common for servers to have default passwords for maintenance that were often left unchanged. There were so few people with access to the consoles of these servers that this was rarely a problem.

In the 90s desktop PCs often had the same “broken as designed” approach to security. In the 2000s many consumer-grade network routers were similarly insecure.

Some time in the naughties I was attempting to configure a low cost wifi router to bridge networks. I won’t mention the brand, as the problem was common to many; let’s say it was a NetLinkComm router. Some research revealed that the device in question could perform the job I needed, but that the feature was not exposed in the web console. I would need to enable the optional command line console, which was turned off for safety. To turn it on, you transmitted a “breath of life” packet to activate the server, then logged in over telnet using a default password.

Let me say that again. A security product had an administrator account that was turned off by default (so that most people didn’t even know it was there) but could be turned on by anyone on the network. This was documented in the manual. This is like writing “key is under the second pot-plant to the left” on your securely locked front door.

It wasn’t long after this that I had a call from my sister in law, who said “I think I have a virus, I keep getting advertisement popups, but I’ve run a virus scan, and even tried reinstalling windows”. We eventually confirmed that her laptop was clean, and tracked the problem to her router, which had been subverted to inject advertisements into web pages that it passed. A visitor had unknowingly brought a wormy laptop onto the WiFi LAN where it had attacked the router from the inside via its default password.

The Blind Watchmaker Fallacy

In the book “The Blind Watchmaker”, the author writes that one of the key difficulties students (and the public) have in understanding how life on Earth evolved from primordial sludge all the way up to Netflix and space probes is humans’ innate inability to understand the time scale involved. It appears counterintuitive to us that random change and natural selection could produce the level of complexity that we see in the natural environment today, primarily because our consciousness is simply not well suited to comprehending the immense scale of the universe, in both space and time.

The same cognitive gap affects software designers and developers. A developer may think that a default password that is only accepted from the “secure side” of a router is an acceptable risk, because of the incredible unlikeliness of a successful exploit. In order for a user to be compromised, an attacker would have to:

  1. know the vulnerability exists
  2. find a way to get inside the trust boundary to attack the vulnerability
  3. be lucky enough to find a site where the vulnerable device is present
  4. be lucky enough to strike before the user closes the vulnerability (say, by changing a default password)

So unlikely that it would most likely never happen, right?

You forgot about the scale factor. You didn’t truly comprehend how large a billion people is, nor how short a microsecond is.

It used to be said that the average time to compromise of a fresh out of the box Windows XP computer connected to the internet without a firewall was as little as four minutes. Not even time to change your wallpaper and finish downloading updates, and you’re already owned.

The number of attackers, and the sophistication of attack vectors, means that even if you as an engineer think that a particular risk is unlikely to be exploited, someone, somewhere is smart enough and motivated enough to exploit it, and lucky enough to find you in the herd. To survive your first four minutes on the internet, you don’t have to be smarter and luckier than the average hacker, you have to be better than every single one of them. It’s a losing proposition for the prey, as any crocodile waiting in the river for the wildebeest migration can tell you.

Today we have a similar situation with IoT.

Four Minutes To Doomsday

So, stop wailing that some devices are vulnerable, and some designers are stupid. We are all vulnerable, we are all stupid. We always have been, our PCs, our phones, our set top boxes, our IoT sensors, our smartwatches, our lightbulbs, they are all vulnerable and all designed by fools.

Yes, we can and should study to be less stupid; right now we are being unforgivably stupid by repeating mistakes we’ve seen at least three times before. But we also need to accept that even if we stop making unforgivable mistakes, there will still be the occasional design or deployment error resulting in a vulnerability. The universe of threats is not only bigger than we imagine, it’s arguably bigger than we can imagine.

Are you paranoid enough?

If you are asking yourself “how can I protect myself from attack from my own devices or from yours” you are asking the wrong question. You need to ask “how can I minimise the damage when I am compromised” and “how can I detect and recover from compromises”. The lesson of the “incomprehensibility of deep time” is that we don’t aim for “never have problems” but rather “never have problems on average over device lifetime”.

If you want to never be afraid of the Internet again, buy a log cabin so deep in the woods that you have to bring sunlight in by mule train, then feed your phone to a bear.

Otherwise, start here

  1. Stop letting everything talk to everything else. Don’t put your fridge on the same LAN as your tax returns. Explain to the appliance salesperson that you’re thinking of the $800 dumb fridge instead of the $2500 smart fridge unless they throw in a firewall router. Duck so as not to get hit by the router.
  2. People are hard to predict, IoT devices less so. Understand what network resources your unattended devices need to do their jobs. Put them on a budget for both destinations and traffic volume (you’ll probably find traffic limiting under the child-safety features in a home router).
  3. Budget for security. If you’re a business, do periodic network audits for rogue devices. If you’re a non-technical householder you’re kind of screwed, unless you ask your motorised blind installer about their annual checkups, or get your nerdy nephew to check your router packet stats after Christmas lunch. I’m still thinking about how to help you better.
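As an added example (not part of the original post), here is what the “budget for destinations and traffic volume” in step 2 and the packet-stats check in step 3 look like as a script. It assumes your router or firewall can export per-device connection records as (device, destination, bytes); the device names, hostnames, byte counts and policy are all constructed.

```python
"""Audit unattended devices' network usage against a destination/volume budget.

Added example, not from the original post. Assumes the router exports
connection records as (device, destination, bytes). All data is constructed.
"""
from collections import defaultdict

# Constructed policy: each unattended device gets the destinations it needs to
# do its job and a daily byte budget. Anything outside that is worth a look.
POLICY = {
    "fridge":     {"allowed": {"updates.example-appliance.test"}, "budget": 5_000_000},
    "thermostat": {"allowed": {"api.example-thermo.test"},        "budget": 1_000_000},
}

# Constructed connection records as a home router might log them over one day:
# (device name, destination host, bytes sent).
FLOWS = [
    ("fridge", "updates.example-appliance.test", 120_000),
    ("fridge", "updates.example-appliance.test", 80_000),
    ("thermostat", "api.example-thermo.test", 40_000),
    ("thermostat", "198.51.100.23", 2_500_000),   # unexpected destination, large upload
    ("fridge", "203.0.113.9", 64_000),            # unexpected destination
    ("laptop", "www.example.com", 900_000),       # no policy: people are hard to predict
]


def audit(flows, policy):
    """Return sorted (device, reason, detail) findings for devices that have a policy."""
    findings = []
    totals = defaultdict(int)
    for device, dest, nbytes in flows:
        rule = policy.get(device)
        if rule is None:
            continue  # unmanaged device: out of scope for the budget check
        totals[device] += nbytes
        if dest not in rule["allowed"]:
            findings.append((device, "unexpected_destination", dest))
    for device, total in totals.items():
        if total > policy[device]["budget"]:
            findings.append((device, "budget_exceeded", total))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(FLOWS, POLICY):
        print("%-10s %-22s %s" % finding)
```

The thermostat trips both checks: it talked to an address it never needs and pushed two and a half times its daily budget, which is exactly the pattern a subverted device shows long before anyone notices a popup.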

To sum up, the problems we’re seeing are not intrinsic to IoT, and the best advice is the same as ever: there is no such thing as a free lunch, or a ten dollar lifetime cost of ownership.

(This article originally appeared on Medium.)