A clank of botnets
More bad news for the Internet this week as a plague of botnets launched a successful wave of denial of service attacks on Dyn, a dynamic domain name service provider. The attacks on Dyn propagated through to services such as Twitter (OK, no great loss), GitHub, The Verge, PlayStation Network, Box and Wix.
So here’s the problem. First, ‘retail internet security’ is a joke. Mainly because a) it relies on end users to secure it and b) even if the retail user did a good job, the software actually implementing the security functionality is invariably broken in some way. The example du jour is BusyBox, a cut-down embedded version of Linux, which regrettably also contains a security vulnerability which in turn can be exploited by botnets such as Bashlite. So remember all those IoT ‘things’ on home networks, oh, like say internet CCTVs or appliance switches? Well, if they use BusyBox or its like, it turns out they can be pwned to form a botnet and, as we found out this week, one capable of conducting a successful distributed denial of service attack on a DNS provider.
As I’ve pointed out previously, using an entire OS to do an embedded system’s job might be economically savvy, but security-wise it’s pretty dumb. Rolling that out into a thousand products and a million or more processing nodes goes from pretty dumb to criminally stupid. This is the reverse of the principle of economy of mechanism; call it the sin of ‘profligate mechanism’ or maybe the ‘stupidity of really big numbers’. Now of course the larger the installed base at risk, the larger the potential size of the botnet. All of which means it looks like we now have a plausible internet-level-effect cyber-weapon. What we’re talking about is an IoT botnet, a massively parallel array with the capability to execute multiple parallel attacks on DNS servers. If you’re of a really unpleasant frame of mind you’d write some white-hot botnet code with a hidden backdoor and then release variants onto the dark web, thereby allowing you to pwn the pwners (1). All this may sound like a funny anecdote when it’s just your Twitter account that’s been knocked out, but it becomes rapidly unfunny when you consider the degree to which modern life depends on the Internet working (2).
Now normally I’d be advocating the application of LANGSEC and other security principles, but I think we’ve gone beyond that point, as clearly no-one is listening and the IoT install base continues to grow at a dizzying rate. My vote is therefore that these sorts of attacks be treated just as seriously as any other act of terrorism. The traditional response to terrorism these days, of course, is to find out who we can blame and send a drone strike (3) wherever they may be; after all, the treaties of Westphalia only go so far (4).
This has been another dispatch from the frontline of the IoT.
1. See Rule 34 by Charlie Stross for a fuller treatment of this concept.
3. Or equivalent. Like for example making IoT vendors responsible for the criminal misuse of their products.
4. As much as Westphalian principles hold in this fractured century.