Anyone using the internet in Europe and the US on 21st October last year experienced what economists call an externality.
It arrived in the form of a massive 1.2 Tbps DDoS attack on Dyn, a US-based internet infrastructure company. This, in turn, triggered outages at multiple sites – including PayPal, Twitter, Amazon and Netflix.
The attack was carried out using a piece of malware called Mirai, which coordinated millions of compromised IP-connected devices, including DVRs and cameras. According to the security firm Flashpoint, the likely authors of the attack were talented amateurs: script kiddies.
Security breaches always impose a cost on innocent parties. Most consumers would describe this as a variant on Murphy’s Law. PayPal, Twitter, Amazon and Netflix probably view it as economic sabotage. Economists, by contrast, use the e-word to describe this kind of thing. Externalities are the hidden costs of doing business that tell us markets are working imperfectly.
Whatever you want to call it, the risks involved in IoT security are immense. If Netflix goes dark while you are watching a box set, that’s one thing. If pacemakers crash and automobiles veer off course, that’s something very different. At the point where the digital world blurs into the physical, risks to human life become evident. For obvious reasons, the Dyn attack sparked a high-level debate about the state of IoT security.
So here’s a question: in IoT, who is responsible for closing down the space in which externalities like DDoS attacks can occur?
Clearly, the script kiddies have a lot to answer for (though it remains unlikely that they will pay a penalty). This leaves us with two targets:
It’s easy enough for us, inside the industry, to criticise consumers.
But take a look at the scale of the attack surface generated by ignorance. It’s enormous. In a recent survey, which you can read about in more detail in this white paper, we asked consumers for their views on the security of connected devices. Here’s what they told us:
It’s clear that we will have our work cut out to educate a sufficiently large number of individuals – at the minimum – about the need to change default credentials and install firmware updates.
So let’s turn to the device vendors who understand IoT security risks, but don’t mitigate them.
Clearly, these vendors have the power to close down the space for externalities like IoT-mediated DDoS attacks. (For an overview of what’s wrong with cheap consumer IoT devices, take a look at this post by Ray Krebs, who himself was the victim of a similar IoT-mediated DDoS attack last September.)
Now it’s perfectly understandable to read an analysis like this and leap straight to the recommendation that regulation is the answer.
Among those urging us down this route is Bruce Schneier, the veteran security analyst and thinker. In a long essay last month, Schneier wrote: “Regulations are necessary, important, and complex; and they’re coming. We can’t afford to ignore these issues until it’s too late.”
Schneier may well be correct. Regulation is the classic response to externalities and market failure. But once again, this will be an enormous undertaking. Governments don’t move fast. And they are already well behind the pace of IoT deployment.
So where does this leave us? Well, in addition to clueless consumers and slow-moving government, there’s a third option for mitigation: the possibility of better and smarter architectures – at network and device level.
Innovation may not be the only solution, but it will play a major role in securing the IoT. With that in mind, we suggest you take a look at Ubuntu Core – a tiny version of Ubuntu designed specifically for IoT.
While we wait for consumers to get educated, and for governments to do their thing, let’s build a better IoT, using a purpose-built OS that takes security seriously: Ubuntu Core.
Learn more about current approaches to IoT security and why they aren’t working in Taking charge of the IoT’s security vulnerabilities