Thanks, IoT vendors: your slack attitude will get regulators moving

Networks also need to grab a mirror and look at themselves

Last Friday's Mirai botnet attack against Dyn must force everybody's hands – vendors, regulators, and Internet infrastructure operators.

It's going to be a while before research gets as far as attribution to an attacker, but in the meantime, there's plenty of culpability to go around.

Two things are clear, however: the freewheeling idiots of the Internet of Things business need the fear of regulation put into them – and so do network owners and operators.


We don't just mean the specific vendor, XiongMai, named by Flashpoint as making the cameras exploited by Mirai. Buggy cameras and DVRs, to pick out just one product segment, are all over the place.

Since the White House asked Mudge to create a “Cyber UL” last year, the industry got busy with a flurry of activity designed, we suspect, to prove it could handle things without Washington getting involved.

Within a month, the industry formed a committee, in the Online Trust Alliance.

Then it formed another, the IoT Security Foundation.

Then another, the Open Connectivity Foundation.

The Industrial Internet Consortium, late to the party, recently came up with its own guidelines.

What are the outputs from all of these talking-shops? Nowhere near enough.

The Online Trust Alliance needed 15 months to finally come up with a vision for IoT security.

The IoT Security Foundation promises best practice guidelines by the end of this year.

The Open Connectivity Foundation has gone further, opening certification labs this month to let its members certify products (including one at Underwriters Laboratories in the US), and has published an open source software framework.

It's just as well for the various vendor love-ins that Mirai happened after last week's conference with the National Telecommunications and Information Administration, or vendors might have genuinely been hauled over the coals.

Why are there so many mostly slow-moving IoT security gatherings?

Partly it's because nobody wants to standardise their interfaces or APIs when Google (try Threading or Weaving your way to a thorough understanding of where Brillo fits, and why Nest doesn't like any of them), Apple (HomeKit), Samsung (SmartThings), LG (SmartThinQ), or Amazon still all reckon they can corner the market.

And as we said, partly it's probably to prove to the Feds that regulation isn't needed.

Too late, everybody: Mirai proves you're not going to march in step without a whip at your back. The world needs to know that your products can at least pass a standard, basic security test suite, and that they will get recalled if they can't.

And while things move slowly in Washington, we're heartened that Mudge's efforts have given rise to research that tries to quantify security risks.

Internet infrastructure companies

From the edge to the core, Internet minnows and whales knew that DNS can be blasted by a botnet, because it's happened before – when DNSChanger-infected PCs attacking the system were quarantined in a then-unprecedented cooperation between Internet companies and the FBI.

Paul Vixie was at the heart of that response, and is so disheartened by things that in March of this year, he suggested governments get involved, by way of penalties for network operators that don't block attack traffic.

The Internet Society (ISOC) warned last year that the Internet is in danger from the IoT, and while it's put forward routing security proposals, the MANRS initiative needs a lot more members before it could prevent something like the Dyn outage.

ISOC warned in 2014 that network owners' failure to implement the BCP 38 anti-spoofing standard (authored in 2000) puts the Internet at risk.
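To make concrete what "implementing BCP 38" asks of a network operator, here is an added example (not code from the article or from ISOC) that models the ingress-filtering rule of BCP 38 (RFC 2827): a packet arriving on a customer-facing interface is forwarded only if its source address falls inside a prefix assigned to that interface; any other source is treated as spoofed and dropped. The interface names, the prefix table and the sample packets are constructed for illustration and use the RFC 5737 / RFC 3849 documentation address ranges.

```python
"""Added example: a minimal model of BCP 38 / RFC 2827 ingress filtering.
Not the article's code; interface names, prefixes and packets are constructed."""

import ipaddress
from dataclasses import dataclass

# Hypothetical edge-router table: ingress interface -> prefixes assigned to it.
ASSIGNED_PREFIXES = {
    "cust-eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth2": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("2001:db8:10::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as written in the IP header
    dst: str       # destination address


def source_is_legitimate(pkt: Packet, table=ASSIGNED_PREFIXES) -> bool:
    """The BCP 38 check: True only if the source address belongs to a prefix
    assigned to the interface the packet came in on. Address-family mismatches
    (an IPv4 source against an IPv6 prefix) evaluate to False automatically."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed source: never forward it
    return any(src in net for net in table.get(pkt.ingress, []))


def ingress_filter(packets, table=ASSIGNED_PREFIXES):
    """Split incoming packets into those to forward and those to drop."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_legitimate(pkt, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: one honest packet per customer port, plus a forged
# source, a source borrowed from the other customer's range, and a packet from
# an interface with no assigned prefixes at all.
SAMPLE_PACKETS = [
    Packet("cust-eth1", "203.0.113.10", "192.0.2.53"),        # legitimate
    Packet("cust-eth2", "2001:db8:10::5", "2001:db8:ff::1"),  # legitimate (v6)
    Packet("cust-eth1", "192.0.2.200", "192.0.2.53"),         # spoofed source
    Packet("cust-eth1", "198.51.100.9", "192.0.2.53"),        # other customer's range
    Packet("cust-eth9", "203.0.113.10", "192.0.2.53"),        # unknown interface
]


def demo():
    """Run the filter over the sample traffic; returns (forwarded, dropped) counts."""
    forwarded, dropped = ingress_filter(SAMPLE_PACKETS)
    for pkt in dropped:
        print(f"DROP  {pkt.ingress}: src {pkt.src} is not assigned to this interface")
    for pkt in forwarded:
        print(f"PASS  {pkt.ingress}: src {pkt.src} -> {pkt.dst}")
    return len(forwarded), len(dropped)


if __name__ == "__main__":
    demo()
```

On real routers the same rule is expressed as an ingress ACL or as unicast reverse-path forwarding (uRPF) rather than as code; the point of the model is that the check is cheap and purely local to the edge, which is why its absence after 16 years is a choice rather than a technical obstacle.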

It's no surprise, though: another key measure to secure the DNS, DNSSEC, was first written in 1997 and after nearly 20 years has gone almost nowhere.

DNSChanger proved that network operators can put responses in place: that Dyn succumbed to the Mirai botnet is because operators chose not to.

The Internet is too embedded in nearly every business operation to tolerate repeats of the Dyn attack.

Operators who have long known how to protect the DNS, and IoT vendors who don't care about security, are both inviting the heavy hand of regulation. ®


Biting the hand that feeds IT © 1998–2021