Experts keep talking about the vast range of vulnerabilities and threats made possible by the internet of things, but those threats themselves often turn out to be the same ones security experts have been battling for decades — except this time, without obvious ways to mitigate them.
Tod Beardsley, director of research, and Rebekah Brown, threat intelligence lead, both at Rapid7, sat down with SearchSecurity last November at Rapid7’s UNITED 2016 event in Boston. In the first part of the interview, Brown and Beardsley talked about the implications of recent Mirai botnet attacks and traded pen-testing war stories. In the second installment, the two experts shared their views on vulnerability disclosure and bug bounty programs, and how those programs address IoT security issues.
In this final part of the interview, Beardsley and Brown dig much deeper into the ways IoT security issues are affecting IoT consumers — from car buyers to patients who need connected medical devices.
Editor’s note: This transcript has been edited for clarity and length.
Let’s go back to IoT security issues again. We’ve got billions of things out there, with serious vulnerabilities in them. Are there any approaches we can take to mitigate the threat without just saying, ‘This is bad; throw it in the garbage?’
Rebekah Brown: I think taking a threat-based approach. I don’t ever want to say, ‘Hey, cool, you can monitor different threats, so you don’t have to fix things.’ Because, eventually, the threats and the attackers will find a way around your mitigations and your preventions.
We’re seeing examples where most people are on a 30-day patch cycle. So, if a new patch comes out for a vulnerability, [then] you can reasonably assume — if everything’s on track — in 30 days, they’ll be good. But we’re seeing these rolled into exploit kits like two [or] three days later. So, there’s a huge delta there between when it’s being exploited and when we can reasonably expect someone to patch for it.
And in those situations, if you understand and you know who is using it, [you can ask] how is it being used? And what signs can I look for? What artifacts? Or, what will tell me that somebody is trying to exploit this? You can put in some temporary mitigations and temporary blocks and preventions to stop that. But you still want to patch it. I think there are some examples where that might work, but again, attackers are creative. They’re going to realize what we’re doing, and they’re going to find a way around it. So, it’s not a permanent solution ever.
New cars now turning into IoT security issues
Tod Beardsley: As a consumer of IoT, I think a lot of it is just being mindful of the capabilities. So, one: [Be] mindful of where your devices are. I know, eventually, we’re all going to lose track, because we’ll just all be made of computernium and everything will be a ‘thing’ on the internet.
But, secondly, don’t ever, ever trust the defaults. That’s the big takeaway of Mirai, right? Default security is not security. Until we get to a place where it’s culturally normal to always have random passwords on first boot, and it doesn’t actually work until you click through a thing, that forces something. Because right now, it’s very much the usability issue of [saying], ‘I want to buy a thing, plug it into my network and then not touch it ever again. It just works, and I can then order pizza on it or whatever.’
Ultimately, this is a design issue. This is a [user experience] issue. It’s not strictly a security issue, but when your UX prohibits you or discourages you from doing the right thing, then that itself is a bug — it’s a usability bug. Routers, home routers very rarely will prompt you for things — [it’s] like you go buy one, you plug it in and you’re done. That’s a recipe for disaster. So, I would much rather people take that five minutes when they first get the thing and they unwrap it, and they look at the quick-start guide — because no one reads a manual — and part of that setup process is unique passwords, default encryption … all those things.
Brown: Did I tell you my car story?
Brown: This terrified me. This was from two weeks ago. I bought a new car, super awesome. My car has Wi-Fi; the kids are very happy.
Beardsley: Of course it does.
Brown: Of course it does. As I was going through the process of setting up the Wi-Fi, they have you call the person who’s going to enable it. And [they say], ‘OK, let’s set you up. You have to have your network name. Now, we recommend you use your last name.’
Beardsley: Of course you do.
Brown: What? No, I’m more clever than that. So, I said, ‘No, here’s what I want to use for it.’ She was like, ‘Oh, OK.’ And [she] said, ‘OK, now you should have a password to secure it. We recommend you use your phone number.’
And I [said], ‘Are you kidding me? You’re setting people up right now with their SSID as their last name, and their password is their phone number on their car Wi-Fi?’ And [she said], ‘Yeah, it’s easy for them to remember.’
I think she might be introducing some problems here into this situation. And, again, I couldn’t believe that that was the default. So, a consumer who’s trying to do the right thing is still going to be less safe.
It’s a very small key space. If I don’t know your last name, your phone number, I could probably get some pretty good guesses.
Time to stop blaming users for IoT security issues
Everyone in this room, we know that when we get a router, we should put up a strong password. And we can sit there and download an updated image. But most consumers aren’t doing that, so is there any way around it?
Beardsley: Yeah, and we have to stop blaming the consumer for this … This is not a consumer problem. It’s the manufacturer’s problem, for sure. It is on the manufacturers of these devices to strike a balance that recognizes the modern world. At one point, it was super fine to be using Telnet and have a password of …
Beardsley: Or, ‘autumn2016.’ Like, that’s a fine password. Please use that if you ever want to get owned.
There was a time where that was OK. I’m happy to admit it — and that time is in the past. And it will never come again. And, so, vendors have to take it upon themselves to solve this, because it’s only so long where you can keep blaming user error. Because if the user error is they’re doing all the defaults and, therefore, they’re insecure, then that is [on] the designer. I can’t stress that enough.
Things like this wireless mouse, which is subject to the MouseJack vulnerability — how do we deal with all these things? How do we make sure we can safely mitigate these IoT security issues? Do we have to throw them all out faster?
Beardsley: We have a long-tail legacy on the internet. There’s a lot of legacy stuff; that’s why we still have millions of Telnet servers on the internet.
Brown: And it’s not as easy as buying a new tape recorder. Some of these devices, especially when you talk about some of the manufacturing equipment, they buy that intending to use it for 20 years because it’s that expensive. They don’t have it in their budget for another five years to get a new one. And, so, we are still going to see those. I don’t think that, ‘We’ll just buy a new one,’ is really the best option.
Beardsley: Yeah, it fails on both fronts. A, it’s expensive. And B, you’re never going to get rid of all the old stuff anyway. I think it’s crucial that there is at least some way to patch these things.
The thing that makes the IoT interesting is the ‘I’ part. It’s on the internet. If you’re already on the internet, I’m positive you can use whatever channel that is to also distribute patches, and doing it in a secure way, and make sure everything’s signed, and all that other stuff. But it is absolutely possible.
I know that your first [generation] is probably not going to have that, but your second gen really ought to. If you’re going to be willfully unable to get patches out and get updates out, and firmware updates for everything, then you’re asking for trouble. Because like we all know, we ship bugs, and once you’re in a position where you shipped an unfixable bug, that’s not a great position to be in.
Brown: It’s going to be on you, yeah.
So, speaking of unfixable bugs, there was the AtomBombing code injection attack recently, which has apparently been in all versions of Windows since Windows 2000. And the initial report said that this isn’t mitigatable.
Beardsley: I’m sure it is.
Are there bugs that can’t be fixed, or is it just a question of we haven’t figured it out yet?
Beardsley: I sure hope it’s the latter. I take it on [as] an article of faith. Like I said, we have a bunch of legacy devices out on the internet, [and] Windows 2000, that will never go away. And in that case, now you have to rely on the resiliency of the network. And you have to rely on the actionability.
Brown: Yeah, and I think there are some situations where there are other things in place. And it could be a situation like you see in a Windows 2000; they’re not fixing it. They might be able to, but it’s not supported anymore, so it’s not going to get fixed in that particular manner. But if it’s on your network, there should be other things you can do, at least while you’re hopefully making that case to your leadership that we should probably replace these.
Beardsley: And it’s tough, but I do think that internet service providers can play a role here. BCP 38, Best Current Practice 38, says that you should filter spoofed IP addresses. And this has been around for, what, 20 years? And the [internet service providers] ought to be doing things like that. So, there are choke points on the internet. The trick is finding that balance between something that’s reasonably secure and something that still encourages innovation. We would not have the internet we have today unless TCP/IP was so permissive. It just wouldn’t happen, until you can’t see this as a positive. Yeah, everything we’ve put out is kind of broken and barely works, but, boy …
Brown: You’ve done some awesome stuff with this still.
Beardsley: … It sure still seems good enough to me.
Let’s talk about IPv6. I’ve been told that it may be possible to use source routing headers in IPv6 to guide packets through different services on their way to the destination in such a way that you could implement security applications that direct every inbound packet to a firewall or other type of security service. Thoughts?
Beardsley: I remember the days of permissive source routing for IPv4. Wait, you’re going to let me tell you where to put my packet? Cool, that’s great for an attacker.
Brown: But can it be great for [a] defender?
Beardsley: I don’t know, man. I feel like IPv6 is a toy box for attackers. It is not designed for security.
IPv6, its sole design concern really was vanishing IP [address] space. Vanishing IP space gave us NAT, which is one of the greatest things ever. Network address translation lets me have 10 devices in my house behind one IP address, and you don’t get to talk to them unless I talk to you first.
This is the best kind of firewall there is. And in an IPv6 world, where every ounce of matter gets its own addressable space, that goes away. You don’t need NAT anymore. We have a very strong notion now [about] what’s on the internet and what’s off of the internet — most people don’t think of the innards of their house being really on the internet. IPv6 gets rid of that.
So, between the very strong temptation to just [say], ‘Slap an IP address on it,’ and this whole business about getting the source route to your things, too, you get some extra crypto and all that jazz with IPv6. But, man, just getting rid of this addressing bottleneck is … it was an accidental security feature that we depend on today.
Meaning the NAT.
Beardsley: The NAT, absolutely. Best firewall ever.
And yet, 10 or 15 years ago, people were saying, ‘NAT?’
Beardsley: Oh, it will break the internet. I can’t ping you.
Come on. Seriously? Do you really want to ping me? And that’s the thing. Our understanding of the internet is different. The internet is designed where everyone’s up here. You have clients and servers, but everyone can talk to everyone. And it’s very meshy, and it’s designed this way because it gets you redundancy and it gets you on-the-fly routing. But, now, we live in a different time.
Brown: We don’t want everyone to be able to talk to everyone on the internet.