IoT – Pioneering in a Weird Diversified Landscape

The eco Association service botfree.eu offers end users free tools and support for detecting and removing malware from their computers and mobile devices. Based on the model of the eco Association’s successful botfrei.de anti-botnet advisory center, a further 10 new national botnet prevention services have been set up in Europe and Africa. dotmagazine spoke to Peter Meyer, Head of Cyber Security Services at the eco Association, to find out about the impact of botnets on the security of Internet infrastructure, and security issues in the burgeoning Internet of Things.

DOTMAGAZINE: We’ve heard reports in recent months of increasingly severe DDoS attacks taking major Internet giants offline. Do you think that the public is starting to see the importance and the impact of security on Internet infrastructure?

PETER MEYER: I think we see a common trend in IT security awareness going back to 2009, starting with Conficker, which was the first mainstream security incident that made headlines in the major news. Awareness has been growing throughout the years, but it always needs an incident of some kind to bring it to public attention. Over the last year, cyber security has become more and more important, and major companies are already aware of the problem. Now the focus is really to bring it to the broader public – especially the SMEs. As we see it, the smaller a company is, the more important it is for us to reach out.

DOT: Are such attacks merely a costly inconvenience, or do they pose a real threat to our global infrastructure?

MEYER: I think both are true. There are certainly DDoS attacks that are more or less customized, targeting a specific company. This is often combined with blackmailing – for example, bringing down a web shop. In these cases, I don’t see a global impact. But in other cases – attacks against ISPs, for example, or the recent Dyn case – they can have a major impact on global infrastructure. A range of infrastructure services have been identified as critical infrastructure, with good reason, and if a DDoS attack targets one of these, it can have a global impact.

DOT: Recent large-scale DDoS attacks have made use of hijacked Internet of Things devices – for example, the Mirai botnet. What needs to be done to make IoT devices – new and older ones – more secure?

MEYER: There are two different approaches needed. Actually, there is no discussion that Internet of Things devices need a security focus and that their development really needs to start from scratch to make these devices secure. The problem is that this is a new frontier for the market and everybody wants to connect everything to the Internet. It’s a kind of experimental phase with no previous experience, so, for most companies, the first priority is to bring these devices to the market and connect them to the Internet – and security currently does not play much of a role. There are a few IoT devices that have been connected to the Internet for many years. We can debate whether a fridge really needs an Internet connection, or a hairdryer. Maybe, maybe not.

But looking at things like smart homes, there’s definitely a need to access the Internet. At the same time, these things also need to be safe. There are a couple of things that companies need to be considering when programming the devices. First of all, they should absolutely not have pre-coded, hard-coded 3-digit passwords that users are unable to change. We’ve seen these get rolled out to a couple of million devices, and they give the user no chance to change or even to see any type of password.

The other thing we need to do, looking into the future, is to find a solution for making these devices – the ones that are already out there in homes and companies – safe. Added to this, the IPv6 protocol needs to be considered – soon, every single fridge etc. will have its own IP address, which will also change the game.  

But, to be honest, there is really no idea of how to fix the devices that are currently infected. Looking at a Windows computer, for example, DDoS attacks are not new. They’ve been around for almost a decade. Basically, the mitigation process is that you use an antivirus program which detects the malware, then you install a tool and scan your complete computer and ideally also the network – and you do this all at the push of a button. This is possible because these devices use standard platforms like Windows – or Linux for the routers, for example – and there are common tools available. If you look at the Internet of Things, you have multiple platforms – some of them work on Linux, some of them have a proprietary operating system, etc. It’s a really weird huge diversified landscape. There is no standard tool that I can install that will fix my fridge, my webcam, my router, my hairdryer, or whatever else that’s out there. 

Given this, there’s really no idea how to remove the malware from the Mirai botnet right now.  There are some suggestions in the Internet for removing the malware – by using a Nematoden worm, for example. This would basically be another kind of virus which would infect these computers and disable the Mirai infection. But this is a dirty approach, because even if the authorities – the police, or the ISP responsible – take action, trying to install a virus on someone else’s systems is in itself hacking, and it’s illegal in most countries.

As a result, there is a lot of discussion at the moment about how to get rid of Mirai. The problem is that even if the Mirai botnet, for example, gets brought down, and the command and control servers get shut off, we still have a huge number of infected devices out there, and it’s quite obvious that somebody will build up new command and control servers and take over this big army of bots again. What makes it even worse is that the source code of Mirai was published on the Internet, so it’s quite probable that the Mirai botnet might be on the Internet – in a new version – just weeks after a possible takedown.

DOT: While we’re talking about the Internet of Things, what do you see as the benefits and dangers of sectors like the health sector becoming “smart”?

MEYER: Connectivity has a lot of benefits. For example, tracking your biometrics – if you have diabetes, you can have a device that makes it possible to automatically to submit your blood sugar level to your doctor and he can proactively inform you if something’s wrong. The same goes, for example, for a pacemaker for your heart – this could get monitored by a doctor to detect if something’s wrong. There are a lot interesting ways that IoT and connected e-health devices can help everybody save costs or time waiting in the doctor’s surgery. But, on the other side, you certainly have security and privacy issues. If nobody has put any security mechanisms into the system, it’s technically and theoretically possible to hack a pacemaker and kill that person. I think it’s always important to find a good balance between security and privacy on the one hand, and the benefits on the other, but each new technology also comes with risks.

DOT: Perhaps we missed the boat with the Internet of Things, but how can this development be undertaken securely for e-health?

MEYER: Societies always question who is in the end responsible. I mentioned before that there is a lot of pioneering enthusiasm in developing new technologies, connecting things, and so on. But this is a global issue. Devices are developed in China, in the US, in Europe, etc., and there is no entity that defines standards. I think that is where we need to go. It’s like the CE certification for power plugs for example (a European certificate, but it’s also in the US. It’s on every electronic device that gets plugged into the power – certifying that it’s safe, that the plastic won’t melt, etc., and you need to get this certification before you bring electrical products to the market.) I think such a certification would also be beneficial for the Internet of Things from the security perspective. It is quite complicated to implement such standards and quality levels, and I think it will be a matter of some years – maybe up to a decade – until we get to a point where these standards apply. Then you still have the issue that it needs to be a global approach, and as you can see, there are a lot of electronic devices sold from Asia that could, for example, manipulate the certifications, etc. It will take an enormous effort and investment to ensure that these standards are applied to every device. So it’s a big challenge. I hope we’ll get to this point soon, but it’s still a long way to go.

Meet the eco team at the RSA in San Francisco in February!
Peter Meyer and Cornelia Schildt will be on location in the German Pavillion on February 13 – 17 2017. Meet them there to talk about how the eco Association can support your entry into the German market.