IoT devices turned into powerful weapons on the internet – Lessons for the heating industry!
Last week, the well-respected security website Krebs on Security was “shot” down by criminals with a sustained, gigantic flood of internet traffic. The site received free protection from Akamai, one of the largest internet companies in the world and an expert in mitigating such attacks. But even Akamai gave in after hours of fighting, as the costs were too high. As a result, Krebs on Security vanished from the net. According to reports, Akamai estimated the attack at 665Gbit per second – twice as big as the biggest they had ever seen before.
But the biggest news was not that Krebs on Security went down. It was that the attack was unusual: it did not mostly use misconfigured servers or malware-infected desktop computers. A large part of the traffic came from hundreds of thousands of IoT devices, which the criminals had taken over to attack a single website.
Today more and more consumer devices are network connected – from the smart TV to the fitness tracker, from the lighting system to smart thermostats. These IoT devices did not just create “junk traffic” but legitimate-looking requests to the Krebs on Security website, which made it practically impossible to filter them out.
This time it “only” targeted a website. But what will be a future target? Hospitals? National infrastructure? Military targets? Voting systems? Security technologist Bruce Schneier recently disclosed a growing attack on the core infrastructure of the internet itself: The DNS system, which is responsible for mapping human readable web addresses to IP addresses on the net. In his post "Someone Is Learning How to Take Down the Internet" Schneier details that someone – likely a nation state – was systematically testing the defenses around the core DNS system by launching ever increasing attacks against it.
So what does this all mean for the IoT and specifically for the heating industry? If you have followed me in recent years, you will certainly know that I am a big proponent of using sensors and the net to upgrade heating and cooling systems. There certainly is much to gain. But I have also always warned that security and privacy must be taken really seriously.
In a 2014 interview [4] tado° CEO Christian Deilmann downplayed the need for privacy and security. He argued that we should rather look at the opportunities that come from aggregating and analysing data. Unfortunately this thinking is common in our industry. And it is exactly this attitude which leads our industry to become an accomplice in internet attacks. If user comfort and product sales are put above common sense, our products will be wide open for criminals to misuse. We need to start thinking paranoid: What could possibly go wrong? Now, and in 5, 10 or 20 years from now? And how do we react to a vulnerability?
Apple has put a high burden on products that want to play in its smart home ecosystem. The required encryption is much stronger than what seems reasonable today. But Apple has thought of the long lifetime of some of these products and set the requirements accordingly. But even with Apple we should ask ourselves: How long will they support their products? The company has a history of rather abruptly abandoning devices and whole platforms (does anyone remember their switch from PowerPC to Intel chips?). And today they say that 5 years after discontinuation of a product, the product is considered “vintage”, with limited or no support. Do they force their users to throw away old Macs, iPods or iPhones? No, but de facto the hardware has become unusable. Such a timing would not work for heating systems, which are typically replaced only after 20+ years. It should worry us that reports are more and more often linking Apple with car manufacturing: “Sorry, your car is 6 years old, we do not support it anymore.” And of course, they do not open-source the software to let others fix old bugs.
So what should we do? We as an industry must take responsibility for our products. That means:
* Designing and producing products “secure by default”. Think of security like an onion: The system should not be wide-open to attack if one vulnerability is found. Several layers of protection should make it less likely that any one vulnerability is easily exploitable. Keep the attack surface small: Let the user turn on features only if he or she really needs it. Even if that makes your user's life a little more difficult.
* Let us try to join forces: Let us settle on one or two platforms that we jointly develop and support. Let's make them open source so that no one has to reinvent the wheel. If everyone develops their own security layers and own update mechanisms, many products will be more vulnerable – we see this in the Android ecosystem, where it often takes months for vendors to patch their individually adapted version of Android (if they ever provide patches).
* Accept that you cannot foresee the future: Your device will become vulnerable. It is only a question of time! Plan ahead! Have a clear upgrade strategy! How do security patches get on the device? Do you update the devices directly? Or can you at least signal a problem to their users? But be aware: registering a user for a heating system may not make sense. Will the user/owner still be the same in 10 years? And will their e-mail address still work? How will you reach them?
* Think also of how to deal with devices you cannot or do not want to support anymore. Are you willing to offer a free replacement?
Maybe we will in the end have to conclude that the user should not be the owner of the heating system anymore. Maybe we should speed up the slow trend toward contracting and “pay-per-kWh”. The manufacturer or a third party service provider stays the owner of the heating system and keeps it in good working condition. And guarantees – as well as possible – its security.
Otherwise we will see our products become members of ever-growing botnets, which can be used to take down anyone on the internet.
[4] Christian Deilmann in energynet Podcast No. 36, at approx. 12'30'': http://www.energynet.de/wp-content/uploads/podcast/energynet_Podcast36.mp3