Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 16: the internet of things and the emergence of next generation DDoS attacks

Posted in business and convergent technologies, social networking and business by Timothy Platt on May 13, 2013

This is my sixteenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and loosely following for Parts 5-15.)

In a very real sense this is also a posting where I find myself writing out of order from what I have been intending, as circumstances intervene and provoke a rethinking of that. I had been planning to write to this blog about the internet of things for several months now, and I am still planning on doing so. But I see reason to start addressing that more general topic area here, and before building a more organized framework of discussion on it, with at least a brief discussion of its information security implications coming first.

In anticipation of that fuller discussion, I would divide the internet of things paradigm into two distinct if connectible approaches:

• The Internet 1.0 of Things, where more and more items and objects are tagged in ways that let them be connected into the internet and tracked through it.

This is, in its extreme, where every item or object that can be RFID tagged is, and anything that is not RFID tagged carries either a standard one-dimensional or a two-dimensional barcode. Think of this as enabling a universal supply chain capability; this is where the number of nodes on the internet could conceivably expand out from the billions of computers, tablets, handhelds, smart phones and the like of today to include trillions and more connected points – with all of those tagged items passively interacting as they are tracked and remotely inventoried for identity and position.

• The Internet 2.0 of Things, where more and more nodes and types of node are added that communicate bidirectionally with the internet and with other nodes, more actively and even proactively than simple ID tagging would allow.

This is where the dream house of tomorrow comes in, where a smart refrigerator would know that you have only one egg left and that you are about to run out of milk, and that you always want at least six eggs and a half quart of milk on hand – so it orders them as per routine programming from Fresh Direct, first verifying that you have not already done so. More real-world and here-and-now, this is where you can use a smart phone app and a smart, connected thermostat to raise the temperature of your house back up to the “return home” setting from a colder “away” setting on a winter weekday when you realize you will be getting home early. And for purposes of this posting that also includes an increasing number of devices that we do not think of as computers or as being connected to the internet per se at all – but that are. As an example there, I cite the cable box that so many of us have hooked up to our televisions for accessing and connecting into a programming content provider service such as Time Warner Cable. We tend to think of those boxes as being nodes in dedicated, special use systems – in this case limited to accessing television programming service. But those same set-top boxes can be used in combination with an internet service such as Netflix’s instant viewing service to access a streaming version of a movie – via the internet and directly to our televisions.

• The primary source of vulnerability that we all face in online and information security, and in computer systems security is always “the unexpected.”

When we as end users do not think of those cable boxes – or other online connected and connectible resources – as computers and as at least potential internet nodes, we do not think about securing them from outside access or control. When the cable service provider and others who send these resources out and set them up for their customers do not think about them that way either, each and every one of them, once set up and connected in, becomes a target of opportunity for black hat hackers.

The internet of things, and particularly in its 2.0 form, creates a whole new world of exploitable opportunity for black hat hackers, and particularly when the potential for this is left open and unexpected. And this brings me to the specific threat assessment topic of this posting: the emergence of a whole new type of distributed denial of service attack (DDoS) that capitalizes on the, in this case, distributed vulnerabilities of cable boxes and more, as new sources of third party controllable online activity – and with the capability for assembling larger botnets than ever before out of them.

We are already beginning to see this new and emerging arena of vulnerability being exploited, and certainly for those set-top cable boxes. The prospect of the fully wired home, with refrigerators and thermostats and more able to connect online for remote home-SCADA management, indicates that this arena of emerging vulnerability will only become more important. Imagine all of this as being vulnerable to outside botnet control – and that takes into account only household devices and resources, which on their own potentially number far more than all the desktop, laptop and other computers suborned in a traditional DDoS attack, and all the servers that would be targeted. Now add in the still wider potential for expanding this out in a more general internet of things, and particularly an internet 2.0 of things that is more generally and globally developed. And of course DDoS attacks represent only one possible form of attack here.

As I noted at the beginning, my original intent was to delve more into what an internet of things is first, and then with that as foundation turn to consider its security issues and how they might be addressed. But the order I am presenting this in here may in fact be the best, as:

• It is vitally important that potential information security and related issues be understood and addressed from the beginning, from initial design and implementation, rather than waiting until systems are in place and infrastructure built – when any response would have to be piecemeal and reactive.

I will add, in that context and as a historically all too well known example, that it is all too easy to spoof the actual identity of an email or other online content sender. That, in principle at least, could have been addressed and forestalled early on, even at the very beginning ARPANET stage of internet development when the initial core connectivity protocols were first being developed. That was not done; source authentication was not built into the core networking architecture of the internet from the beginning, and we are still dealing with the consequences of that lack of foresight as they continue to unfold.

I am going to start a series on the internet of things soon now, in follow-up to this posting. Meanwhile, you can find this and related information security-related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.

