IoT and the NAP

Is it a violation of the Non-Aggression Principle to proactively infect a vulnerable connected device?

“Internet of Things” is a term used to describe a class of products that are connected to the internet and can perform certain tasks.

For example, the so-called “smart lightbulb” that, when merely screwed in to a socket, allows you to turn it on and off or change its color using your smart phone. Even when you’re not home.

Other such devices include surveillance cameras, thermostats, refrigerators, doorbells, your washer and dryer, even shower heads.

Many of these IoT devices contain a computer running a full-blown operating system, usually Linux. The device attaches to your home network over Wi-Fi, and then establishes a connection to a centralized service, or just exposes itself to the internet so your smart phone can see it and control it.

But that easy control carries a considerable risk. Whenever any computer is exposed to the internet, it is vulnerable to attack.

And that has happened. On a large scale.

One type of attack is the building of a “botnet”, where a bad actor infects a massive number of vulnerable devices with software code that listens to a central command-and-control center and can perform certain tasks when commanded.

These infected machines still work, as far as the owner is concerned. Light bulbs light, cameras surveil. But lurking in the background of these infected devices is a bot just waiting for instructions.

One such botnet is called “Mirai”, which controls more than 200,000 devices. It was invoked last year against Brian Krebs, a security researcher. The attack was a particularly virulent “distributed denial of service” (DDoS) attack. On command from the central command-and-control server, the bots were instructed to send messages to Krebs’ site. Because of its distributed nature, the victim’s site could not block any particular attacking address, and shutting down all of them would mean legitimate traffic couldn’t go through.

A similar attack was made recently against Dyn, a company that provides internet address resolution services. The Dyn attack resulted in millions of users not being able to navigate the world wide web for several hours.

These two attacks are examples of a relatively small program running in an unprotected device. While the attack is going on, the device’s owners would probably not even notice any degradation of the device’s functionality. It is the sheer number of devices, not the sophistication of each bot, that wreaks havoc on the internet.
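To make the “sheer number, not sophistication” point concrete, here is an added example (Python, written for this page, not code from the original post or from any of the botnets it describes). It builds a constructed access log in which a few hundred bots each send only two requests while a handful of real users send five each, then applies the two detection rules a site operator might reach for: a per-source block threshold, and an aggregate rule that watches request rate and the number of distinct sources per second. The addresses, thresholds and log format are all assumptions made for the example.

```python
"""Why per-address blocking fails against a distributed botnet flood.

Constructed example: a synthetic access log is generated in code, then two
detection rules run over it.  Rule 1 (per-source threshold) never fires,
because each bot sends only a couple of requests.  Rule 2 (aggregate rate
and distinct-source count per second) does fire, which is the signal a
defender actually has to work with.
"""
from collections import Counter, defaultdict

# Assumed thresholds for the example site.
PER_SOURCE_LIMIT = 20         # requests per source before a per-IP block rule fires
BASELINE_RPS = 50             # assumed normal request rate per second
DISTINCT_SOURCE_LIMIT = 100   # assumed normal number of distinct clients per second


def build_constructed_log(num_bots=300, bot_requests=2, num_users=3, user_requests=5):
    """Return constructed log lines of the form '<epoch_second> <ip> <method> <path>'.

    Bots use constructed 10.x.y.z addresses and each sends `bot_requests`
    requests spread across a 3-second window.  Legitimate users use the
    RFC 5737 documentation range 192.0.2.0/24 and each sends more requests
    than any bot, but there are only a few of them.
    """
    lines = []
    base = 1_700_000_000
    for i in range(num_bots):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for r in range(bot_requests):
            sec = base + (i + r) % 3
            lines.append(f"{sec} {ip} GET /")
    for u in range(num_users):
        ip = f"192.0.2.{u + 1}"
        for r in range(user_requests):
            sec = base + r % 3
            lines.append(f"{sec} {ip} GET /page{r}")
    return lines


def parse_line(line):
    """Split one constructed log line into (epoch_second, ip, path)."""
    ts, ip, _method, path = line.split(" ", 3)
    return int(ts), ip, path


def per_source_blocks(lines, limit=PER_SOURCE_LIMIT):
    """Rule 1: return the set of sources that exceed `limit` requests in the log.

    This is the classic 'block the noisy IP' rule.  Against a botnet where
    every bot stays under the limit it returns nothing to block.
    """
    counts = Counter(parse_line(line)[1] for line in lines)
    return {ip for ip, n in counts.items() if n > limit}


def aggregate_alerts(lines, baseline_rps=BASELINE_RPS, distinct_limit=DISTINCT_SOURCE_LIMIT):
    """Rule 2: return {second: (requests, distinct_sources)} for every
    one-second window whose request count or distinct-source count is
    above the assumed baseline.  Many low-rate sources show up here as a
    jump in distinct sources even when no single source is abusive.
    """
    by_sec = defaultdict(list)
    for line in lines:
        ts, ip, _path = parse_line(line)
        by_sec[ts].append(ip)
    alerts = {}
    for sec, ips in sorted(by_sec.items()):
        requests, distinct = len(ips), len(set(ips))
        if requests > baseline_rps or distinct > distinct_limit:
            alerts[sec] = (requests, distinct)
    return alerts


if __name__ == "__main__":
    log = build_constructed_log()
    print("per-source blocks:", per_source_blocks(log) or "none")
    for sec, (n, d) in aggregate_alerts(log).items():
        print(f"second {sec}: {n} requests from {d} distinct sources")
```

The practical lesson for the defender is the one the paragraph draws: the signal lives in the aggregate (request rate and distinct-source count), not in any one address, so the response has to be upstream rate limiting or absorbing the traffic, not a per-IP block list.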

It’s clear that the party responsible for infecting these insecure devices and then coordinating an attack is guilty of initiating aggression, probably starting with trespassing. But how far can we go to defend ourselves against this type of attack?

One solution would be for the owners of these devices to secure their devices to make it more difficult for the botnet infection to hit them. Sort of like putting a lock on your front door.

That’s a tall order, because what kind of normal consumer understands security and goes through the steps to harden their toaster against attack?

Another solution would be for the vendors to install better security. Unbelievably, many of these devices have identical default passwords that are well known in the hacker community. Vendors could also be responsible and send updates to their devices when security flaws are found. This is how your PC or Mac is defended, and many vendors of smart devices use this model.

For example, the camera sold by Nest is connected to their servers. It sends encrypted video data that can be accessed on your smart phone or a web site. Nest updates your camera if it finds a security vulnerability.

But this comes at a cost. The NestCam is about $200, and the monitoring and updating service is $100 per year. Cheap wifi cameras from China can be purchased for under a hundred dollars with no annual fee. The utility of these cheap cameras is similar to what Nest provides, so why would a consumer pay more for the Nest? They have no idea that they are vulnerable to start, and a participant in a worldwide attack when infected.

With that background let’s talk about possible defensive actions.

There’s another botnet in the wild that is looking for vulnerable devices. This botnet, dubbed Hajime, has a much more sophisticated, distributed command-and-control, making it much harder to find. Plus, it uses the dark internet (Tor) to send instructions to its bots. Hajime is believed to have infected more than 300,000 devices.

One of the notable features of the Hajime botnet is that, once it finds a vulnerable host, it shuts the door behind it, denying access to other competing botnets.

The interesting thing about the Hajime botnet is that it appears to be defensive in nature. Such activities are still illegal in most places, so the author or authors are not identifying themselves. But there is speculation, based on the nature of the botnet and some cryptic messages sent, that the botnet is designed to infect vulnerable users and prevent malicious botnets from attacking.

This is still a bit unsettling, however. Even though the initial infection is benign, it is still an active botnet with a robust command-and-control. Who is to say that the people behind this aren’t lying? Or what if they are offered big money to turn their asset to the dark side? Or what if someone with less noble intentions gets control of this already established botnet? Bad news all around.

Which brings us to my favorite new development: BrickerBots. The reason these IoT botnets are able to gain a foothold is that the manufacturers have been lax in securing their devices. We know enough about internet security that it is relatively easy to at least patch some pretty gaping security holes in these devices. It is professional negligence to release a product that has such potential for abuse.

But some manufacturers don’t really seem to care because once they sell the product, they wash their hands of it. Well, what if that decision came back to bite them?

A BrickerBot is a member of a botnet, just like the ones I described above. But when it infects a device, it “bricks” it. That is, it renders the device useless as a brick by deleting all the files and closing all the ports. One day, your baby monitor stops working and you don’t know why.

The good thing about a BrickerBot is that there’s no way it can later be turned to evil, as the Hajime botnet could be. Another good thing for the world, if not for the owner of the device, is that it removes the device from the pool of potential bots that can be used to attack victims.

The BrickerBot philosophy is to get consumers to force vendors to provide better security for their devices. If a vendor suddenly gets thousands of returns of devices that no longer work, perhaps they’ll get the message that they need to better secure the next batch.

So that’s the situation out in the field. What about the Non-Aggression Principle? The Mirai botnet is clearly trespassing on private property. It is using that property to perform an act that the owner probably would not do if given the choice. Clearly a violation of the NAP.

The second case, the initially benign Hajime botnet, is also trespassing, but it is doing it for reasons that could be aligned with the owner of the device. A statist might say that Hajime is being installed “for your own good”. It is a bit unsettling, though, that it is an active botnet and could be turned at a moment’s notice.

The third case, BrickerBot, is also a clear case of trespassing, and it is doing something that is clearly not in the best short-term interests of the owner of the device. But it could be creating a better, more secure future for everyone.

So is this a violation of the NAP? Or is it a fully justified act of defense? If someone points a gun at your face but doesn’t touch you, you are justified in using force to avoid a clear and present threat. In the environment of IoT botnets, could a vulnerable device be considered a clear and present threat to the rest of the internet?
