Attacked by Our Toasters

Is there a connection between the FCC’s Open Internet regulations and the recent DDoS attacks on Brian Krebs, OVH, and Dyn DNS? A letter to FCC Chairman Tom Wheeler from Sen. Mark Warner (D, VA) suggests there is. In fact, there are multiple connections ranging from very general to very specific.

Big Picture Connection

In the big picture sense, the fact that net neutrality has dominated Internet policy discourse for a decade means that many other issues have been avoided. Many people have observed – myself included – that Internet policy discussions have tended to degenerate into “net neutrality food fights”. Because net neutrality is such a fuzzy, hypothetical problem it’s hard to drive these spats to a conclusion before they’ve drained all the oxygen from the room.

I shared this observation with a reporter a week ago, but it didn’t make it into her generally excellent story on the FCC [Note: I don’t see this as a policy site as much as a technology education platform.] If we hadn’t spent so much time trying to ensure that hypothetical fears didn’t materialize, we might have given more thought to shoring up the Internet’s security, extending service to unserved areas, and teaching people how to use and manage network devices and applications. This isn’t to say that policy makers didn’t spend any time at all on these issues, but simply that the attention wasn’t adequate.

The Internet is fundamentally insecure because its security model – to the extent that it has one at all – is end-to-end. This means the network is supposed to be a “dumb pipe” connecting smart devices. But many devices attached to the Internet today aren’t very smart – like toasters and video cameras. Even when devices are smart, users can undo their security with stupid passwords, such as the ones assigned at the factory. And devices without adequate basic security can find their intelligence – their software – compromised.

The ease with which millions of devices can be compromised means that the end-to-end security model must be replaced with a multi-level model where network elements on both the public and private portions of the Internet have designed-in protection against malicious forms of behavior by attached computers and other devices.

Now that the FCC has finally managed to write some net neutrality regulations that pass legal muster, we now need to have a broader discussion. But the letter from Sen. Warner (who co-chairs the Cybersecurity Caucus) suggests some changes may need to be made to the FCC’s Open Internet Order as well.

IoT Attacks

As security researcher Jeff Jarmoc observed on Twitter, the Internet enables our toasters to attack us.

This is not what the creators of the Internet had in mind. It was supposed to be a research network for a small group of trustworthy experts, but it worked too well. Thus, a fundamentally insecure network was pressed into service as a means of interconnecting the general public without much concern for the downsides. And here they are.

Three recent IoT attacks on security researcher Brian Krebs, French hosting service OVH, and Dyn DNS all utilized an open source botnet known as Mirai. Mirai used default passwords for IoT devices built by XiongMai Technologies to log in to cameras and take control. The company (which calls itself XM) has issued a press release denying total responsibility but also vowing to update software. Here’s what Krebs says:

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

XM denies some of this and threatens to sue people who blame it for the attacks. Krebs is studying the issue.
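The credential-based compromise described above is easy to spot in device logs if you know what to look for. The following detection script is an added example, not code from the original post or from Krebs or Flashpoint; it scans constructed syslog-style telnet login records for the root/xc3511 default the post quotes, reports which source addresses are trying it and which hosts have actually been logged into with it. The log line format and all addresses and hostnames are assumptions made up for the example.

```python
"""Flag Mirai-style default-credential telnet logins in device auth logs."""
import re
from collections import Counter

# Credential pairs to watch for. root/xc3511 is the XiongMai default the post
# quotes; a defender would extend this set from their own vendors' documentation.
WATCHED_CREDENTIALS = {("root", "xc3511")}

# Assumed (constructed) syslog-style line, e.g.:
#   Oct 21 12:00:01 cam01 telnetd[211]: login attempt user=root pass=xc3511 from=203.0.113.5 result=OK
LINE_RE = re.compile(
    r"(?P<host>\S+) telnetd\[\d+\]: login attempt "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) from=(?P<src>[0-9.]+) result=(?P<result>OK|FAIL)"
)

# Constructed sample log: two sources probing the default, one failure, one unrelated line.
SAMPLE_LOG = [
    "Oct 21 12:00:01 cam01 telnetd[211]: login attempt user=root pass=xc3511 from=203.0.113.5 result=OK",
    "Oct 21 12:00:03 cam01 telnetd[211]: login attempt user=admin pass=hunter2 from=198.51.100.7 result=FAIL",
    "Oct 21 12:00:04 cam02 telnetd[118]: login attempt user=root pass=xc3511 from=203.0.113.5 result=FAIL",
    "Oct 21 12:00:09 cam03 telnetd[140]: login attempt user=root pass=xc3511 from=203.0.113.9 result=OK",
    "Oct 21 12:00:10 cam03 sshd[77]: Accepted publickey for ops from 10.0.0.2",
]


def parse_line(line):
    """Return the fields of a telnet login record, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_default_credential_attempts(lines):
    """Count attempts per source IP that used a watched default credential (OK or FAIL)."""
    hits = Counter()
    for rec in map(parse_line, lines):
        if rec and (rec["user"], rec["pw"]) in WATCHED_CREDENTIALS:
            hits[rec["src"]] += 1
    return dict(hits)


def compromised_hosts(lines):
    """Hosts where a watched default credential actually succeeded: candidates for reset/isolation."""
    return {
        rec["host"]
        for rec in map(parse_line, lines)
        if rec and rec["result"] == "OK" and (rec["user"], rec["pw"]) in WATCHED_CREDENTIALS
    }


if __name__ == "__main__":
    print("probing sources:", find_default_credential_attempts(SAMPLE_LOG))
    print("hosts to reset:", compromised_hosts(SAMPLE_LOG))
```

Run against real device logs, the source counts feed a block list at the edge and the host set is the list of cameras whose factory password must be changed before they are reachable again.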

Flashpoint suggests that these attacks didn’t have a commercial motive, but were probably done for emotional reasons. Krebs exposed the business practices of some DDoS-for-hire services just before he was attacked, and I personally suspect the attackers were out for revenge. Krebs and Dyn DNS did some joint work on DDoS-for-hire services, and OVH was probably hosting some sites the attackers didn’t like.

The Warner Letter

Sen. Warner highlights the FCC’s dumb pipe belief as creating confusion on ISPs’ powers of mitigation:

Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of “non-harmful devices” to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the “network” – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.

Consequently, the senator puts the following question to Chairman Wheeler:

What types of network management practices are available for internet service providers to respond to DDoS threats? In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing “traffic that constitutes a denial-of-service attack on specific network infrastructure elements.” Is it your agency’s opinion that the Mirai attack has targeted “specific network infrastructure elements” to warrant a response from ISPs?

This brings us to the problem with net neutrality. These attacks did not target network infrastructure. The FCC has specifically denied that DNS is part of the Internet infrastructure. I addressed that problem in my amicus brief in the DC Circuit challenge so it’s quite clear (Check podcast here.) The FCC’s OIO presumes that users simply need to be protected from bad behavior to be free of interference with their Internet use, but I’ve always maintained that protecting users from other users is a more important consideration.

Consequently, the FCC needs to reformulate its rules with a more realistic – and less political – view of the dangers that bad actors can inflict on ordinary Internet users. It’s not ISPs who launch DDoS attacks, it’s criminals and sociopaths breaking the Internet’s security model from computers attached to the Internet. And they don’t directly attack the infrastructure, they simply render it unusable. So the FCC needs to drop the pretense that its role is to beat up on ISPs and deal with the Internet as it really is.

The Privacy Dimension

ISPs have the power to monitor Internet traffic streams for the signatures of abuse, but it’s not clear that users are willing to pay extra for such a “smart pipe” service any more than they’re willing to pay for gigabit Internet service at its actual cost. If they were, Google would probably not be shutting down its Google Fiber project and its leader would not have resigned. Scanning data streams for default passwords to XM Tech cameras raises questions about the opt-in required by the FCC’s proposed privacy rules.

The FCC clearly wasn’t thinking about security when it adopted Title II and its CPNI privacy rules. DDoS attacks are not an issue the legacy networks had to deal with; they are a fresh problem.

Will the FCC finally admit that the Internet is not simply the latest revision of the telephone network and reformulate its rules with the help of an updated Communications Act, or will it keep its head in the sand and pretend that everything new is really old? This will happen eventually because it must, but it would be nice for Washington to allow it to happen sooner rather than later.

We have more to fear from our toasters than from our ISPs and it’s high time the 8th floor of the FCC came to realize this.

UPDATE: Atlantic did a test that confirms the vulnerability of toasters, click here.