I recently had the opportunity to sit down with two of F5’s top threat researchers, Sara Boddy and Justin Shattuck, to pick their brains about IoT, its current state of “security,” and what we can expect to see in terms of threats, attacks, and mitigations in the future. Justin and Sara are co-authors of three IoT threat research reports published by F5 Labs.
Q: What brought you to the point of doing this research on the Internet of Things (IoT)?
Justin: That’s an interesting question because, as a researcher, I don’t look at IoT the same way most people do. The media typically talks about IoT in terms of WiFi devices connected to the Internet— whether it’s DVRs, IP cameras, or smart baby monitors—and, in some ways, creates a lot of hysteria and confusion around IoT. I see IoT as an evolution. Today, my research has moved beyond WiFi. I’m looking at devices on other radio frequencies, such as cellular—research with devices that serve as entry points into what IoT truly is.
So, the WiFi aspect of “IoT” seems like a long time ago for me, but at the same time, it’s an ongoing problem that we’re going to face and still have to try to find solutions for. Forbes did a great article recently on IoT initiatives and how 95% of companies plan to deploy IoT devices in the next three years. If the vast majority of companies are planning to do put stuff on the Internet and use IoT, it’s going to make our lives as security professionals hell. So, the reality is that the problem is going to get bigger in the future no matter how much research we do.
Sara: Agreed. We’re just beginning to see the tip of the iceberg of IoT threats. And Justin’s right; from a researcher’s perspective, the “media version” of IoT is boring to security professionals. They just roll their eyes when you mention it! But the reason it’s still a relevant story is because cleaning up stuff on Internet takes decades—if it ever happens at all. We’re just now starting to understand the IoT threat at a higher level. It will take years for the rest of the industry to start doing something about it and addressing the threat. Meanwhile, the threat continues to grow. So, as researchers, we have to keep talking about it, staying on top of it, and telling people what’s going on. It was the potential threat that initially got me interested, but it’s the continually growing threat that keeps me interested in it.
Q: From your perspective, what are the biggest insights in the current (volume 3) report, IoT: The Rise of Thingbots?
Justin: Expect the unexpected. The data we collect and the data we work from is very consistent, but we’ve learned to expect the unexpected every quarter when it comes to the results. When we look at the volume of activity by date and time and correlate that to temporal events in our physical world, there’s some consistency in the amount of time between recon, exploitation, and attacks in large campaigns. But otherwise, the “fallout” period—that is, the months following any attack—is complete, random chaos, as we saw post-Mirai.
Sara: I would agree with that. We’ve been good at understanding the dataset, so we’re confident when we say, “this is what we think is happening,” but it always turns out to be far bigger than we expected. For instance, pre-Mirai, we knew attackers were building a really big thingbot that could launch a large attack, but did we know it would be as big as Mirai? I don’t think we thought about it in that context. I was surprised by how big Mirai was. Now, a year after Mirai, it’s obvious from our most current data that something massive is being built right now, because the level of activity we’re seeing is orders of magnitude higher than what it took to build Mirai. I definitely believe something big is going to attack sooner rather than later. We should all be bracing ourselves for impact. Yet, no one has screamed from the rooftops that thingbots are something we should be concerned about. It’s time to start screaming now!
Q: How would you describe the level of concern among enterprises?
Sara: There seems to be very little concern among enterprises. The prevailing attitude seems to be, “I’ll deal with it when it hits me.”
Justin: More and more IoT devices are coming online, and we’re seeing more and more activity from these devices. It’s not slowing down; it’s continually growing, yet no one is voicing concern at the enterprise level as or for consumers of these devices. So, our assumption that people just aren’t concerned about the threat seems pretty correct.
I can give you two examples of that. An industrial company I know of uses IoT devices to monitor and control their equipment. Someone unauthorized was clearly connecting to these devices, but instead of exploiting the underlying equipment or industrial control systems, they were just using the devices’ bandwidth to send spam email and text messages. The company had outsourced the management of IoT devices to a third party, which left all the default values (admin passwords, weak authentication) in place, so they obviously weren’t concerned about threats. The industrial company only became aware there was a problem when they noticed a jump in the bills on their gateways.
I know of another company that measures risk associated with various pieces of their network, hardware, and subsystems based on which ones they believe will be exploited sooner rather than later. The IoT devices they use—which they know are vulnerable—are so deprioritized that they obviously aren’t worried about any threat. Their position is that they’ll deal with the problem when it breaks! So, it’s a bit surprising the high percentage of companies (as I mentioned earlier—some 95%) that are already leveraging or plan to leverage IoT, yet their level of concern about the risk is still very low.
Sara: I think that goes back to the typical problem between security and business. As security professionals, our job is to secure things and mitigate risk in a way that still lets the business operate. IoT is the new, shiny ball in business opportunity; it presents such huge opportunities for the business (and mankind in general) that companies are not willing to step away from that opportunity. It’s our job to come behind them and patch the problems within the solutions they’re deploying. But, technology aside, just as human beings, we tend to adapt to problems and find ways to treat them versus fixing them. In the same way that we don’t cure cancer, instead we find ways to treat it, I don’t think we will “fix” the current IoT problem. I think we’ll adapt and find ways to deal with the attacks, and hopefully fix on a go-forward basis.
Justin: We’ve reached a point where packets are being flung across the Internet at 100 gigabits per second all day long, so it’s not reasonable to expect that we can fix the problem. Our role is to make the cost of performing attacks significantly more costly and difficult for attackers.
Q: What do you think the future holds for IoT security?
Justin: My initial thought is that the notion of “security by obscurity” will no longer be acceptable. This is the idea that it’s okay for manufacturers to bring a product to market that has little to no effective means of security because only a few people know about it, it’s highly specialized or proprietary, isn’t well known, serves a relatively small market, or won’t be broadly implemented or deployed. The thought being, “I can put this device out there, and as long as no one finds it, it’s okay—no big deal.” It’s a little like thinking I can leave my windows unlocked, and as long as I don’t tell anyone or draw attention to them, no one will break in. But when they do break in, it is a big deal. For a long time, IOT manufacturers have been able to get away with security by obscurity. I’m more confident now (in 2017) that device manufacturers will not be able to get away with that approach, and that will help reduce risk.
Sara: I also think the amount of residual risk humans are willing to accept—especially when it comes to cybersecurity—is much higher than should be. People are all too comfortable with their personal data being compromised and public. You can win the risk argument that says, “We need to do something about these devices because they’re going to get compromised and turned into Death Star-sized botnets,” but IoT attacks go way beyond DDoS into personal privacy and data theft, and you still have the problem of dealing with the level of residual risk the global population is willing to accept. This goes back to the two examples of companies that Justin mentioned earlier. So, it’s still an uphill battle to get people to take the threat seriously. I don’t see that changing anytime soon, but I would love to be proven wrong!
Q: What’s your opinion about the proposed legislation, “IoT Cybersecurity Improvements Act of 2017”?
Sara: We have to start somewhere. There are two parts to this legislation that I like; the first is to set a purchasing standard for government agencies. This is really important—and it’s what we advocate to customers already: to purchase smart and do their due diligence before they buy and deploy any new technology. This legislation would set purchasing standard for IoT devices for the federal government. The hope is that if the legislation passes, manufacturers will start to become more responsible and build security into their devices, because they want to sell products, not just to government entities but to commercial businesses as well.
Even with good legislation, however, you still have the “retroactive” problem, which is how to deal with the billions of devices already in use that don’t meet those standards. Those devices won’t magically disappear. It’s great to see legislation that tries to address the problem and deal with it in better ways moving forward, but new legislation can never really fix the existing problem.
The second part of this legislation is the provision to protect researchers who are identifying vulnerabilities in these devices. This is really, really, really needed! Researchers are testing these devices because the manufacturers are not, and somebody needs to be doing it.
Justin: I agree; as a researcher, I consider that a critical part of this bill. Researchers who work in good faith and are trying to do the right thing by disclosing vulnerabilities to manufacturers need to know they won’t be prosecuted and thrown in jail for the good work they’re doing. There’s still a healthy fear among researchers about that. Doing disclosures is difficult—and you’re never sure how they will be received or what the repercussions will be. I’d say about 90% of the serious stuff is discovered by independent researchers who get probably 1% of the credit or compensation. I base that on the number of CVEs, phishing sites, and malware discovered, etc. that’s presented to the world by individuals not associated with big-name security outfits.
Q: What does the future look like for IoT?
Justin: I’m hopeful for the future because another industry is building up at the same time and getting lots of attention. Machine learning, AI, and data sciences are going to be a big part of our future. As researchers, cybersecurity experts, and InfoSec professionals; we continue to research and monitor and go after bad guys and provide information to law enforcement agencies, etc., but ultimately, machines will be doing a more of the initial work. We’re already teaching machines to do that, because it’s physically impossible for humans to sift through all the information that can be collected. (It’s difficult already for us to sift through all the data we collect for the F5 Labs IoT reports.) That’s the fluffy, warm and fuzzy, rainbows and unicorns, upside we can look forward to. That’s why I appreciate the F5 Labs “fact is greater than fear” and “data is power” slogans—the future doesn’t have to be dark and ominous; skull and cross bones.
Sara: AI and machine learning is where we’ll get really creative and start to solve this IoT problem. I recently read a fascinating article about the fungal ecosystem that operates like an underground Internet, connecting plants to one another. It can be used for good—to share nutrients, for example—and as a defense to wipe out unwanted plants by spreading toxins throughout the ecosystem. I think that IoT will become this for the Internet someday. When it comes to machine learning and AI, I can see where IoT devices will become the “neural net nodes” that collect data, do the processing, and provide status on things. And then you have AI in there detecting when a node is down (maybe it’s compromised) and transferring resources, etc. I think IoT will be that way in the future. But it will take a while for us to get over the hump, because we’re barely at the point of understanding the problem. It takes researchers years to really understanding it and then it takes business a couple of more years to react. We’re still in the infant phase, but in the future, I think it’s going to be really cool.
Justin: Even now, people have a hard time trying to find appropriate ways to visually represent data, and it’s even harder to find ways to transform and analyze that data. It’s a small community who does this. The technology does exist, though. It reminds me of the 1990s “SETI” (search for extraterrestrial intelligence) application. You installed it on your home computer to process information as part of a team or individually and it would submit it. Now we do similar things for cryptocurrency—bitcoin mining essentially distributes a very large amount of work across many devices that are all working to solve the same type of problem. It’s an example of how we’ve found ways to process large swaths of information very, very quickly. We’re already doing this with things like cryptocurrency and advertising. There is a lot of data science, AI, and machine learning that goes into projects that analyze data. Think of the differences that can be made in the world if we use those same resources that give you relevant ads while shopping online toward information security problems.
Sara: Problems will always keep getting bigger, but we’re finding better ways to address them. There will be a new and bigger Mirai attack, everyone will panic, and then we’ll get level-headed about it and start trying to fix it again. That’s just how human beings behave. That hasn’t changed in centuries.
Sara Boddy currently leads F5 Labs, F5 Networks’ threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all divisions of the company including web and ecommerce media properties, the domain registrar and registry platform (eNom, now Rightside), and domain parking. Prior to Demand Media, Sara spent 11 years at security consulting firms that focused on compliance (ISO 27001, PCI-DSS, SOX), incident response, and technical control implementations. Sara specializes in incident response, application security, compliance and audit, and has extensive experience with M&As, IPOs, and public company splits.
LinkedIn: Sara Boddy
Justin Shattuck is the Manager of Product Development for F5 Silverline. He is responsible for developing features and enhancements to Silverline’s managed security services, including Web Application Firewall protection, and DDoS attack mitigation. Justin has been a security product developer and researcher for over 15 years. He is an avid advanced persistent threat hunter that continually tracks global attacks and threat actors. He routinely participates in takedowns, and helps to inform various law enforcement agencies of nefarious cyber activity.