The Internet of Insecure Things
28/06/2018
This was the surprising title Bob Hinden chose for his presentation at LACNIC 29. The reason: according to this expert, most of the thousands of devices connected to the so-called Internet of Things are not secure as in many cases all an attacker needs to do is login in using the default password to control a device.
The specialist cautioned that neither individuals nor organizations are thinking about Internet security, and that executives are not investing adequately in security technology to prevent attacks.
In an extensive talk with LACNIC News, Hinden addressed what he considers to be the main obstacles to IPv6 deployment, focusing especially on the security issues related to the Internet of Things.
In your presentation at LACNIC29 you spoke about the history of IPv6 and mentioned all the considerations you had to take into account when developing the new version of the Internet Protocol. What are the most common questions and comments you receive regarding IPv6?
We used to get the question “Why is it necessary to deploy IPv6?”
Now that the Regional Internet Address registries have run out of IPv4 addresses, this kind of question has ended, and the new question is “How do I deploy IPv6?”
IPv4 and IPv6 are not compatible. In your opinion, is this incompatibility one of the biggest concerns for those who must implement IPv6? Do you believe that the incompatibility of the two versions of the protocol has affected IPv6 deployment speed?
The issue with this was that IPv4 wasn’t designed to be forward compatible. It didn’t have any capability for change, for example, to support longer addresses. The only forward-compatible feature in IPv4 was its four-bit version number. And we did use that (that is where the “6” in IPv6 comes from). This allows IPv6 to run in parallel with IPv4, which is working quite well and is the main transition strategy used today. It is the approach that IPv4 supported and it has worked well in practice.
The main impediment to IPv6 deployment has been the change in the business models used on the Internet. Today, it’s hard to deploy anything that doesn’t have a short-term benefit, and even more difficult to deploy something new that needs to be deployed widely before it offers any benefits.
What is your opinion on the global evolution of IPv6 and its evolution in our region in particular?
I think it’s going quite well. Given the broad implementation in host operating systems, we tend to see big increases in usage when a new ISP deploys IPv6. In the United States we are seeming large operators (fixed and mobile) where the majority of their traffic is IPv6. Similarly, large content providers such as Facebook and Google are seeing that large percentages of their traffic is IPv6.
I think IPv6 is very important in the LACNIC region. You have the opportunity to leapfrog the other regions. It will be a significant advantage not to be hindered by the high cost of obtaining IPv4 addresses, including both the cost of purchasing addresses and the constraints imposed by the limited address space. IPv6 allows for different, more efficient kinds of network designs that avoid the difficulties imposed by the limited IPv4 address space and having to deal with a mix of public and private IPv4 addresses.
Do you think that the challenges posed by IPv6 development have been overcome?
Yes, but there is still a lot more to do. The current level of deployment means that the technical hurdles have been overcome and that implementations are mature. We would not be seeing this level of usage if this wasn’t true. It’s only a matter of will, not a matter of technological issues.
What is your greatest concern regarding Internet security?
People. People who don’t think about security, people who run outdated systems, organizations that don’t protect their data internally and in transit, people who think security problems only happen to others, and executives who don’t invest adequately in security technology.
Then there are the people who attack networks. We clearly know there are many people who earn their living by building tools to attack network devices, and people who provide services to others to make it easier to do this. The arms race between the attackers and defenders will continue, but it always comes down to a people problem. We need to find ways to bring the attackers to justice and to discourage others from becoming attackers. Right now, there are few consequences for people carrying out attacks.
We also need to educate more people about the need for appropriate security technology and to consider security when thinking about how data is stored and transmitted.
What do you mean by the “Internet of Insecure Things”? Can you give us some examples?
I mean that most Internet of Things devices are not secure. Hence the “Internet of Insecure Things.” In many devices the problems are so serious that all an attacker has to do is to log in with the default password to take over the device. I wrote an article on this topic for the Internet Protocol Journal (IPJ) last year. The article is available at:
http://ipj.dreamhosters.com/wp-content/uploads/issues/2017/ipj20-1.pdf
Click here to watch Bob Hinden’s presentation at LACNIC 29.