I attended a session at the EUNIS conference on internet security given by Leif Nixon from the Swedish National Supercomputer Centre. The first two words of the presentation title were “Mission impossible” so it seemed unlikely that there would be many answers to the challenge of securing the internet. And so it proved. Although, as Leif pointed out, people will “hook up all sorts of crap to the internet” (his words), the problem is with how that crap is configured, allied with individuals or groups that take advantage of vulnerabilities to attack systems. A great deal of what is connected to the internet is insecure by default.
Leif highlighted a range of devices that were insecure when purchased. These included routers for which the default password for the admin username was ‘admin’. He had found how to reset the password but the chances of an ordinary member of the public resetting the password were practically nil. It was much the same story with patching firmware – even if end users received a patch to update firmware to correct a vulnerability, few would have the expertise to apply it. It wasn’t just routers that were the problem – webcams, access control systems and printers all had vulnerabilities of various forms. These included open root access, poorly configured firmware (support for which was often deprecated) and automated responses to polling on given communications ports. Such devices are not just home owned – the chances are that there will be unsecured devices in practically every organisation (Leif illustrated the point by identifying devices in a number of organisations).
Why is this a problem? In short, it is these devices that are used as the source of a range of internet attacks such as denial of service. Those that are so minded can gain control of the device or can utilise its configuration to generate targeted traffic. The consumerisation of IT means that there is pressure on low end manufacturers to produce devices at as low a cost as possible and as a consequence there is little or no effort put into ensuring that the devices are secure at sale or providing ongoing support for the firmware. There is no financial incentive for them to do so. As a result there will continue to be insecure devices connected to the internet for those who want to do harm to exploit, making securing the internet truly “mission impossible”.