Internet of things - marketing or a real threat

Friday, Habr! This is a report by Artem "ximaera" Gavrichenkov, technical director of Qrator Labs, from the conference "Hacker, vendor, client" held on April 21 in Moscow. Thanks to Kirill Ermakov for the video at the end of the publication.

Hello again.

Where to begin? You would be surprised: with global warming.

Global warming is a process that began around the 1950s and 1960s as a result of industrialization and is characterized by a gradual and constant increase in the average temperature of the Earth's surface.

This is what the change in the Earth's surface temperature looks like, averaged over 5-year periods, from 1950 to 2014. The warmer tones, red and orange, highlight the areas where warming was greater, that is, where the temperature rose more strongly; gray and blue mark the areas where, on the contrary, there was some cooling or no noticeable warming over the period.

It should be noted that the places with no noticeable warming are primarily the oceans, while over the continents the temperature has increased significantly. That is, precisely where people live and conduct their activities.

Scientists have studied this process for a long time and built mathematical models to describe what is happening and how. Some models took into account only the human factor, others only natural factors, in order to understand how natural this process is. Because there was a certain assumption, people said: "This is a normal natural phenomenon, the peak before the coming ice age; the sun is warming the Earth a little more and there is nothing to worry about. People have nothing to do with it."

But the models that used only natural factors could not explain what was happening: they did not reproduce the real picture seen in the source data.

In particular, using natural factors alone it is impossible to explain why the air is heating up over the continents. In addition, under solar heating all layers of the Earth's atmosphere should warm up uniformly, the upper (stratosphere) and the lower (troposphere), but in reality only the lower layer has warmed; that is, the heat came from somewhere below.

Probably, after all these arguments, few people will dispute that human activity has led to this. Now pay attention. Global warming in itself is not the problem; it is a consequence of human activity: the greenhouse effect, industrial plants, transport emissions, aggressive industrialization, fierce competition, cheap goods, factories in third-world countries where low-skilled employees work.

Why do we not see these problems and discuss only the consequences? Because everything changes when these people get down to business: politicians ...

... artists ...

... politicians who consider themselves artists, like Al Gore.

All this leads, of course, to irony, sarcasm and distrust of scientific data, because when various people speak without giving any justification for what they are saying, it looks strange.

Now to the report itself, about the Internet of Things. What is it?

Here, for example, is a camera. On this slide I gave a list of cameras vulnerable to RCE on which privilege escalation is possible; these are cheap IP cameras. I especially like the manufacturer called Sricam, I really like it; I will definitely buy one for myself.

In addition to cameras, there are also televisions: everything that can be bought for 20,000 rubles and whose manufacturer's label will fall off very quickly, although, as we know, Samsung is also vulnerable (that is, it has TVs that are more expensive than the specified price threshold).

What else? Chinese smartphones. All sorts of consumer goods. The rest, such as self-driving cars and onboard aircraft systems, is nothing compared with the cameras.

Naturally, everything listed on the slide is not audited by anyone and is not updated. And, of course, the security problems of this eerie fleet of devices, which never get patched and whose manufacturer shuts down as soon as the slightest problem arises, attract artists.

According to some estimates, the Internet of Things market should reach $2 billion by 2020, while the IoT security market should reach $36 billion, which is almost 20 times more. Marketing is also an art.

All this is nonsense, because what kind of security can we even talk about?

At the beginning of this year, the world learned about vulnerabilities in enterprise-grade networking equipment; the news came one item after another. Researchers correctly noted: "It is not that the firmware of network devices has recently become insecure; it has always been like this." It is simply that only recently did anyone get around to it and find that everything inside is bad. There are holes even in complex equipment costing a hundred or a thousand times more than this unfortunate IP camera.

There have been a lot of hardware vulnerabilities lately. This is not a conspiracy of vendors and/or intelligence services. The researchers just finally got around to it.

Published by Ilya Medvedovsky on April 5, 2017

We cannot, as Paul Vixie correctly notes, secure even devices and infrastructures worth millions and hundreds of millions of dollars. And yet someone is trying to believe that it is somehow possible to protect all these Chinese consumer goods. The most interesting thing is that it is not necessary.

There is nothing fundamentally new in the Internet of Things as a security threat, except perhaps the multiplier: a blow to availability, denial-of-service attacks. Why? Because 10 years ago it was decided to build a "perimeter", where everything outside is dirty and everything inside is clean and good. It did not work even then.

Therefore, the measures that were built with brains are still working and can withstand not only what there was in 2013-2015, but also infected smartphones, cameras and even refrigerators. A properly constructed distributed system turns out to be ready for the multiplier that the Internet of Things provides.

Yes, Akamai had problems with one of its subnets during the Mirai attacks, after which Krebs moved to Google Cloud, and I did not hear that Google search went down. They had problems, but a properly constructed system isolates individual components, so global problems did not occur. One of the vendors had problems; well, what can you do.

And who will have problems then? Those who have no security systems at all. Here the story is simple: you see that rain is coming, an everyday meteorological phenomenon, and you conclude that you need an umbrella. It makes sense to take care of it in time. Because it is very ordinary users who are under threat.

Here I have a seditious thought; I will set it out. It is clear that ordinary users, who go to the cinema and know nothing about security, will not integrate or choose some kind of IoT security solution. They will choose the "safest solution". It sounds ridiculous, think about it: "Vasya Pupkin from Uryupinsk chooses the safest TV." It seems strange, but the fact is that there has already been such a precedent.

This slide shows a 3D model of a safety center built by Volvo in 2000 to study the safety of its cars. Look, this is a very complex engineering structure, and it was very expensive. It is needed to simulate the multi-factor accidents a car can get into in real life.

This gave a definite leap in driving safety, together with similar actions taken by the European Commission at the same time, after which it is actually quite difficult to die in a modern car. Volvo started the process and, most interestingly, it affected sales. A competent marketer, looking at this, was able to raise sales with the words "Volvo is safer than its competitors."

Until the thunder claps, the peasant does not cross himself. But when the storm rages, people cross themselves quickly and intensely. Either the Internet of Things will really turn into such a threat to human life and safety, and then this problem will be solved, or it will not turn into one, and there will be no problem.

Where then, you ask, do all these solutions for protecting the Internet of Things come from? This week a two-day CISO forum ended. I looked at the materials, and more than half of the reports there were about various types of compliance.

What is compliance? It is an important thing, especially in the modern world. Indeed, you need to be able not to end up in jail over the way you implement a security policy: the world is changing and becoming more complicated. And, it can be said, hacker reports are not for the CISO forum; there is ZeroNights, and you can go there with that.

So what is compliance? It is the implementation of policies that someone sets: the state, the regulators, some third party. Compliance with policies and the relevant legislation.

Many people literally have to face the following: people in jackets come to visit and say: "The news was about the Internet of Things. You, as the information security department, what are you planning to do about it?" The answer "Nothing" is a very bad one.

Other people come to other people in jackets and say: "There was a marketing report about the formation of a new $36 billion market; why are we not in it?" It is strange to answer: "Because this is nonsense."

And then these people meet: one side needs to sell something, the other needs to buy something, and a solution appears. The solution solves some problem. But the problem is not in the Internet of Things, and it is impossible to solve it with a separate piece of hardware, because the question is fundamental. The question is about patches; the question is about preparing this hardware even before the production stage.

Which problem are we talking about, in general, out of the thousands of difficulties encountered in the Internet of Things? Is the Internet of Things a real threat, or marketing? And global warming? I do not know, but the weather forecasters promise that the summer will be hot: if not this one, then the next one for certain.

Video of the entire conference:

Source: https://habr.com/ru/post/328066/

