Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.
First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.
Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.
The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.
Is government regulation the only way to get manufacturers of Internet of Things (IoT) devices to care about security?
(Score: 2) by Scruffy Beard 2 on Sunday November 13 2016, @06:24AM
The code still has to be bug-free: even with read-only memory.
Computer Scientists Take Over [ucsd.edu]
Electronic Voting Machine with New Programming Technique
TL;DR: They invent an new programming technique called "return oriented programming". The use the tail-ends of subroutines to built up a turing-complete language.
The leverage a stack overflow in a maintenance routine in order to do naughty things.
That is the article that convinced me that modern computers are inherently insecure.
(Score: 1) by EETech1 on Sunday November 13 2016, @09:20AM
I thought the Z80 was a Von Neumann chip.
From your link:
“We overwrote the computer’s memory and state so it does what we want it to do, but if you shut off the machine and reboot from ROM, the exploit is gone and the machine returns to its original behavior,” explained Checkoway.
This would indicate to me that the chip was executing instructions from RAM caused by a buffer overflow.
This cannot happen of the CPU cannot execute instructions from data memory. It can corrupt the data, but not change the program.
Am I missing something?
Cheers
(Score: 2) by Scruffy Beard 2 on Sunday November 13 2016, @04:11PM
From the paper [usenix.org] (that I though was linked from that article: