Thursday, April 3, 2014

Dan Geer's Nightmare Scenario: An Internet Killer That Can't Be Fixed

Dan Geer is a friend and mentor whose writings have continually inspired my work in the area of data-driven security (versus network-driven security) since 2009. He has recently shared with me his latest talk, given at the NSA on March 26, 2014, "APT in a World of Rising Interdependence", and has now given me the OK to share it with you.

Amongst many insightful points, Dan describes a scenario which would knock most of the world off-line, and for which there would be no near-term recovery as of today or the near future unless a dedicated, expensive effort is made to fix this problem.
Lest some of you think this is all so much picayune, tendentious, academic perfectionist posturing, here is how to deny the Internet to a large fraction of its users.  There are better methods, there are more insidious methods, there are darker paths.   
My apologies to those of you who are aware of what I am about to describe, but this one example of many is known to several of us, known in the here and now:  Home routers have drivers and operating systems that are binary blobs amounting to snapshots of the state of Linux plus the lowest end commodity chips that were extant at the time of the router's design.  Linux has moved on.  Device drivers have moved on.  Samba has moved on.  Chipsets have moved on.  But what is sold at Best Buy or the like is remarkably cheap and remarkably old.   
At the chip level, there are only three major manufacturers, so Gorman's 43% threshold is surpassed.  With certainty born of long engineering experience, I assert that those manufacturers can no longer build their deployed software blobs from source.  If, as my colleague Jim Gettys has laboriously measured, the average age of the code base on those ubiquitous low-end routers is 4-5 years,[JG] then you can be assured that the CVE catalog lists numerous methods of attacking those operating systems and device drivers remotely.[CV]   
If I can commandeer them remotely, then I can build a botnet that is on the *outside* of the home network.  It need not ever put a single packet through the firewall, it need never be detectible by any means whatsoever from the interior of the network it serves, but it is most assuredly a latent weapon, one that can be staged to whatever level of prevalence I desire before I ask it to do more. 

All I need is to include in my exploit a way to signal that device to do three things:
  • stop processing anything it henceforth receives, 
  • start flooding the network with a broadcast signal that causes other peers to do the same, 
  • and zero the on-board firmware thus preventing reboot for all time.  
Now the only way to recover is to unplug all the devices, throw them in the dumpster, and install new ones -- but aren't the new ones likely to have the same kind of vulnerability spectrum in CVE that made this possible in the first place?  Of course they do, so this is not a quick trip to the big box store but rather flushing the entire design space and pipeline inventory of every maker of home routers.
I won't quote anything else from his talk because you should read it in its entirety, and can do so here. I will however mention that although Dan used the word "APT" in his talk's title, it had nothing to do with China (for those of you who still think that APT is a "who" and not a "what").

Thanks, Dan! 
