Active Defense for the Internet of Things

Summary: Attackers will hack the Internet of Things. Then defenders will invoke "active defense." To support unexpected and unconventional active defense, defenders can post legal terms and warnings.

Today, a hot topic is hacking -- breaking into -- the Internet of Things.

The Internet of Thinks includes myriad little devices -- like smart Nest thermostats -- that are connected to the net via channels like wifi and bluetooth.

At SANS Institute's Network Security 2015 conference, experts demonstrated how to manipulate things remotely, in ways that are not intended by the designers of the things. Experts hacked into a flying drone, a wireless teddy bear and a doll.

Active Defense to the Rescue?

But if attackers will hack into "things," then defenders will use so-called Active Defense to defend the things.

SANS Instructor John Strand for example teaches a whole array of techniques for tricking or annoying attackers or for collecting threat intelligence from them.

One technique is Kippo, a fake SSH server that captures the attacker's commands on his local machine, even after the attacker thinks he has logged out of the SSH server. Dick Dastardly would be proud.

Another tool Strand teaches is a spider trap or WebLabrynth. It serves up to an attacker an endless supply of junk data that could crash the attacker's web crawler software and possibly even the hard drive that supports the web crawler. What a surprise to the attacker who thought she was just hacking into a toy!

Active Defense Law

What are the legal implications of Active Defense techniques? Generally speaking a good active defender would have legal justification for thwarting and snooping on an attacker.

But Active Defense is an evolving, loosely-defined style of cyberdefense. It might embrace a zany repertoire of tricks, spoofs and unconventional maneuvers.

To reinforce legal justification, an Active Defender might post a legal notice that says the attacker consents to being tricked or tracked.

So for example, a wireless teddy bear might post a statement like this:

“Warning. No trespassing. If you hack this device, you consent to us deceiving you, tracking you and taking other unconventional steps to stop you and prosecute you to the fullest extent of the law.”

According to SANS instructor Josh Wright, this statement might be published "in the mobile application or the web UI of the device, using a modal dialog or other splash/landing page." It might be published many different ways. The statement needs to be accessible to the attacker, though not necessarily screaming in his face.

Posted Warnings Affect the Legal Interpretation of an Activity.

My point is that the publication of warnings and statements of legal consent can help to confirm the legal justification for Active Defense of lots of things connected to the Internet, including drones, robots, teddy bears and creepy dolls.

Furthermore, such statements can help to confirm that the professionals who execute or give advice about Active Defense are behaving ethically.

Compare my discussion of Offensive Countermeasures that warn a trespasser away from physical danger.

What do you think?

Attorney Benjamin Wright teaches the law of data security and investigations at the SANS Institute.

Post Script. At SANS Institute's Network Security 2015 conference, my fellow instructors were handing out coveted Hack the Internet of Things badges. You should have been there.

No comments:

Post a Comment