Security Measures in Ubiquitous Age

New Threats and Possibilities in IPv6 Networking Age

Satoshi Kondo
Trend Micro K.K.


Ubiquitous computing, or ubiquitous networking, simply means a network environment and usage scenario in which all kinds of information terminals, devices and goods embedded with IC chips are connected to various wired and wireless networks. Computing capability resides everywhere in real space, and users can use various services without knowing the underlying mechanisms. IPv6 can be expected to serve as the base networking technology for realizing such a computing environment.

Then, what are the possible security threats in such a ubiquitous networking environment?


Three factors that determine security threat level

Among security threats, the level of threat from illegitimate access, denial of service, viruses, worms and malware can be defined by the following three factors:

Network Connectivity X Technical Information Availability X Attacker Motivation = Security Threat Level

Network Connectivity

It is easier to understand this if we look back on security threats in the present Internet.

In the age of sneaker networking, or in the initial stage of networking when offices began to deploy LANs, the damage and threats described above were very limited, because there was no physical media connectivity to serve as routes and channels for attacks.

Cases of large-scale virus infection, large DoS attacks and illegal intrusion are increasing drastically in number with the expansion of networks and the spread of the Internet. Network connectivity is an important factor that pushes up the security threat level.

Technical Information Availability

Technical Information Availability means how easy it is to acquire the technical information necessary for attacks. The effort an attack requires is greatly reduced if technical information is widely distributed, and if the environment needed for trial and error and the development tools are easy to use.

However, information availability is only one aspect of a higher security threat level. Even black-box systems and devices that disclose no technical information can only expect to make reverse engineering more difficult for attackers who have enough time and technical skill. We should realize that, for attackers who do not begrudge the effort, the hurdle of undisclosed technical information is not so difficult to overcome.

Attacker Motivation

The remaining factor is Attacker Motivation, or incentive. Until now, the major motivations have been pure technical interest and challenge, or showing off one's own technical skills and self-expression. But with the emergence of a new type of attacker with a strong sense of using such activities as a means of financial profit, as seen in phishing and botnets, we can expect to see dramatic increases in attackers' technical skills and in the cost they invest in the effort, as well as more organized efforts.

Such a shift in attacker motivation and background breeds strongly focused, planned and large-scale attacks. These will lead to more serious security threats and wider damage.

Security effect of IPv6 on existing information devices

With the above factors considered, how will security threats change when existing devices support IPv6? The factor at work here is the improvement in “network connectivity”. Basically, as long as you use the network in the same way as with IPv4, there is no radical change in the quality and content of security threats.

A basic characteristic of IPv6 is that devices have global unicast addresses and are reachable from the Internet, with no need for indirect Internet connections such as NAT. This is not a big change if your site has allocated global addresses on IPv4. But if you are used to an IPv4 network environment and have implemented security measures that assume an Internet connection through NAT, you need to rethink those security measures when you deploy IPv6 (see the reference at the end).

Then, what are the security threats in the age of ubiquitous networking of information devices and other objects, with the extended use of IPv6?
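The following is an added example, not part of the original article: a small audit that reads `ip -o addr show` output and lists interfaces whose IPv4 side is private (and so was shielded by NAT) while their IPv6 side carries a global unicast address. The sample output is constructed and uses documentation prefixes; whether a flagged address is actually reachable still depends on the filtering in front of it.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

# Constructed sample of `ip -o addr show` output; 2001:db8::/32 stands in
# for a real global prefix.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
2: eth0    inet6 2001:db8:10::20/64 scope global dynamic
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link
3: eth1    inet 10.0.5.7/24 brd 10.0.5.255 scope global eth1
3: eth1    inet6 fd12:3456:789a::7/64 scope global
"""

LINE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+([0-9a-fA-F:.]+)/\d+")


def nat_assumption_gaps(ip_addr_output):
    """Map interface -> global IPv6 addresses, for interfaces whose IPv4
    addresses are all RFC 1918 (i.e. the host sat behind NAT on IPv4)."""
    v4, v6 = defaultdict(list), defaultdict(list)
    for line in ip_addr_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ifname, family, text = m.groups()
        addr = ipaddress.ip_address(text)
        if addr.is_loopback or addr.is_link_local:
            continue  # never routed beyond the host or the link
        (v4 if family == "inet" else v6)[ifname].append(addr)
    gaps = {}
    for ifname, addrs in v6.items():
        reachable = [str(a) for a in addrs if a in GLOBAL_UNICAST_V6]
        private_v4 = bool(v4[ifname]) and all(
            any(a in net for net in RFC1918) for a in v4[ifname])
        if reachable and private_v4:
            gaps[ifname] = reachable
    return gaps


if __name__ == "__main__":
    print(nat_assumption_gaps(SAMPLE))
```

In the sample, eth1 is not flagged because its only IPv6 address is a unique local address, which is not globally routed.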


Security threats in the age of ubiquitous networking

We are surrounded by various digital gadgets such as DVD/HDD recorders, digital audio players, game consoles, and cellular phone terminals. These non-PC devices will be increasingly networked, becoming digital hubs and media consoles.

Not only these consumer devices but also sensors and control devices for environmental infrastructure, such as intelligent buildings, are beginning to move to network environments based on IPv6 Internet technology.

In the Internet cloud that connects various devices, not only the existing “computer-looking” devices but also these new devices will be subject to the same security threats. They differ in size, processing power and operating system, but these devices have the same computer components as PCs, such as memory and CPUs. Therefore, the same types of attacks as against PCs are technically possible.

Given the condition defined by the three factors above, security threats similar to those facing PCs will surface as serious and real issues.

Closed network to IP network

As a prerequisite for security threats to surface, network connectivity is the most influential factor. A standalone device has no risk of being attacked from outside other than through physical contact.

The risk is also low in a system composed of closed, physically separated networks, such as building management networks. But the switch to IP networking allows various services to be multiplexed on one physical connection. Various terminals and services share the same network, which forces us to consider the increased risk of attacks that cross logical network separation.

Even a completely closed network may be attacked, for example through the PC of a service technician that was infected with malicious code while connected to another network and is then brought in for maintenance work. All possible network connection routes have to be considered when implementing security measures.

In ubiquitous IP networking, devices themselves may need some security features for self-defense, such as a firewall, packet filter, and download content scanner. Network-based firmware updates and software installation can be controlled by tamper protection using electronic signatures on programs, and by limiting and controlling the servers from which downloads are accepted, but these are not enough. As for implementation vulnerabilities, malicious code may be delivered through protocols and ports that are allowed for communication. In particular, to protect devices before a security patch is delivered and applied by the user, it is important for devices to have a packet scan function that detects malicious data and code. As the new devices may be placed in a variety of network environments, security functions cannot be expected to be in place in each of them. Security protection cannot be left entirely to the network.

Data download routes and network access

With smartphones, some worms and malicious programs have already been observed on terminals running the Windows Mobile and Symbian operating systems. Their threat has been limited because most infection and attack routes were limited to Bluetooth ad hoc communication. The threat is expected to become more serious as connectivity to the Internet improves, with full browser functionality and the download of programs and media content from Internet servers.

There are actual examples of attacks using image, voice and other content files embedded with executable code that exploit software security vulnerabilities. If there is a security vulnerability in the software that processes content data, it is not technically impossible to create malicious code disguised as content files. Therefore, you cannot say that a particular device is secure just because it does not download applications and other executable programs.

Attacks to non-PC platforms

Information devices and other embedded devices come with various operating systems and CPU architectures. But their basic composition is not much different from that of normal PCs. Therefore, it is not impossible to apply buffer overflows and other known attack techniques used against PCs.

One of the reasons we find less malicious code for embedded devices than for PCs is that each device uses customized hardware and its own software, which makes it hard for the gain from a successful attack to match the cost of reverse engineering and analysis. In other words, as they become attractive to attackers, these devices will become targets for attack, just like PCs.

More embedded devices are beginning to use general-purpose operating systems, as represented by embedded Linux. This makes it easier than before for attackers to obtain technical information about target platforms.

We recently saw a PNG library vulnerability. Devices that use the same open source library as the one in question are given binary code built to suit their CPUs. But malicious code targeting this vulnerability could be executed on the target platforms.

However, it is too early to conclude that the adoption of open source software increases the security threat level. One should not neglect the fact that third-party review of published source code enables the discovery and fixing of security vulnerabilities and raises code reliability. If an attacker has clear determination as well as enough technical expertise and time, this hurdle can be overcome even with closed targets, using reverse engineering and other analytical techniques. Taking this into account, the fundamental issue is the security of the software itself, rather than whether it is open source or not.
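As an added illustration (not from the original article) of the download content scanner mentioned earlier, applied to the content-file and PNG cases above: a structural pre-check that a device could run on a PNG file before handing it to the image library. The size limits are assumptions chosen for the example, and the sample files are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 8 * 1024 * 1024  # assumed per-chunk ceiling for a small device
MAX_DIMENSION = 8192             # assumed largest width/height the decoder handles

def check_png(data):
    """Return a list of structural problems; an empty list means the file passed."""
    if not data.startswith(PNG_SIGNATURE):
        return ["bad signature"]
    problems, seen, pos = [], [], len(PNG_SIGNATURE)
    while pos < len(data) and b"IEND" not in seen:
        if pos + 12 > len(data):
            problems.append("truncated chunk")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if length > MAX_CHUNK_LEN or end > len(data):
            problems.append(f"{ctype!r} declares {length} bytes: over limit or past end of file")
            break
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            problems.append(f"{ctype!r} CRC mismatch")
        if not seen and (ctype != b"IHDR" or length != 13):
            problems.append("first chunk is not a 13-byte IHDR")
        elif not seen:
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                problems.append(f"dimensions {width}x{height} out of range")
        seen.append(ctype)
        pos = end
    if b"IEND" not in seen:
        problems.append("missing IEND")
    elif pos != len(data):
        problems.append("trailing data after IEND")
    return problems

def _chunk(ctype, body, declared=None):
    length = len(body) if declared is None else declared
    return struct.pack(">I", length) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def _png(width, height, extra=b""):
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + extra + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed samples; `declared` lets one chunk lie about its own length.
GOOD, HUGE = _png(1, 1), _png(0x7FFFFFFF, 1)
LYING = _png(1, 1, extra=_chunk(b"tEXt", b"k\x00v", declared=4096))
```

A check like this only rejects files whose structure is inconsistent or outside the limits; it does not replace fixing the decoder itself.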

Attacker motivation and new attack targets

As ubiquitous computing devices begin to interact deeply with real space, it is easy to imagine attacks on these devices and systems aimed at material damage.

As seen in the appearance of malicious code for portable game devices, creating attack code for any platform is technically feasible, given enough technical skill and motivation. But the first two of the three factors above, especially network connectivity, are the necessary condition for causing large-scale damage and problems. Unless that criterion is met, such code is just a concept that illustrates risks. Unless the code shows the possibility of significant actual damage, it may make news but is not likely to lead to serious countermeasures.


Latest protection techniques

Implementation of security features

For security measures in a ubiquitous networking environment, it is difficult to apply the same technology and products used for PCs. The new environment also requires measures that take into account characteristics different from current general usage of the Internet, such as network mobility, usage that is not tied to a specific network location, and a variety of network connectivity functions.

It is possible to consider multi-layer security measures in which devices themselves have minimum security functions and work with network-based security functions to provide overall protection. We have recently seen the quarantine security model for network connection management and the distributed security model.

When devices themselves cannot have enough security functions, some consider it possible to use VPN and similar network technology to let them connect to the Internet through a VPN tunnel, so that the network provides both connectivity and security functions. This is similar in concept to a cellular network gateway, which relays between the cellular packet network and Internet access. For ubiquitous devices, this method is advantageous in that it sends encapsulated IP packets to a gateway server that performs protocol and content translation. But such gateway-based measures have the disadvantage of placing a huge load on the gateway server as the number of devices increases. Scalability remains an issue.

Challenges in security policy configuration

Many ubiquitous devices have a limited user interface. It is also hard to expect users to have enough knowledge about security settings. It is not realistic for users to apply security policy and other security requirements to the devices directly. It is essential to have a management server carry out automatic settings by distributing configurations. For truly distributed network environments, including ad hoc communications, the challenges include managing security policy implementation as well as policy distribution and device management.


Future outlook

It can be said that security in a ubiquitous network environment possibly involves the same level of threat as existing Internet-connected PCs. The potential security threat will surface when any of the three factors mentioned above crosses a certain threshold. It is important to plan sufficient security measures for such a new computing environment before the threat emerges. But it is difficult to identify satisfactory protection efforts, due to the lack of specific threats.

Planning countermeasures only after the threat becomes serious would not help dispel vague anxiety about security, which may become an obstacle to the new computing environment. I hope to see widespread efforts to cope with the challenges mentioned above in order to realize a secure ubiquitous network environment.

Reference:
IPv6 Promotion Council of Japan Transition WG, IPv6 Transition Guideline 2005: Security Segment
http://www.v6pc.jp/pdf/en-09-v6trans-security-050722.pdf
