Commentary
3/31/2014, 09:00 AM
Jaeson Schultz

Bit Errors & the Internet of Things

Internet traffic, misdirected to malicious bitsquatted domains, has plagued computer security for years. The consequences will be even worse for the IoT.

Zeros and ones are the native vocabulary of computers: almost anything can be represented in memory simply by arranging them in the right sequence. A stored bit, however, is a physical thing, not an abstract one. In DRAM it is nothing more than a minute electrical charge held in a microscopic capacitor, and so these binary digits (bits) are susceptible to the conditions of their physical environment.

Our bits are stored inside increasingly compact devices that operate out in the harsh environment of planet Earth. Many of these devices are routinely subjected to extremes of temperature, as well as to hazards such as cosmic rays, whose secondary particles reach the Earth's surface at a rate on the order of 10,000 per square meter per minute. Under adverse conditions such as these, a one occasionally and silently flips to become a zero, or vice versa.

For ordinary Internet users, bit errors can have a direct effect on where our traffic goes. Flip a single bit and the domain name "s.ytimg.com" becomes the domain name "snytimg.com": in ASCII, the dot character (0x2E) and the letter n (0x6E) differ in exactly one bit. When this happens, traffic originally destined for YouTube is sent to a completely different address.

Other characters share the same relationship. The letter o (0x6F) and the forward slash / (0x2F) differ by only one bit, as do the letter c (0x63) and the hash character # (0x23). Those two cannot appear in a host name, but they can still cause mischief in how a URL is parsed, because a slash or a hash changes where the host name ends. There is even a word for registering the domain names that such errors produce: bitsquatting. Misdirecting Internet traffic to malicious bitsquatted domains has serious implications for computer security. But bit errors can also have far worse, even life-threatening, consequences.
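The following is an added worked example, not code from the article or from Cisco: it enumerates every domain name reachable from a given one by a single bit flip, keeps only the variants that are syntactically valid host names (and, by default, that stay in the same top-level domain, since those are the ones an attacker can register at the same registry), and emits response policy zone (RPZ) records that rewrite each bitsquat back to the intended name, which is the defensive use of the list that the Cisco RPZ post linked in the comments describes. The RPZ record shape assumes a BIND-style policy zone; the function names are my own.

```python
import string
from typing import List

# Characters a registrar accepts inside a host-name label. Uppercase is deliberately
# left out: DNS is case-insensitive, so a flip of bit 5 ('a' <-> 'A') lands on the
# same name and is not a distinct bitsquat.
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def one_bit_apart(a: str, b: str) -> bool:
    """True if the ASCII codes of single characters a and b differ in exactly one bit."""
    x = ord(a) ^ ord(b)
    return x != 0 and x & (x - 1) == 0


def is_hostname(name: str) -> bool:
    """Syntactic check only: two or more labels, each 1-63 characters of [a-z0-9-],
    with no label starting or ending in a hyphen."""
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return all(
        0 < len(lbl) <= 63
        and set(lbl) <= HOSTNAME_CHARS
        and not lbl.startswith("-")
        and not lbl.endswith("-")
        for lbl in labels
    )


def bitsquats(domain: str, keep_tld: bool = True) -> List[str]:
    """Every distinct, valid host name reachable from `domain` by flipping one bit of
    one byte. With keep_tld=True, variants whose last label changed are dropped, since
    registering those would require a different registry (and the TLD may not exist)."""
    domain = domain.lower()
    tld = domain.rsplit(".", 1)[-1]
    found = set()
    for i, ch in enumerate(domain):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped != "." and flipped not in HOSTNAME_CHARS:
                continue  # '/', '#', control characters, bytes above 0x7F, ...
            candidate = domain[:i] + flipped + domain[i + 1 :]
            if candidate == domain or not is_hostname(candidate):
                continue
            if keep_tld and candidate.rsplit(".", 1)[-1] != tld:
                continue
            found.add(candidate)
    return sorted(found)


def rpz_records(domain: str) -> List[str]:
    """RPZ local-data records that answer each bitsquat with the intended name.
    Assumed deployment: a BIND response policy zone, where owner names are relative
    to the policy zone apex and the CNAME target is an absolute name."""
    return [f"{squat} CNAME {domain.lower()}." for squat in bitsquats(domain)]


if __name__ == "__main__":
    for a, b in ((".", "n"), ("o", "/"), ("c", "#")):
        print(f"{a!r} vs {b!r}: one bit apart = {one_bit_apart(a, b)}")
    for d in ("s.ytimg.com", "www.facebook.com"):
        squats = bitsquats(d)
        print(f"{d}: {len(squats)} same-TLD bitsquats, e.g. {squats[:5]}")
    print("\n".join(rpz_records("s.ytimg.com")[:3]))
```

Running `bitsquats("s.ytimg.com")` includes "snytimg.com" from the article, and `bitsquats("www.facebook.com")` includes "wwwnfacebook.com" from the comments; everything else on the list is a candidate worth registering defensively or blocking at the resolver.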

Consider a 2005 advisory from St. Jude Medical in Mississauga, Ontario, to doctors who had surgically implanted one of five models of implantable cardioverter defibrillators (ICDs). These devices deliver electric shocks to the heart muscle to correct dangerous rhythms and prevent sudden cardiac arrest. According to the advisory, cosmic-radiation-induced bit flips in the ICDs' memory chips "can trigger a temporary loss of pacing function and permanent loss of defibrillation support." Among the 36,000 installed devices there were 60 reported cases of the anomaly, the advisory said: a failure rate of about 0.17%, which is significant for a life-sustaining implant.

Fasten your seat belt
In October 2008, Qantas flight QF72 was carrying more than 300 passengers at cruising altitude off the coast of Western Australia when it suddenly pitched nose-down and dropped about 650 feet. The pilots brought the aircraft back to its original altitude before it plunged again, this time about 400 feet. Some passengers were thrown out of their seats, and some were flung so violently that the impact damaged the cabin ceiling, according to the 313-page report by the Australian Transport Safety Bureau (ATSB).

The ATSB investigation traced the upsets to an air data inertial reference unit that began sending corrupted values to the flight computers, but it could not determine what triggered the unit's failure. Among the few potential triggers it could not rule out was a single-event effect: a high-energy particle from cosmic radiation flipping a bit inside the unit. As the ATSB report notes, "The CPU modules for the two affected units did not have error detection and correction (EDAC)."

Bit errors were also the focus of attention in a series of highly publicized lawsuits against Toyota Motor Corp. over a flaw in its electronic throttle control system that was alleged to make cars accelerate spontaneously and uncontrollably. In the fall of 2013, the company settled a case in Oklahoma City after a jury returned a $3 million verdict in favor of two victims of a crash, one of whom died. An expert witness testified that a single flipped bit in the car's computer memory, possibly caused by cosmic radiation, could cause runaway acceleration, and that the working memory in the throttle system did not have EDAC. Earlier this month, Toyota reached a $1.2 billion settlement with the US Department of Justice following a criminal probe of the carmaker's handling of unintended-acceleration complaints.

As we connect more and more so-called smart devices, it is important to be mindful of consequences that are not obvious from the start. Gartner predicts that by 2020 there will be more than 26 billion Internet-connected "things," not counting PCs, tablets, or smartphones. These things will range from smart home climate controllers and door locks to cloud-connected picture frames, even smart Crock-Pots and toilets. Almost none of them will have error-checking and correcting memory, because adding it inflates the base cost of an item beyond what consumers are willing to pay, so all of them remain susceptible to bit errors.
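The EDAC that the ATSB report and the Toyota testimony found missing is, in its simplest common form, a single-error-correcting, double-error-detecting (SECDED) Hamming code. The following is an added example of my own, not code from the article or from any vendor named in it: it protects each byte of a host name with a 13-bit SECDED word, injects the same single-bit flip that turns "s.ytimg.com" into "snytimg.com", and shows the protected copy recovering while the unprotected copy is silently corrupted. A second flip in the same word is reported as uncorrectable rather than being mis-corrected into a third value, which is the failure mode a real controller must handle by rereading or resetting rather than trusting the data. Function names are my own.

```python
from typing import Optional, Tuple

# Hamming(12,8): bit positions 1..12 of the code word, with parity bits at the powers
# of two (1, 2, 4, 8) and the eight data bits at the remaining positions. Bit position
# 0 holds an overall parity bit, which extends the code to SECDED: one flipped bit is
# corrected, two flipped bits are detected and reported instead of being mis-corrected.
PARITY_POSITIONS = (1, 2, 4, 8)
DATA_POSITIONS = [p for p in range(1, 13) if p & (p - 1)]  # 3, 5, 6, 7, 9, 10, 11, 12


def _syndrome(word: int) -> int:
    """Recompute the four Hamming checks over positions 1..12. Returns 0 when every
    check passes; otherwise the value is the position of a single flipped bit."""
    syndrome = 0
    for p in PARITY_POSITIONS:
        parity = 0
        for pos in range(1, 13):
            if pos & p and (word >> pos) & 1:
                parity ^= 1
        if parity:
            syndrome |= p
    return syndrome


def secded_encode(byte: int) -> int:
    """Encode one data byte (0..255) as a 13-bit SECDED code word."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("one byte at a time")
    word = 0
    for i, pos in enumerate(DATA_POSITIONS):
        word |= ((byte >> i) & 1) << pos
    # With the parity positions still zero, each odd check names the parity bit to set.
    needed = _syndrome(word)
    for p in PARITY_POSITIONS:
        if needed & p:
            word |= 1 << p
    # Overall parity of positions 1..12 goes into bit 0 so the whole word is even.
    word |= bin(word).count("1") & 1
    return word


def secded_decode(word: int) -> Tuple[int, str]:
    """Return (data byte, status) with status 'ok', 'corrected' or 'uncorrectable'."""
    syndrome = _syndrome(word)
    odd = bin(word).count("1") & 1  # total parity of all 13 bits; 0 when clean
    if syndrome == 0 and not odd:
        status = "ok"
    elif odd:
        # Exactly one bit flipped: at position `syndrome`, or bit 0 itself if syndrome is 0.
        word ^= (1 << syndrome) if syndrome else 1
        status = "corrected"
    else:
        # Non-zero syndrome with even parity means two bits flipped. Report, do not guess.
        status = "uncorrectable"
    byte = 0
    for i, pos in enumerate(DATA_POSITIONS):
        byte |= ((word >> pos) & 1) << i
    return byte, status


def simulate_flip(name: str, index: int, data_bit: int,
                  second_bit: Optional[int] = None) -> Tuple[str, str, str]:
    """Flip `data_bit` of byte `index` in an unprotected copy of `name` and in a
    SECDED-protected copy; optionally flip `second_bit` of the same protected word too.
    Returns (unprotected result, protected result, status reported for the hit word)."""
    raw = bytearray(name.encode("ascii"))
    raw[index] ^= 1 << data_bit
    words = [secded_encode(b) for b in name.encode("ascii")]
    words[index] ^= 1 << DATA_POSITIONS[data_bit]
    if second_bit is not None:
        words[index] ^= 1 << DATA_POSITIONS[second_bit]
    decoded = [secded_decode(w) for w in words]
    recovered = bytes(b for b, _ in decoded).decode("ascii", errors="replace")
    return raw.decode("ascii", errors="replace"), recovered, decoded[index][1]


if __name__ == "__main__":
    # Bit 6 of the dot at index 1 is the flip that turns s.ytimg.com into snytimg.com.
    print(simulate_flip("s.ytimg.com", 1, 6))     # ('snytimg.com', 's.ytimg.com', 'corrected')
    print(simulate_flip("s.ytimg.com", 1, 6, 0))  # second hit in the same word: 'uncorrectable'
```

The overhead is five check bits per eight data bits, which is why commodity ECC DIMMs work on 64-bit words (eight check bits per 64) rather than per byte; the correction logic is the same, and the point is that it costs silicon and cents that consumer devices are built to avoid.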

A 2009 study of DRAM in Google's data centers found error rates in the wild averaging 25,000 to 70,000 FIT per Mbit, where one FIT is one failure per billion device-hours of operation. Extrapolating: if 26 billion things are connected by 2020, then every hour they will collectively suffer between 650,000 and 1,820,000 errors per Mbit of memory. A modest installation of only 128 megabytes of RAM holds 1,024 megabits, so we can expect, at a minimum, roughly 666 million to 1.86 billion bit errors per hour across the entire Internet of Things. The Google figures come from server DRAM, so this is a rough extrapolation, but the order of magnitude is the point.

These errors will undoubtedly affect us all. Let's chat about how in the comments.

Cisco's Threat Research Analysis and Communications (TRAC) team is dedicated to advancing the state of the art of threat defense. Jaeson has worked for more than 20 years in information security. Prior to joining Cisco's TRAC team, he held positions at Counterpane, ...

Comments
Marilyn Cohodas, User Rank: Strategist
4/1/2014 | 8:01:23 AM
Re: Plagued computer security for years? Proving the case
Jaeson. These additional resources are useful in making your argument. I'm reposting them here with the links embedded:

http://dinaburg.org/bitsquatting.html

https://lirias.kuleuven.be/bitstream/123456789/395759/1/bitsquatting.pdf

http://blogs.cisco.com/security/error-correction-using-response-policy-zones-eliminating-the-problem-of-bitsquatting/

Beyond bit errors, Mat Schwartz recently reported (quoting Cisco CEO John Chambers) in 'Thingularity' Triggers Security Warnings that in the "current rush to connect everything to the Internet" there's no way to keep billions of consumer devices updated with the latest security patches or firmware. This to me seems like an even bigger problem. Or is it just a different aspect of the same issue?
jaesonschultz, User Rank: Apprentice
3/31/2014 | 8:41:34 PM
Re: Plagued computer security for years?
Some of the domains Cisco studied as part of our research were selected specifically because they were extremely unlikely to be fat-fingered URLs from users. If the wwwnfacebook.com and otwitter.com examples aren't enough evidence the problem is real, then consider the content delivery network domain belonging to youtube, s.ytimg.com. Almost all references to ytimg.com come when you load a video in youtube. In other words, users aren't typing s.ytimg.com links into the browser themselves. Yet, when Cisco registered the bitsquat variant snytimg.com, we received a substantial amount of traffic.

I encourage you to read some of the published research on the topic, and then decide for yourself whether you believe the problem is real. Based on this research, I remain convinced the problem actually does exist.

http://dinaburg.org/bitsquatting.html
https://lirias.kuleuven.be/bitstream/123456789/395759/1/bitsquatting.pdf
http://blogs.cisco.com/security/error-correction-using-response-policy-zones-eliminating-the-problem-of-bitsquatting/

jaesonschultz, User Rank: Apprentice
3/31/2014 | 8:30:51 PM
Re: Dangers from crock pots?
I agree that we aren't likely to see EDAC in consumer level, Internet connectable devices, and I do point that out in the article. Crock Pots may be relatively harmless, but bit errors in things like smart door locks could be substantially more problematic.

On the subject of the bit-errors and unintended acceleration.. I am unaware whether this factored into the DOJ investigation or not.
forrestgump, User Rank: Apprentice
3/31/2014 | 6:36:56 PM
Re: Plagued computer security for years?
The presence of a bitsquatted domain doesn't indicate whether that sort of technique is effective (i.e. machines have visited that domain because of a bit error). That sort of thinking can get you into a lot of trouble.

Keep Occam's Razor in mind here, and consider the possibility that a domain name was registered because it's likely to be visited due to a user fat-fingering the domain when typing it.  And if the replaced character doesn't seem plausible, keep in mind that keyboards in different countries have different layouts.

To look at the issue another way, consider how many operations a computer does in a given day. I'm talking low-level memory operations, not like "Opening MS Word." Statistically speaking, what are the chances that you hit an operation involving a domain name? Now, what are the chances that a bit error hits the bytes of the domain name in a way that everything else is fine? Now, what are the chances that the bit error corrupts the domain name in a way that you end up on a previously registered one-bit-different domain name that's actively serving up a malicious site? (Factor in how many bits are in "www.facebook.com" in your calculation.)

Is it possible that somebody has registered one-bit-different domain names after reading the referenced paper? Sure. Does it make any sense for attackers to register domain names with the hope of getting visitors due to bitsquatting? (Hint: casinos in Vegas can afford to air condition the streets by keeping their doors open all of the time.)
jaesonschultz, User Rank: Apprentice
3/31/2014 | 6:07:56 PM
Re: Plagued computer security for years?
Thanks for your question. The bitsquat domain "wwwnfacebook.com" was first registered back in 2008, about 3 years before the initial research paper on bitsquatting was published. The domain "otwitter.com" was registered even earlier, dating back to 2007. There are other examples as well which indicate that individuals have been capitalizing on bit errors in Internet domain names for a long time.
Marilyn Cohodas, User Rank: Strategist
3/31/2014 | 3:05:16 PM
Dangers from crock pots?
Jaeson, I can see the potential for harm from bit errors in automobiles, medical devices and airplanes. But it seems a bit of a stretch to expect EDAC in inexpensive consumer "things."

As for the Toyota litigation, aside from the expert testimony in Oklahoma, do you know if the bit error issue factored into the DOJ's investigation of the spontaneous acceleration problem?
forrestgump, User Rank: Apprentice
3/31/2014 | 10:58:33 AM
Plagued computer security for years?
Has the concept of landing on bitsquatted domain names really plagued computer security for years?  If so, then I truly have no idea how computers work.