Revenge Hacking is The New Black in the Cybercrime Underworld

Revenge hacking covers a broad set of the motivations behind cybercrime. Every victimized industry has seen some form of cyber-attack that links back to its own hostile actions or policies toward the attackers.

Motives range from low-profile disgruntled ex-employees to self-publicizing groups like Anonymous providing occasional media updates about their attacks on ISIS cybertargets. Sovereign states have long been suspected of hacking behavior and even Vladimir Putin is reported to be in on the act. Sexual revenge or jealousy was behind the infamous theft of subscriber data from the dating site Ashley Madison, specifically set up to facilitate affairs involving married individuals.

The latest such story circles around the Buzzfeed hack, carried out in retaliation for identifying an alleged Saudi Arabian member of the OneMore hacking group.

Revenge hacking is not confined to the “outlaws”. Corporations have occasionally felt the urge to strike back at their tormentors, which is probably illegal everywhere in the world. Sometimes it’s considered a pre-emptive strike to ward off a perceived threat. However, taking out a target server that appears to be the source of a threat could be extremely ill-advised. That server could be a component of a public utility, hospital, municipal authority or anything really. Hackers can compromise a server and use it as a proxy for launching attacks originating from halfway across the globe.

No network or website can prevent hacking attempts from taking place. Even brand new simple WordPress blog sites are not immune. Automated systems are constantly probing for easily cracked access credentials. Such systems cost practically nothing to run and represent the bottom end of the attack spectrum. Strong passwords represent the simple and obvious defense, easily available through free online password generators.

At the other end of the scale are what could be considered “professional hackers” and the criminal element. Technically minded individuals with varying degrees of talent but with time on their hands occupy the middle ground. Large corporations present a happy hunting ground because the bigger the IT infrastructure, the greater the number of attack surfaces to be explored and exploited. This is the constant battleground between the security experts and technologies that form the defensive zone, and the attackers.

There is no central record for collating data on thwarted hacking attacks. That makes it impossible to measure the success levels of the security defenses. Security teams are only as good as their last failure, as in many walks of life. However, despite the high-profile names of the victims, the organizations that have not yet suffered the same fate greatly outnumber those that have.

Every new technology and every new online service is highly likely to contain security vulnerabilities. The incessant drive to deliver newer functionality to outstrip the competition will constantly expose weaknesses. New functionality means new systems being exposed. The reality is that the game is loaded in favor of the hackers, who only have to breach a security system once to reach the prize and the headlines.

Corporations will continue to spend on security measures because there is no other option if they are to remain ahead of the risk of attack. Add the unpredictable motivations behind revenge hacking, and the element of surprise joins the mix. The only unknown is the motive for the next high-profile attack.

The Slow Pace of Linux Kernel Updates is a Frightening IoT Security Problem

When patching holes in your core security kernel takes upwards of three years on average from discovery to patch release, it obviously raises concerns. Add in the view of security analysts that the basic approach of the security design is outdated and not responsive when under attack, and the picture grows ever more worrisome. The scenario is alarming indeed when you consider the vast number of devices out there that are exposed to the hacking fraternity and which probably never receive OS updates at all.

Linux drives the majority of the world’s Internet-connected devices. Its open source nature provides a stark contrast to proprietary platforms such as iOS and Windows in the speed of bug fixing and patch development. The security aspects being highlighted in recent debates have a lower impact on servers housed in data centers than they do on exposed devices in the IoT world. The latter is the real cause for concern.

Device manufacturers deploy Linux on everything from digital video recorders to vacuum cleaners. The cost is attractive and it is customizable and scalable. The downside is that native Linux does not offer patch push functionality to devices in the way that, say, Microsoft does. Often derided for many aspects of Windows development, nobody can deny that Microsoft appears to do all in its power to ensure that connected devices receive frequent OS updates and patches. At the same time, a vast number of connected Linux devices may never receive an OS update in their lifetime.

At the core of the problem is the often very poor code quality and risible security of the countless device drivers that vendors add. This comes on top of the disjointed, poorly thought-through nature of the IoT landscape. The Linux security kernel faces challenges not of its own making but which potentially pose a major threat to the Internet itself. Recent massive DDoS attacks launched by botnets of zombie IoT devices generated an unprecedented level of traffic. An attack measured at over 600 Gbps raises the possibility that even bigger attacks may be possible. Those traffic levels can swamp the routers that connect the Internet’s backbone with its spokes.

Manufacturers and vendors must take a share of the blame for failure to develop code that at least attempts to provide adequate security protection. One senses that the quick buck mentality overrules the genuine need to make drivers and the like robust enough. Of course, there is no money in building security features into vacuum cleaner device drivers. Only attractive functionality might increase the bottom line. Developing security aspects is a cost that may not be justifiable in the boardroom.

Criticism has been levelled at Linus Torvalds and the Linux community for taking a bug-fixing approach rather than overhauling the security kernel design. Torvalds is infamous for his tendency to drive his own path forward and ignore arguments for change that potentially have merit. The security debate may be the single biggest challenge to his authoritative approach since 1991, when Linux was first released. Architecture that is 25 years old was not designed to cope with the security demands and ever-increasing hacking threats of 2016. It does appear that the time has come for a major rethink that will adequately cope with the nature and shape of the foreseeable threats of the next 25 years.

IoT CCTV Devices Harvest the Biggest DDoS Ever Recorded

Security experts have long assessed the IoT (Internet of Things) as being a hacker’s paradise in its current format. Last week saw the biggest DDoS attack ever recorded, in terms of hostile traffic bandwidth. French web host OVH was the victim. DDoS attacks have been around for a long time in Internet terms. What is startling about this and at least one other recent attack is that the hostile botnets did not consist of infected PCs but of cameras, digital video recorders and other devices. About 150,000 of them were involved at the attack’s peak.

The significant weakness of the IoT is that each and every connected device presents an attack surface. Any device that is connected to the Internet is a potential victim of hacking and hostile takeover, as major corporations are only too well aware. The growth in real life IoT networks is racing ahead of development of adequate security protection for their component parts. There are literally millions of Internet-connected devices that hackers can potentially harvest into zombie networks.

The devices involved in the OVH attack were capable of generating traffic totaling an estimated 600 Gbps when combined. This level of usage threatens to significantly disrupt the Internet for other users. Theoretically, multiple botnets with that capability could “break” the Internet in a geographical region by rendering it so slow as to be practically unusable. Even a 300 Gbps flow may be enough to put at risk the heavy-duty routers that connect the backbone and spokes of the Internet.

At issue is the sheer number of inadequately secured devices out there. The primary sources of a botnet DDoS attack on the website of security writer and independent journalist Brian Krebs in Jan 2015 were home routers. The attack was so heavy and prolonged that the DDoS mitigation service of his web host Akamai could not cope over a sustained period. Back then, Krebs predicted that even CCTV cameras were potential zombies. That scenario came true in 2016 with a botnet attack from 25,000 of them.

There is no single solution that will protect all devices from hacking attacks. The most obvious and basic one is for users to change the default access credentials. For most home routers and connectable devices, the factory setting is admin/admin for user name and password. Users are also expected to apply frequent updates and patches to less-than-robust firmware. However, there is such a large percentage of homeowners who are simply either unaware or not technically competent, or both, that the onus must lie with vendors.

Not only that, but owners have no way of knowing if their devices have been compromised. Unlike PCs, laptops and mobile devices, there is no established practice of users hardening security on the majority of dumb-terminal devices. Until progress is made in this critical area of security, the IoT is the soft underbelly of the connected landscape. Devices are manufactured and supplied to perform a function. That is akin to having authority but no responsibility – having the capability to utilize the Internet while security is seen as being somebody else’s problem. This is the attitude that must be changed.

Street Fighter V Gives Killer Punch to User Security

The latest version of Capcom’s Street Fighter V for Windows includes an update that installs an unpublicized rootkit. The company claims it is intended to prevent players from cheating but its poor design allows any installed software to access the rootkit. It is an open back door to full kernel privileges and provides the capability to take over the user’s machine. A hacker’s dream.

What is a rootkit?

The term rootkit comes from the Linux world, where root is the equivalent of Administrator in Windows. Users or components with this level of authorization have godlike powers over the device to do more or less anything that pleases them. Kit signifies a toolkit of utilities that can perform a range of tasks as the controller of the rootkit demands.

A rootkit is not necessarily malevolent in itself but is generally considered to be cloaking malware, or potential malware at least. Hackers use them to conceal their activities and to run stealth applications such as botnet stations in a DDOS attack, keyboard loggers and spam relays. A decade ago, Symantec, vendor of Norton Utilities, debated the true definition of the term and when rootkits are legitimate.

What happens next?

Capcom tweeted that they are backpedaling on that initiative and rolling back those “security measures”. It is difficult to reconcile the concept of security with the release of such a potentially damaging rootkit and does bring into question the decision making process within the Capcom software engineering division. The action delivered a big negative hit to the company’s reputation.

It’s not the first time that a big name software vendor resorted to deploying a variety of rootkit as a means to address a legitimate objective. As well as Symantec, Sony was the original offender that brought the issue into public awareness in the first place in its messy music anti-piracy move.

Symptoms of rootkit infection

Because they operate at the lowest level on a device and implement cloaking measures, users may be unaware of the presence of a rootkit. Symptoms may reveal themselves only while the rootkit is active. Screen components, such as the taskbar or system tray, may disappear. General slowness is a good indicator. Malware that generates network traffic, such as spam relays and DDOS configurations, may cause a user to think that “the Internet is slow today”. There is no one signal that definitively indicates the presence of a rootkit.

How to defend against rootkits

The obvious first step, which all computer users should by now adopt as a normal routine exercise, is to keep anti-virus systems up to date. This presents a difficulty for the older generation, whose devices present a rich picking ground for hackers. However, once installed, all anti-virus applications automatically check for and install the latest updates.

More security conscious users will find a variety of rootkit detection and removal tools online to add an extra layer of defense. The quandary is – just because the tool detects the rootkit while it is running, can it identify the source in a corrupted firmware module, for example? Malware rootkit authors are extremely clever and ingenious in devising the mechanisms to install and launch their tools. Rootkits come in a wide variety of guises and the only sure way to remove them is to strip the device and start with a clean software build.

Yahoo 2014 Security Breach Exposes the Harsh Reality of Internet Security

Yahoo suffered a major security breach, affecting hundreds of millions of users – but we only found out about it 2 years later. This incident, combined with the 2012 Dropbox breach, demonstrates the harsh reality of internet security: most breaches go either undetected or unreported for years.

The background to Yahoo’s security breach

Yahoo is the latest major player to reveal a previous security breach and theft of user data. What the company describes as a “state-sponsored actor” stole 500 million user details in 2014. Yahoo has not yet revealed which state is under suspicion, how it came to this conclusion, or the mechanism used to breach security.

The Recode website was first to publish the story on Sep 22 and later that day Yahoo confirmed the news on its Tumblr site. It follows hot on the heels of the recent Dropbox revelation that almost 70 million encrypted user access credentials were hacked and stolen in 2012. Dropbox has only now disclosed the extent of that breach. The Yahoo incident has implications for the proposed $4.8 billion Verizon takeover of Yahoo. Disgruntled users may launch a class action suit that could impact Yahoo’s balance sheet and depress the stock.

What happened?

The stolen data is reported to consist of passwords hashed using the bcrypt algorithm. The hacker also took user names and personal information, including birth dates, phone numbers, email addresses and both unencrypted and encrypted security questions and answers. A reputed cybercriminal named Peace offered the data for sale on an underground website, which brought the incident to light. He did not access more sensitive data such as bank and credit card details, which are stored in a different system.

What happens next?

Yahoo says they issued an alert email to all impacted users, prompting them to change any passwords that they have not amended since 2014. They also urge users to consider using a stronger authentication method than mere passwords. Yahoo also disabled all unencrypted security questions and answers.
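Added example (not Yahoo’s code, nor from the original article): storing security-question answers the way the bcrypt-hashed passwords were stored, rather than unencrypted as the stolen questions and answers described above were. It uses the standard library’s PBKDF2-HMAC as a stand-in for bcrypt (which needs a third-party package), with an assumed iteration count, a random per-record salt, and answer normalization so that capitalization and spacing differences still verify.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for this example. bcrypt itself requires the third-party
# "bcrypt" package, so PBKDF2-HMAC-SHA256 from the standard library stands in here.
ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer):
    """Canonicalise an answer so '  Fluffy ' and 'fluffy' verify identically."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer, salt=None):
    """Return 'iterations$salt_hex$hash_hex'; a fresh random salt is drawn per record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer, stored):
    """Recompute with the stored salt and iteration count; constant-time comparison."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def salted_differently(answer):
    """Two users with the same answer must not share a stored value (per-record salt)."""
    return hash_answer(answer) != hash_answer(answer)
```

A stolen table in this form gives an attacker only slow, per-record guessing work, instead of the ready-to-use answers exposed in the breach.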

Even though the stolen data is relatively innocuous in itself, it poses risks to users that are much greater than simply having their email accounts hacked. Criminals use this information to attempt other hacking attacks. They may also attempt to access an individual’s network of contacts for phishing and social engineering scams.

What can users do about it?

While Yahoo and other online service providers make strenuous efforts to protect data, the lessons for us as users are clear. We really do need to learn and use stronger account authentication measures. This self-discipline need not cost a penny, but inertia holds us back.

There are still a large number of Internet users, including seasoned IT pros who should know better, who re-use the same favorite passwords over and over for multiple online accounts. Hackers know this all too well. They use known passwords to attempt to break into other accounts. This opens avenues for exploiting financial information and possible bank account or credit card fraud.

As well as using stronger passwords that free password generator services provide, we need to consider options such as two-step authentication. Many online services offer this in an effort to reduce and prevent unauthorized access and hacking. There are both free and paid password manager services that will store strong passwords that may be impossible to memorize. Many will automatically fill in the details when you visit a website and are asked to sign in.

Whichever option we choose to take, we must take action to improve our online protection. Break-ins like these will inevitably happen again despite the best efforts of the service providers. Doing nothing is no longer an option.