Sweet, vulnerable IoT devices compromised 6 min after going online

The unpatched Windows XP problem that spawned the Blaster and Sasser worms a decade ago is being replicated on a different platform by hackers exploiting IoT devices to launch denial of service attacks. Two Internet of Things-powered packet floods took down the websites of cybersecurity journalist Brian Krebs and French hosting …

  1. Voland's right hand Silver badge

    Different problem

    Microsoft had an update mechanism.

    That is not the case with 99% of the Idiotism Of Technology devices.

    1. Adrian 4

      Re: Different problem

      Apparently, the operators of the DDoS network managed to find a way to run their alternate code. Why can't the manufacturers?

  2. Mage Silver badge
    Unhappy

    How Bitcoin might help fix the Internet of Things.

    It can't.

    The other issues are:

    1) The user is unlikely to ever know it's compromised.

    2) Most devices can't be updated.

    3) Even if updates exist, users are unlikely to know they exist.

    4) Even if it can be, and the user knows, most users won't bother.

    5) There will be another bug, or patch ineffective and the maker will be gone, or closed by Google or lose interest as they are supporting the new shiny thing, or developer is gone (outsourced?) and no-one can patch it.

    Forced automatic updates are actually a security risk and not a solution.

    Ultimately the palliatives used by phones, tablets, PCs etc only partially solve the problem even for those. The IoT issue may not have a solution other than UPnP illegal on firewalls and no INWARD control at all on domestic IoT.

    We don't even have a complete solution for ordinary Internet stuff. The issues go to the heart of adding security as an afterthought to most internet protocols. Why didn't email have signing, whitelisting, etc from day one?

    Why are web browsers still not properly sandboxed?

    Why did anyone ever think Active X or Java (not Javascript) was a good idea in a browser?

    Why aren't 3rd-party cookies illegal, or 3rd-party iframes blocked? Why are all defaults on all browsers and email clients at nearly the worst for security & privacy?

    So how can we expect anyone to get IoT security right?

    So called "Agile" software development makes it all worse.

    1. EvaQ

      Re: How Bitcoin might help fix the Internet of Things.

      "most users won't bother."

      Exactly: The pwned IoT devices are only annoying / devastating to others. Not to the owner. Just like a successful parasite should be: it should use the host, not kill the host.

      So the real solution is not harvesting bitcoins (like the linked article says), but inflicting pain on the owner. The owner's ISP could do that by blocking the customer, but probably won't. Maybe white-hat-hackers can disable the vulnerable IoT-devices, so that the owner feels the pain and takes action.

      1. Ilsa Loving

        Re: How Bitcoin might help fix the Internet of Things.

        I would wager it's even worse than that. The average user probably refuses to accept that they even have a responsibility to do the right thing. I remember one time a neighbour asked me for help because their computer got infected with something, and their ISP cut their service to mitigate the damage.

        First thing he does is complain about how taking care of his computer isn't his responsibility, and the ISP should have prevented all this from happening.

        I politely told him that there was nothing I could do, and he would have to blow away his machine and reinstall everything from scratch. I wasn't about to waste my time helping a numbnut like that.

        1. 404
          Devil

          Re: How Bitcoin might help fix the Internet of Things.

          Should have sent them to Staples tech dept (or Brit equivalent).

          That would teach them.

          >;)

    2. a_yank_lurker

      Re: How Bitcoin might help fix the Internet of Things.

      The basic question to ask is how is the device set up. The manufacturer controls the initial set up routines not the user. Also, how much control does the user have over the device to do updates.

  3. kyndair

    so the new IOT economics goes

    1. take a small processor add it to x

    2. get a script kiddie not even considering security to programme it

    3. sell x

    4. organised crime profits

    1. ecofeco Silver badge

      I would not be at all surprised if this really was being done deliberately.

  4. Potemkine Silver badge

    Making IoT makers co-responsible in case of hacking if they did not reasonably secure their device could offer the incentive for these makers to do a proper job

    1. Ken Moorhouse Silver badge

      Re: Making IoT makers co-responsible

      MAC addresses are assigned by a central body. Issuing a MAC address should assume a certain responsibility to be associated with it by its usage. As I've mentioned before, make an element of the charge for MAC address issue to be set aside for killing errant devices.

      1. Electron Shepherd

        Re: Making IoT makers co-responsible

        There's a lot of hardware out there with MAC addresses copied from another manufacturer, duplicated within a production run or just plain invalid (sometimes all three at once).

        There's no legitimate way to determine a manufacturer if all you have is a MAC address, and if you ask the legitimate manufacturers to pay for the assignation of addresses, they'll just pass the cost on to the end-users.
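The exchange above turns on what a MAC address can and cannot tell you. The following is an added example, not code from the thread or from any commenter: it decodes the two administrative bits in the first octet (the I/G "multicast" bit and the U/L "locally administered" bit), extracts the 24-bit OUI, looks it up in a tiny table, and spots duplicates in a batch of addresses. The OUI table is constructed for the example; only the B8:27:EB entry is a real IEEE assignment. A registrant name, where one exists, identifies whoever registered the block, which (as Electron Shepherd notes) need not be the company that built the device, and cloned or duplicated addresses show up as duplicates rather than as anything attributable.

```python
import re
from collections import Counter

# Constructed lookup table for this example. Real data comes from the IEEE OUI
# registry; B8:27:EB is a genuine assignment, the 00:11:22 entry is made up.
SAMPLE_OUI = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:11:22": "ExampleCam Ltd (made up for this example)",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize(mac: str) -> str:
    """Return the address as AA:BB:CC:DD:EE:FF, or raise ValueError if it is
    not 48 bits of hex (separators ':', '-', '.' and whitespace are tolerated)."""
    digits = re.sub(r"[:\-\.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def classify(mac: str) -> dict:
    """Decode the administrative bits and attempt an OUI lookup."""
    norm = normalize(mac)
    first_octet = int(norm[:2], 16)
    multicast = bool(first_octet & 0x01)   # I/G bit: group address, never a NIC
    local = bool(first_octet & 0x02)       # U/L bit: locally administered, no OUI
    oui = norm[:8]
    # An OUI is only meaningful for globally administered unicast addresses.
    registrant = None if (multicast or local) else SAMPLE_OUI.get(oui)
    return {
        "mac": norm,
        "multicast": multicast,
        "locally_administered": local,
        "oui": oui,
        "registrant": registrant,
        # True only when the address is the kind the registry can speak to at all
        "attributable": registrant is not None,
    }


def find_duplicates(macs) -> list:
    """Addresses that appear more than once in a batch (after normalisation),
    e.g. the same MAC stamped on several units of a production run."""
    counts = Counter(normalize(m) for m in macs)
    return sorted(m for m, n in counts.items() if n > 1)


if __name__ == "__main__":
    for sample in ("b8-27-eb-12-34-56", "02:00:00:00:00:01", "01:00:5E:00:00:01"):
        print(classify(sample))
    print(find_duplicates(["b8:27:eb:00:00:01", "B8-27-EB-00-00-01", "00:11:22:33:44:55"]))
```

Even with the full IEEE list in place of the constructed table, the lookup only answers "who registered this prefix", and a device with the U/L bit set, a duplicated address, or a prefix nobody registered returns nothing at all, which is the gap the comment points at.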

  5. smudge
    WTF?

    I'm not burying my head in the sand...

    ... but some of those numbers look dodgy to me.

    Every day there is an average of over 400 login attempts per device, an average of one attempt every five minutes and 66 per cent of them on average are successful, according to Nazario.

    So that's over 260 successful logins per device per day?

    That gives me a severe case of the mindboggles. Surely if only a small percentage of those led to malicious activity, then the whole IoT would be rendered dysfunctional? (And there's no need to tell me "It already is!".)

    1. waldo kitty
      Boffin

      Re: I'm not burying my head in the sand...

      "... but some of those numbers look dodgy to me.

      Every day there is an average of over 400 login attempts per device, an average of one attempt every five minutes and 66 per cent of them on average are successful, according to Nazario.

      So that's over 260 successful logins per device per day?"

      no, you are misreading it... especially in the case of Mirai and others which disable the ports so that others can't get in once they are in place... in fact, one of the ways to find out that your camera, DVR or other IoT device is infested is when you cannot get into the admin interface...

      back to your numbers problem... 400 attempts a day... yes i can easily see that on my traditional old-school BBS that's attached to a virtual modem on port 23... watching that is how i picked up on Mirai and wrote a set of IDS rules to detect it... rules that Emerging Threats has published...

      on to the rest of the numbers problem... they're saying that 66% of attempts are successful... not 66% of attacks on one device...

  6. Anonymous Coward
    Anonymous Coward

    Nothing new

    ISPs will already alert and disconnect domestic users if they have bots on site. Don't ask me how I know...

    1. waldo kitty

      Re: Nothing new

      ISPs will already alert and disconnect domestic users if they have bots on site. Don't ask me how I know...

      *some* ISPs may do that but not all of them... if they did then AT&T, Comcast, Level3, Timewarner, and all the others would be shutting folks' connections down because of all the traffic from Mirai, Bashlite and other IoT infestations currently running rampant over the cybersphere...

  7. Mage Silver badge

    ISP problem isn't simple.

    Unlike historic email spam bots the current devs are clever. They rely on scale. Each individual IoT will seem innocuous to an ISP and their main concern of absolute traffic per user. There are a lot of ISPs and the bigger ones have a lot of customers.

    1. Wensleydale Cheese
      Unhappy

      Re: ISP problem isn't simple.

      "Unlike historic email spam bots the current devs are clever. They rely on scale."

      Yep. Each device in 3,600 strong herd might only initiate one login attempt* per hour, but if they are all aimed at the same target, that target is seeing one per second. 86,400 initiating one login attempt per day achieves the same frequency at that one target.

      Add a few noughts on for the number of compromised devices out there.

      * or other bot command
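Two threads above ask how this traffic looks from the defender's side: the "400 attempts per device, 66 per cent successful" numbers that waldo kitty reads as a statement about attempts rather than devices, and Wensleydale Cheese's point that a herd of bots each trying once an hour still lands one attempt per second on its target. The block below is an added example, not from the thread or from any commenter's IDS rules: it runs over a constructed telnet-authentication log (format, addresses and timestamps all invented for the example, using documentation IP ranges), counts attempts and successes, flags devices on which a known default credential pair logged in, and compares a per-source threshold with a per-target one. The default credential list is an assumption: a handful of pairs widely reported from the Mirai source plus the pi/raspberry pair another commenter mentions, not a complete list.

```python
import re
from collections import Counter

# Assumed default-credential list: a small subset of pairs commonly reported
# from the Mirai source, plus pi/raspberry as raised in the thread. Not complete.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "888888"),
    ("admin", "admin"), ("support", "support"), ("ubnt", "ubnt"),
    ("pi", "raspberry"),
}

# Constructed log: four bots each make two attempts at one camera, one bot hits
# a Pi, and one legitimate user logs into a third host. One line is garbage.
SAMPLE_LOG = """\
2016-10-01T12:00:00Z src=203.0.113.5 dst=192.0.2.10 user=root pass=xc3511 result=OK
2016-10-01T12:00:07Z src=203.0.113.5 dst=192.0.2.10 user=root pass=vizxv result=FAIL
2016-10-01T12:00:12Z src=198.51.100.7 dst=192.0.2.10 user=admin pass=admin result=FAIL
2016-10-01T12:00:19Z src=198.51.100.7 dst=192.0.2.10 user=root pass=xc3511 result=OK
2016-10-01T12:00:25Z src=203.0.113.44 dst=192.0.2.10 user=support pass=support result=FAIL
2016-10-01T12:00:31Z src=203.0.113.44 dst=192.0.2.10 user=root pass=xc3511 result=OK
2016-10-01T12:00:40Z src=198.51.100.200 dst=192.0.2.10 user=root pass=888888 result=FAIL
2016-10-01T12:00:48Z src=198.51.100.200 dst=192.0.2.10 user=root pass=xc3511 result=OK
2016-10-01T12:01:02Z src=203.0.113.9 dst=192.0.2.20 user=pi pass=raspberry result=OK
2016-10-01T12:01:10Z src=203.0.113.9 dst=192.0.2.20 user=pi pass=raspberry result=OK
2016-10-01T12:01:15Z src=192.0.2.77 dst=192.0.2.30 user=alice pass=correct-horse result=OK
this line is not in the expected format and must be skipped
"""

# Assumed line format for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """One auth event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ok"] = event.pop("result") == "OK"
    return event


def analyze(lines, per_source_threshold=5, per_target_threshold=5) -> dict:
    """Summarise attempts, successes and default-credential logins, and show
    which of two thresholds would fire on this traffic."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    per_source = Counter(e["src"] for e in events)   # attempts each bot makes
    per_target = Counter(e["dst"] for e in events)   # attempts each device sees
    successes = [e for e in events if e["ok"]]
    # A device is classed as compromised when a listed default pair worked on it.
    compromised = sorted({e["dst"] for e in successes
                          if (e["user"], e["pw"]) in DEFAULT_CREDS})
    return {
        "attempts": len(events),
        "successes": len(successes),
        "success_rate": len(successes) / len(events) if events else 0.0,
        "per_source_max": max(per_source.values(), default=0),
        # Low-and-slow from each bot: a per-source threshold misses the herd...
        "flagged_sources": sorted(s for s, n in per_source.items()
                                  if n >= per_source_threshold),
        # ...while counting per target sees the aggregate the victim sees.
        "flagged_targets": sorted(t for t, n in per_target.items()
                                  if n >= per_target_threshold),
        "compromised_targets": compromised,
    }


def analyze_sample() -> dict:
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

On the constructed log no single source exceeds two attempts, so a per-source rule never fires, while the camera at 192.0.2.10 has taken eight attempts from four addresses and trips the per-target rule; the success rate (7 of 11) is a property of the attempts in the log, not a count of compromises per device, which is the distinction waldo kitty draws.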

  8. Anonymous Coward
    FAIL

    "Just enable a firewall"

    Nope. Unlike the Windows botnets, the IoT runs on a wide range of OSes, or at least a wide range of Linux variants. Simply enabling the firewall by default in Debian/Ubuntu/etc would not ripple out to the vast majority of IoT devices.

  9. g7rpo

    Knowledge is needed and sadly lacking

    Although I'm sure it's not a hard and fast rule.... Seems to me that the people who buy these items are often people who would give up unless they plug it in or put it on WLAN and it just works.

    Problem is that these people don't have the knowledge or inclination to secure their devices, they also probably have no knowledge of the problems these devices can and will cause.

    Hence the onus has to be on the vendors to remove the default user/password, but as long as people buy the cheaper end of the market with no concept of implications then nothing will change

  10. Steve Davies 3 Silver badge
    Mushroom

    IoT

    means Idiots or Twats for connecting this crap kit up to the internet. These people honestly deserve all the pain they get. The sad thing is that their ignorance and idiocy will affect countless thousands of others.

    If I could, I'd ban all of it until each and every device could be certified as un-hackable which means probably never.

    I do know one thing and that NO, repeat NO IoT device will ever be connected up in my home.

    I wish more people would take the same stance.

    see Icon for what I'd like to do to the IoT makers and the script kiddies who hack it.

    1. GrapeBunch

      Re: IoT

      "I do know one thing and that NO, repeat NO IoT device will ever be connected up in my home." In some jurisdictions, an electric "Smart Meter" is mandatory. Although one hopes that the electric utilities which own these meters will be more security-conscious, they still have the same IoT weaknesses mentioned in other comments. And the possibilities to wreak mischief go far beyond DDoS.

  11. Dwarf

    Given that there are millions of Pi's in circulation, I bet that one of the credentials on the list was :

    User : pi, Password : raspberry

    I expect this was quickly followed by a quick "sudo bash" or similar

    Perhaps a suggestion to the Pi foundation is that users must change their password at first login - given that this is good practice everywhere else in the world.

    After all, I expect that they wouldn't want another top score to go with their number of units sold metric - that of the "most compromised device" category.

    The Pi is a great device, but it can be a bit dangerous in untrained hands, a bit like a Smith & Wesson. Let's at least show the users where the safety catch is.

  12. ecofeco Silver badge

    Still waiting for IoT fanbois

    Still hearing nothing from them on this problem.

    Why is that I wonder?

  13. David Roberts
    Windows

    What constitutes IoT?

    Are we talking smart fridges and toasters, or anything which has built in Internet access?

    Virtually all TVs, set top boxes, video players/recorders now have added functionality for iPlayer and Netflix. You connect them to a local network (wired or wireless) and they go and talk to the Internet. Roku? Apple TV? Sonos for streaming music? DAB radio with added streaming?

    I have a couple of Humax STBs for satellite and there is no obvious sign of a remote management interface or a security password to change, but who knows?

    On the "small devices" front the time to market and competition means that you have to get your kit out there FAST! This doesn't go hand in hand with rigorous security models and extended testing and reworking. You need to get kit out and selling to secure your second round of funding. Each month of running a development team burns money with no immediate return.

    This means that "bugger me, I just talked to the fridge" means "Ship it. Ship it now!".

    Then if it starts selling you have to make a case for putting more time into the software development instead of paying back the VC funding. Good luck with that.

    Cowboys will be clanking their spurs for another 5-10 years before maturity rears its ugly head.
