Internet of Things botnets: You ain’t seen nothing yet

Internet of Things (IoT) botnet "Mirai" is the shape of things to come and future assaults could be even more severe, a leading security research firm warns. Mirai powered the largest DDoS attack ever, spawning a 620Gbps DDoS against KrebsOnSecurity. Source code for the malware was released on hacker forums last week. …

  1. druck Silver badge
    Facepalm

    Bleedin obvious advice

    Always put IOT devices behind a router with a good firewall, and turn off uPNP so they can't worm their own way out.

    1. Anonymous Coward

      Re: Bleedin obvious advice

      Always put IoT devices on a wall and use them for target practice.

      1. Anonymous Coward

        Re: Bleedin obvious advice

        Always leave IoT devices on the shelf.

    2. Al fazed
      Unhappy

      Re: Bleedin obvious advice

      I am gaining the impression that MS has recently made it impossible to disable uPNP via Services.....

    3. Anonymous Coward

      Re: Bleedin obvious advice

      Always put IOT devices behind a router with a good firewall, and turn off uPNP so they can't worm their own way out.

      The ever increasing problem is that the 'smart' meters that are being forced on people by the government don't have that security and are ripe for the script kiddies to take over.

      1. Roland6 Silver badge

        Re: Bleedin obvious advice

        The ever increasing problem is that the 'smart' meters that are being forced on people by the government don't have that security and are ripe for the script kiddies to take over.

        Doubt Joe Public will notice or mind if the script kiddies get the meter to report lower levels of energy consumption...

      2. Millennia

        Re: Bleedin obvious advice

        "The ever increasing problem is that the 'smart' meters that are being forced on people by the government don't have that security and are ripe for the script kiddies to take over."

        Can you imagine a botnet of over 20 million devices simultaneously doing a DDoS and taking out the power grid? Brave new world, coming nowhere near me if I can help it. I keep changing suppliers every year so they lose track of whether I have a smart meter or not. I had heard that if your gas smart meter loses Internet connectivity it cuts you off!

        They can keep the Internet of Shit

    4. ilmari

      Re: Bleedin obvious advice

      Since UPNP doesn't work through ISP side NATs, many cheap consumer cameras just connect through random vendor's "cloud" instead. Compromise that machine and you gain access to all the devices ever sold by that, and related, manufacturer. The nat and firewall of any router won't help.

  2. Anonymous Coward

    Turn off uPNP

    Is that good enough? Doesn't it require a no default egress rule (not friendly to the average consumer) to stop them getting out?

    1. Brian Miller

      Re: Turn off uPNP

      It's not the device getting out, it's someone outside getting in to get to the device, and dropping a payload on it.

      NAT=good, disable all PNP protocols=good, and of course keep the stupid thing off the network in the first place=good.

      1. Known Hero

        Re: Turn off uPNP

        Well that's all well and good disabling upnp. But what about when people need it?

        I play a few online games with my kids, not so much if we disable upnp :/

        1. Mage Silver badge

          Re: Turn off uPNP

          No one EVER needs uPNP. Configure the ports manually. If the SW can't use that, it's garbage. uPNP and related stuff are stupid, even if it's going to be on the LAN, no router should EVER have it.

          It's a similar badness to Autorun, which should not exist.

          1. Anonymous Coward

            Re: Turn off uPNP

            "No one EVER needs uPNP. Configure the ports manually. If the SW can't use that, it's garbage."

            Some routers don't allow port forwarding. Some ISPs don't allow you to use a third-party router, and there are games that can't use STUN or other tunneling tech. And if it's the ONE game the kids want (and you don't want to fray your relationship with them)...

            1. Anonymous Coward

              Re: Turn off uPNP

              And if it's the ONE game the kids want (and you don't want to fray your relationship with them)...

              Weak parenting! Kids (can) learn really quickly that wants satisfaction carries a cost.

              As yet not come across a game (Xbox One) that has required me to turn on uPnP on the WAN interface. Suspect if we do come across one, the Xbox will be relocated to its own VLan.

              1. Charles 9 Silver badge

                Re: Turn off uPNP

                "Weak parenting! Kids (can) learn really quickly that wants satisfaction carries a cost."

                And many CAN'T. Seen it FIRSTHAND, so I'm speaking from experience. Far too often, it's the children that trigger divorce...or worse.

                "As yet not come across a game (Xbox One) that has required me to turn on uPnP on the WAN interface. Suspect if we do come across one, the Xbox will be relocated to its own VLan."

                And if you don't know how to do that and have no one to turn to? Not all of us are geeks or know geeks.

                1. Anonymous Coward

                  Re: Turn off uPNP

                  >so I'm speaking from experience.

                  So (like myself) you will have seen the parent-child dynamic in all its wondrous glory...

                  >And if you don't know how to do that and have no one to turn to?

                  Given we are talking about Joe Public, I expect the game to be declared rubbish and taken back to the shop for a refund, unless the default setting on the router is for uPnP to be enabled and so the game works flawlessly out-of-the-box...

                  But as I noted I've not come across a game that has required uPnP to be enabled and from the lack of responses here giving examples, it would seem that it is an uncommon requirement.

          2. P. Lee

            Re: Turn off uPNP

            >Configure the ports manually.

            Say WHAT?!

            Ok, I'm in security so I know that's the right answer, but you're dealing with a generation who want to monitor their baby/babysitter on their iphone when they are out to dinner.

            Putting WPA2 and a password on the webcam was hard enough, do you expect them to configure a firewall too? It ain't gonna happen.

            It will continue to be bad until someone manages to set up a decent VPN coordination system with opportunistic encryption, so that these things don't need upnp and the firewalls can configure themselves.

            That sounds great... until you realise that then people will be able to know that their TV is snitching on them. That could be awkward. Then you have to decide if you'll support the protocol.

            But back to the phone... if you want to be able to view the webcam footage, you'll need an app or you'll need to trigger a vpn. Apps are buggy and the two phone suppliers don't exactly appear to be falling over themselves to make vpn activation very intelligent.

            Maybe some of that much-vaunted "machine learning" could be applied to some OCR so that your camera can read the security rules off a piece of paper and reprogram your firewall. It could be like... the 90's!

            1. Roland6 Silver badge

              Re: Turn off uPNP

              Maybe some of that much-vaunted "machine learning" could be applied to some OCR so that your camera can read the security rules off a piece of paper and reprogram your firewall. It could be like... the 90's!

              Don't suggest the use of QR-codes! The vendors will omit the obvious security checks and validation and simply do whatever the QR-code tells it to do. There was an article a while back on El Reg about the (mis)use of QR-codes containing URLs on posters to get unsuspecting people to download malware to their smartphones.

      2. Anonymous Coward

        Re: Turn off uPNP

        "It's not the device getting out, it's someone outside getting in to get to the device, and dropping a payload on it."

        The point is, your average firewall allows outgoing connections by default. Otherwise, things break. If your IoT device can scramble itself often (both MAC and IP), then you won't be able to get an egress block to stick. And once it's out, then that connection (which is TWO-WAY) allows the way back in. A rogue or hacked C&C server can pwn it regardless of your network setup, and Bob's your uncle.

  3. theOtherJT

    telnet?

    Seriously, this needs shooting in the head now. There's no reason for _anything_ to be using telnet these days, there really isn't.

    That said, I actually had quite a bit of fun this weekend turning one of my friend's living room light on and off with my phone - rather to her annoyance - because the amazing wireless IoT lightbulb she'd acquired from somewhere was listening on port 23.

    I mean, ok, I was already on her wifi so I didn't have to vault that particular hurdle to get at it, but why the HELL was it accepting anonymous connections at all?

    1. Brian Miller

      Re: telnet?

      What would be the point of either Telnet or SSH? If they have default credentials, then it doesn't matter for any access to the device. The default credentials will allow everything!

      For a slightly higher hurdle, the web UI can be soundly hacked on most of these devices.

      My Cisco router and Engenius AP required me to use a decent password on them. Unfortunately, companies like D-Link come hard coded for so many holes, it's absurd that they passed a competent QA or security analysis.

      For now, the ISPs need to take action by shutting down access to the dodgy devices, like getting the owner's attention by cutting off access. Beyond that, the companies that made the devices need to be held accountable.

    2. bombastic bob Silver badge
      FAIL

      Re: telnet?

      "Seriously, this needs shooting in the head now."

      YES.

      Worth mentioning, if it has a NETWORK STACK, but uses TELNET, someone didn't go far enough with the firmware implementation. If it's got ROOM in the NVRAM for the network stack, it's got room for SSH and/or other reasonable security. And non-guessable user names [unlike 'root' or 'admin']. And force the user to change the user/pass credentials before the device will function. And press a button on the device to reset it if you forget your user/password. And so on.

      not rocket science, just LAZINESS and CLUELESSNESS on the part of the IoT developers.

      LIABILITY applies, In My Bombastic Opinion.

      1. Anonymous Coward

        Re: telnet?

        And if it turns out the devices come from China, who doesn't care and has nukes?

    3. Charles 9 Silver badge

      Re: telnet?

      "Seriously, this needs shooting in the head now. There's no reason for _anything_ to be using telnet these days, there really isn't."

      But Telnet is simply a straight-up connection between two servers. It's the basis for all the other protocols including WWW (meaning I can masquerade--badly--as a WWW browser by telnetting to some server's port 80 and hand-feeding it the appropriate commands). What's really the difference between HTTPing to port 80 and Telnetting to it?

      1. theOtherJT

        Re: telnet?

        What's really the difference between HTTPing to port 80 and Telnetting to it?

        I agree, up to a point, but you shouldn't be allowed to do that either. It ought to be https on 443 and the only thing it will present you with there is a login page.

        I get why it wants a "non web" port open, so it can take commands from things that script automation, but if you're going to do that then there ought to be key exchange first.

  4. Olius

    Maybe I'm an old fogey (at 37), but why on earth would I want a wifi enabled kettle or fridge anyway?

    1. Anonymous Coward

      no, no, no, that's the wrong question. The question should be, why wouldn't I want a wifi connected kettle or fridge.

      The answer to that question is, there is no reason why you wouldn't..... oh wait, erm...

      On to actually answering the question :)

      The kettle, maybe, if it could fill itself up and then you turn it on remotely so you can be a lazy bugger. :)

      The fridge could only be useful if you changed the way that most people interact and decide on making food. Also if all food producers radio tagged all food with what it was and its expiry date. If the fridge was able to read this info and then you planned your meals for the week, it could tell you what you needed. But that's not going to work as it would require too many companies working together. The alternative is you tag it yourself, but then that adds work, which this is supposed to remove, so again will not work.

      The IoT is for an ideal automated world where everything talks to everything else so that it makes your life easier, you say you are going to do this, all the stuff in your life works together and tell you how and when you can do it and what you need. But this isn't an ideal world. It's a world where companies want to market new things to you to get you to part with your money. Spending as little on its design to maximize profit and reduce compatibility to lock you into their systems. Then they decide what you have bought should no longer be supported, buy the new version, therefore turning off the 'support' servers, rendering all these IoT even more useless.

      1. SImon Hobson Silver badge

        > Also if all food producers radio tagged all food with what it was and its expiry date.

        Nope, that won't make it work either. It would need foods packaged such that the fridge could tell if it is an unopened package (in which case see the use by date) - or it's been opened in which case see the "consume within x days of opening" date.

        In any case, I ignore those and go by the test that predates all this "use by" and "sell by" malarkey. It worked for my parents, and it worked for their parents, and ... I don't recall any of us getting food poisoning (very often).

        Let's face it, things like cheese and yogurt are "milk that's gone off" (in a special way). If the cheese hasn't gone green and furry then it's still OK to eat. And my nose tells me if the milk (that isn't supposed to be cheese or yogurt) is going off.

        1. Steven Roper

          "If the cheese hasn't gone green and furry"

          But green furry mould-raddled cheese is the tastiest kind. If it's not on the brink of evolving intelligence it's just not worth eating!

        2. Fred Dibnah Silver badge

          Yep, 'use by', 'sell by', and 'best before' are for the supermarkets and idiots who can't recognise festering mould when they see it. The only time I've ever had food poisoning is from restaurants and takeaways.

        3. d-type

          I recall an excellent cheese shop in Grenoble where the cheeses were almost exclusively green and mouldy.

      2. pdh

        > If the fridge was able to read this info and then you planned your meals for the week, it could tell you what you needed

        I've seen comments like this in quite a few places... but does anyone actually pre-plan a week's worth of meals in any kind of detail?

        And even the warnings about expiry dates don't seem all that useful. In my fridge, leftovers (rather than packaged products straight from the store) account for most of the stuff that's in danger of going bad. So the AC said, I'd have to tag them myself if I wanted warnings, which most people would probably be unlikely or unable to do. (How long does half of a tuna casserole last in the fridge? It depends...)

        1. Elmer Phud

          Dates

          Is that 'use by' or 'best before' or ?

        2. Rich 11 Silver badge

          but does anyone actually pre-plan a week's worth of meals in any kind of detail?

          I do, at least for three or four days ahead, and only rarely now a week. I've been doing so since I was 19 years old, using the same highly reliable technology: primary storage is a piece of paper kept in my back pocket, augmented by a non-hackable input device known as 'the nearest pen or pencil'.

          Admittedly, after three decades, the secondary storage wetware is a tad less reliable than it used to be...

          1. Anonymous Coward

            "I do, at least for three or four days ahead, and only rarely now a week. I've been doing so since I was 19 years old, using the same highly reliable technology: primary storage is a piece of paper kept in my back pocket, augmented by a non-hackable input device known as 'the nearest pen or pencil'.

            Admittedly, after three decades, the secondary storage wetware is a tad less reliable than it used to be..."

            Trouble is, that's not as reliable as you think.

            Paper kept in the back pocket? Oops, fell out when you sat down and you didn't know it, or you slipped in heavy rain and fell on your butt. Jeepers, paper's all soaked and runny; can't make anything out. And other times, you may just forget it when switching pants.

            Pen or pencil? Stepped on it, rolled off the table, got chewed by the dog, stolen by someone else, point breaks, lost it.

            And I speak for ALL of these FIRSTHAND.

            1. Roland6 Silver badge

              Trouble is, that's not as reliable as you think.

              But it is very rare for the wet wear to totally fail and you arrive home and the cupboard is totally empty - even having arrived home after several weeks abroad. But in these circumstances there are local shops, restaurants, fast food outlets, the neighbours and if it really is the wee small hours then going without food for a couple hours before places open for breakfast isn't really a hardship.

              With children, I've found there is always something in the cupboard - children can easily be satisfied by a bowl of crunchy nut cornflakes or chocolate cereals before bed, or some pasta covered in a tin of sauce...

              I've found that the next day the wet wear is back to normal and doesn't forget to take you via the shops...

              1. Anonymous Coward

                "But it is very rare for the wet wear to totally fail and you arrive home and the cupboard is totally empty - even having arrived home after several weeks abroad. But in these circumstances there are local shops, restaurants, fast food outlets, the neighbours and if it really is the wee small hours then going without food for a couple hours before places open for breakfast isn't really a hardship."

                Local shops are closed down; lost out to the big box, which is too far away (no car and the transit doesn't run at night).

                Restaurants not always open and all too expensive. Shoestring budget.

                Same for C-Stores and fast food outlets.

                Neighbours are hostile.

                And going without may not be an option if one has a medical condition. Thyroid problems, diabetes, and so on require strict diet management or you could faint and otherwise present a medical emergency.

                1. Stoneshop Silver badge

                  Medical reasons

                  And going without may not be an option if one has a medical condition. Thyroid problems, diabetes, and so on require strict diet management or you could faint and otherwise present a medical emergency.

                  If you (or someone in your family) has such a condition, you make VERY sure there's the right food in the fridge, and one or more portions of the right food in the freezer. Always. It takes priority over going away for several weeks, then finding the fridge empty.

          2. J. Cook Silver badge
            Boffin

            Also, some of us introverts are just functional enough where we do our shopping a week at a time, so we *do* plan our meals a week in advance, so we don't have to get to the store on the way home every. single. day and Deal With People.

            (I'll spare everyone the side rant of buying foodstuffs in bulk when it's advantageous and using a vacuum sealer and deep freezer to portion it all out.)

      3. Mark 85 Silver badge

        The IoT is for an ideal automated world where everything talks to everything else so that it makes your life easier.

        From what we're seeing and hearing, it's more about making the manufacturers richer. 99% of these devices are a solution looking for a problem. They really only appeal to hipsters and those who like to play around with tech without understanding the security holes, etc.

      4. Stoneshop Silver badge
        Thumb Up

        idIoT devices

        no, no, no, that's the wrong question. The question should be, why wouldn't I want a wifi connected kettle or fridge.

        Why not ask the fridge, or the kettle, as applicable? Just telnet to it and query it for its raison d'etre.

        As it'll then go and contemplate its electronic navel for 7.5 million years you'll have to revert to a conventional model to cover that interval.

    2. Warm Braw Silver badge

      why on earth would I want a ...

      I was just having this conversation yesterday with a friend who is going to be working away from his home for several days a week. His first question was what products I would suggest so that he could control his lighting and heating remotely while he was away using his mobile. It took a bit of prodding to get him to realise that he could achieve all we wanted to achieve with a couple of programmable timers (which he would have to buy for a total of £10) and a boiler control with a seven day programme (which he has already). And maybe get his burglar alarm connected to the phone line.

      The ubiquity of the mobile phone is now such that people seem to assume it's the solution to every problem - regardless of how expensive or inappropriate the technology might be that the phone connects to.

    3. chivo243 Silver badge

      @Olius

      Because there isn't much in the way of non-smart products for sale these days...

    4. Fred Dibnah Silver badge

      If you ate a takeaway curry last night, the fridge auto-bought and auto-chilled another one for you. And so on, ad infinitum, or at least until you die of curry. Or maybe it will auto-vary your diet by never buying another curry again. 'Be careful what you eat' could take on a whole new meaning.

    5. bombastic bob Silver badge
      Devil

      why on earth would I want a wifi enabled XXX

      @Olius - exactly!

      "But Father, I don't want any of that."

      https://www.youtube.com/watch?v=g3YiPC91QUk

    6. Syntax Error

      Get one of these!! An Ikettle.

      https://www.amazon.com/iKettle-Comes-requires-Power-Converter/dp/B00BHXAWX4

      IoT is about charging higher prices for white goods.

      This one is about £120.

      How about a fridge? In fact it's a "Fridge Hub".

      http://www.samsung.com/us/explore/family-hub-refrigerator/

      Samsung call it revolutionary. I'd call it stupid.

      This one around £4000

      IoT = Higher prices.

    7. Stoneshop Silver badge
      Facepalm

      why on earth would I want a wifi enabled kettle

      Someone who gave the wrong answer to that question.

      Although I'm not sure I'd want a normal fucking kettle either.

      1. Olius

        Re: why on earth would I want a wifi enabled kettle

        "Someone who gave the wrong answer to that question.

        Although I'm not sure I'd want a normal fucking kettle either."

        Crikey. I could probably build one from scratch with a Pi, a relay and a small motor in 11 hours...

  5. Marketing Hack Silver badge
    Facepalm

    The WiFi-enabled tea kettle...

    Evidence that Victorian-era commentators may have been 130 years ahead of their time, when they claimed that mankind had invented everything it needed, now that there was electric light and the telephone.

    More seriously, if you need a quick cup of tea when you get home, you can get a hot water dispenser. Or if you want to go 20th century, you can walk in the front door, put down your keys, go to the cabinet and grab a large glass measuring cup, fill that with water and put it in the microwave oven on "high" for 2 minutes. I'm pretty sure the boiling water doesn't taste any different.

    1. Anonymous Coward

      Re: The WiFi-enabled tea kettle...

      "More seriously, if you need a quick cup of tea when you get home, you can get a hot water dispenser."

      Renting. Can't fiddle with the plumbing.

      "Or if you want to go 20th century, you can walk in the front door, put down your keys, go to the cabinet and grab a large glass measuring cup, fill that with water and put it in the microwave oven on "high" for 2 minutes."

      Not enough minutes in my day. For many people, their day is split 2:1 between working and sleeping. Stolen moments of the day are all they have to give for anything else.

      "I'm pretty sure the boiling water doesn't taste any different."

      It does, actually. Slow-boiling allows more dissolving.

    2. Roland6 Silver badge

      Re: The WiFi-enabled tea kettle...

      if you need a quick cup of tea when you get home, you can get a hot water dispenser.

      For tea you need boiling water and a warm pot...

      I'm pretty sure the boiling water doesn't taste any different.

      It does, for tea you really need to start with fresh cold water.

  6. Anonymous Coward

    I just have to complain...

    Any reason why you censored the word shit? We're all adults here...

  7. Doc Ock

    And how many smart meters will the Government force on us?

    How to turn the lights out in Britain by the flick of a switch in North Korea.

  8. John Crisp

    ....and then came IPv6.

    The End.

    :-)

  9. Kirstian K
    Devil

    What I do want:

    [Think Red Dwarf]

    A toaster with AI constantly asking me if I want toast or other toasted products....

    .

    .

    .

    that I can give as a present to really piss people off.....

    Mwuahahaha..!

  10. nicholasporison

    PnP

    Enabling UPnP on a router will allow applications running on client devices like PCs to open inbound ports, without any intervention or approval from the user or network manager. This can be thought of as temporary inbound firewall rules being created on demand. This feature is typically used by P2P (Peer to Peer) applications like gaming and Windows Live Messenger and setup decent VPN like PureVPN.

    1. Charles 9 Silver badge

      Re: PnP

      They also get used by IoT devices, with or without your permission; and miscreants like to target commonly-forwarded ports to pwn the programs within to use as springboards into your LAN. It's a no-win situation; the only practical solution to this involves more rigamarole than the average user is willing to put up. And that's not getting started with households behind a CGN which introduces a second firewall layer that smothers most UPnP setups.
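
Added example, not part of the thread: the last two comments describe UPnP as inbound firewall rules created on demand, which IoT devices can request as easily as games can. The Python sketch below audits a router's UPnP port-mapping table against an allowlist; the table layout, addresses and names are constructed assumptions, not any router's real output.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of a router's UPnP port-mapping table. The layout
# "index proto extPort->intIP:intPort 'description'" is an assumption
# made for this example.
SAMPLE_TABLE = """\
0 TCP 3074->192.168.1.20:3074 'Xbox'
1 UDP 3074->192.168.1.20:3074 'Xbox'
2 TCP 23->192.168.1.57:23 'ipcam'
3 TCP 8080->192.168.1.57:80 'ipcam web'
4 TCP 2323->192.168.1.1:23 ''
5 UDP 99999->192.168.1.20:53 'bad port'
not a mapping line
"""

# Hypothetical policy: only the games console may request mappings.
APPROVED_HOSTS = {ipaddress.IPv4Address("192.168.1.20")}
ROUTER_IP = ipaddress.IPv4Address("192.168.1.1")

# Management services the thread worries about (telnet, SSH, web UI).
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

LINE_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)\s+'([^']*)'\s*$"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_ip: ipaddress.IPv4Address
    int_port: int
    desc: str


def parse_table(text):
    """Return (mappings, rejected_lines); malformed lines are kept for review."""
    mappings, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        proto, ext, ip, port, desc = m.groups()
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            rejected.append(line)
            continue
        ext, port = int(ext), int(port)
        if not (0 < ext < 65536 and 0 < port < 65536):
            rejected.append(line)
            continue
        mappings.append(Mapping(proto, ext, addr, port, desc))
    return mappings, rejected


def audit(mappings, approved_hosts, router_ip):
    """Return [(mapping, [reasons])] for every mapping that breaks policy."""
    findings = []
    for m in mappings:
        reasons = []
        if m.int_ip == router_ip:
            reasons.append("targets-router")      # router's own services exposed
        elif m.int_ip not in approved_hosts:
            reasons.append("unapproved-host")     # device nobody allowed to map
        if m.proto == "TCP" and m.int_port in MGMT_PORTS:
            reasons.append("exposes-" + MGMT_PORTS[m.int_port])
        if reasons:
            findings.append((m, reasons))
    return findings


if __name__ == "__main__":
    maps, bad = parse_table(SAMPLE_TABLE)
    for m, reasons in audit(maps, APPROVED_HOSTS, ROUTER_IP):
        print(f"{m.proto} {m.ext_port} -> {m.int_ip}:{m.int_port} {reasons}")
    print(f"{len(bad)} unparseable line(s) need manual review")
```

An empty mapping table only rules out UPnP-created holes; devices that dial out to a vendor "cloud", as other comments point out, never appear in it.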

Biting the hand that feeds IT © 1998–2019