Reading about the recent massive DoS attack on Friday using cheapo webcams / DVCs etc as slaves...
Why doesn't someone just write a script to find them all and brick them (eg corrupt their flash drives). Yes it will piss off a few owners, but taking insecure computers offline would be a good thing and might encourage vendors to secure them better......
It'd be a real PIA for the innocent folks who have paid for them.
And it didn't cause any planes to fall from the sky, so who cares? Paypal didn't get paid for a few hours?
I can live with that.
[quote=ScottChegg]It'd be a real PIA for the innocent folks who have paid for them.[/quote]
I dispute the idea that anybody buying a wifi kettle is truly innocent
taking insecure computers offline would be a good thing and might encourage vendors to secure them better......
You'd be happy for me to brick your PC or your entire company network if it is insecure?
Is there somewhere we can log on to these web cams...just to check they are working like...
Is there somewhere we can log on to these web cams...just to check they are working like...
yep..
and a load of PCs with VNC left unsecured
yes, shodan
You'd be happy for me to brick your PC or your entire company network if it is insecure?
They're not...
However, if it's for the greater good then yes.
Eventually manufacturers will start shipping secure products and the problem will go away. By 'tolerating' insecure devices, we're opening up the whole internet to DoS attacks.
There is an internet of things specific search engine https://www.shodan.io/
The bloke who runs it found nuclear power plants never designed to be networked were networked. Article at BBC? or New scientist?
At some point people will realise that networking all these items is a terrible idea, the only winners being the manufacturers collecting all your data for free and the hackers watching you get undressed or doing your online banking.
At some point people will realise that [b]insecurely[/b] networking all these items is a terrible idea,
Nothing wrong with networks per-se, just ones with no security....
for the greater good
Whose greater good? Yours? PayPal's?
The huddled masses in the third world that don't have electricity?
And who decides?
the hackers watching you get undressed
Those poor poor hackers, but that'll learn 'em.
Eventually manufacturers will start shipping secure products and the problem will go away. By 'tolerating' insecure devices, we're opening up the whole internet to DoS attacks.
We tolerate them because we want them cheap. People moan about Apple products being expensive, but they are frequently the only phones that have regular security updates. Sure, you can buy a generic Android handset for 100 quid, but how many security updates will it get in two/three years? Did it even get patched for Heartbleed?
I doubt that even legislation would help. Trying to force companies to support software would just make them go out of business quickly. Support costs a lot of money in both Dev and Test.
Why doesn't someone just write a script to find them all and brick them (eg corrupt their flash drives).
I've seen quite a few suggestions like this over the past few days, many calling for the NSA to get on the case. I'm surprised some script kiddie hasn't already done it, you know, just for the lulz.
The main problem is shipping kit with a default password the same for every device. Adding a unique password to each device and putting a sticker on the box, will only add a few cents to the BoM...
I'm surprised some script kiddie hasn't already done it, you know, just for the lulz.
I'm quite tempted myself to be honest....
I'm quite tempted myself to be honest...
Well, hang fire a mo while I change the password on my electric blanket.
Nothing wrong with networks per-se, just ones with no security....
Nothing is totally secure though. Fine some things need to be on a network, but we seem to be putting a lot of crap on networks for no purpose, e.g. my Blu-ray player can be networked, but there really is no need for it to be.
The main problem is shipping kit with a default password the same for every device.
It's actually quite hard to do this well as it means once you've lost the password, the device is useless. What they should do is make the device inoperable until the password has been changed. So you plug your IP device in and it just sits there flashing lights until you set the new password via the admin device/app. THAT wouldn't be too hard to do.
[quote="dragon"]e.g. my Blu-ray player can be networked, but there really is no need for it to be.[/quote]
I quite like mine being networked, means I can pop the disc in and watch the film in another room. Without having to move the Blu-ray player. Very convenient.
Other than that, you've got a point. It's quite amazing what passwords people do (or don't) set. Neighbour's WiFi password was 1234, matched with the first bit of his address as the SSID. So not only could I steal his WiFi (except it's far slower than mine) but I could also see (and access) his phone, laptop, desktop, wife's phone, printer and so on. Only thing I couldn't access was his work laptop and his kids' phones, as they'd done all the proper password things. I could even access (and log on) via the IP address without a huge amount of effort.
It's all changed and secure now, and he brought me some beers. So we're all good.
Some IoT devices, particularly those that you'd not log in to as such, even go as far as having hardcoded passwords.
Been quite a few good talks at recent hacker/security conferences. 20 devices hacked in 40 minutes (or something like that), the wifi enabled dildo (not a joke).
Security seems to be the assumption that 4 pins on the circuit board for a UART connection won't be a problem, since any hacker would need physical access to your device. Totally overlooks the fact that in reality a hacker only needs access to 1 device, whereby they can then find the vulns.
By hacker, I refer to security researcher.
edit: and in reality, numerous devices are simply rebadged OEM stuff, so get root console access to one, and you find the vulns for an entire family of devices.
Nothing is totally secure though.
You'd better get onto the NSA with that insider knowledge, they'd love to hear from you.
Fact is, with the right conditions we have encryption security that's as close to uncrackable for all practical purposes. The problem comes with poor implementation of it, or people generally being people. A nice easy way to get malicious code inside a network (say a virus or a keylogger) is have an autorunning virus on a USB pendrive and then "lose" it in the car park, for instance.
Fine some things need to be on a network, but we seem to be putting a lot of crap on networks for no purpose, e.g. my Blu-ray player can be networked, but there really is no need for it to be.
It doesn't [i]need[/i] to be, no. But you might need a firmware update to play the latest discs; you might want to use it as a media header, streaming content from elsewhere to your TV; and then there's BD-Live of course.
You don't need it networked. But there's plenty of reasons why you might want to.
It's actually quite hard to do this well as it means once you've lost the password, the device is useless. What they should do is make the device inoperable until the password has been changed. So you plug your IP device in and it just sits there flashing lights until you set the new password via the admin device/app. THAT wouldn't be too hard to do.
Some Wifi boxes force you to change the default password when you first configure it, so you can't leave it as 'admin'.
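The "inoperable until the password has been changed" idea from the posts above, sketched as an added example (it is not code from any poster or vendor). The `Device` class, `FACTORY_DEFAULT` and the password list are hypothetical, and the reset is assumed to be a physical button.

```python
import hashlib
import hmac
import os

# Constructed values for illustration; not taken from any real product.
FACTORY_DEFAULT = "admin"
COMMON_PASSWORDS = {"admin", "1234", "12345678", "password", "00000000"}
MIN_LENGTH = 10


class Device:
    """Hypothetical firmware auth state: no services until a password is set."""

    def __init__(self):
        self._salt = None
        self._hash = None  # None means unprovisioned: only setup is allowed

    @property
    def provisioned(self):
        return self._hash is not None

    @staticmethod
    def _derive(password, salt):
        # Slow salted KDF, so a dumped flash image does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, new_password):
        """First-boot setup. Returns (ok, reason)."""
        if self.provisioned:
            return False, "already provisioned; log in or factory-reset"
        if new_password == FACTORY_DEFAULT or new_password.lower() in COMMON_PASSWORDS:
            return False, "default or common password rejected"
        if len(new_password) < MIN_LENGTH:
            return False, "too short"
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password, self._salt)
        return True, "provisioned"

    def login(self, password):
        if not self.provisioned:
            return False
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)

    def handle_request(self, service, password=None):
        """Gate every network service on the provisioning state."""
        if not self.provisioned:
            return "setup-required"
        if not self.login(password or ""):
            return "denied"
        return f"{service}: ok"

    def factory_reset(self):
        # Assumed to be reachable only via a physical button. It wipes the
        # credential, so a lost password does not make the device useless,
        # but the device drops back to setup-only mode.
        self._salt = None
        self._hash = None
```
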
It's somehow reflective of the society we live in that a communication system designed in large part to survive the destructive impact of nuclear war is now itself being held hostage by toasters.
As for the network thing, I have an insecure network thermostat in the house, just it's hidden behind a firewall, so not open to attack (unless the Firewall fails). If I really want to access it I can just VPN in to the LAN and then play with it...
Part of the problem has to be that people aren't aware that this stuff needs doing, or if they are aware it needs doing they don't know how to do it.
I recently bought an IP webcam to put in my daughter's nursery on my Wife's request so we can see if she'd actually woken up or is just snuffling around.
Anyway - the manual that came with it was simple at best. You pretty much downloaded an app to your phone, turned on the device & pressed a button on the app which played a high pitched old-style modem type noise that set-up the camera.
That was it. No explanation on passwords or securing the device from being hacked into.
And to be honest, while I have changed the default password I am not 100% confident that it can't be looked at outside our Wi-Fi network or how I would go about checking this.
I am not even sure how the camera works to be honest in terms of the data path from the camera, via the router to my phone/tablet for viewing.......
Same kinda thing with our router. I have changed the defaults, but am not sure whether that is enough....?
Probably need to dig a bit deeper.....
Oh, you mean like this:
[url= https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-control-brakes ]Team of hackers take remote control of Tesla Model S from 12 miles away[/url]
Stumpy, good question. The big thing with people finding the cameras and being able to eavesdrop was all around putting them directly onto the internet. Putting a NAT firewall in front of them and closing off the ports associated with the camera should stop/reduce that threat as the camera will not be searchable.
I can't say how secure the app or the back-end for it is, so if they get hacked, then you will have the same problem.
The solution I came up with was to use a Pi as a VPN server, open up that port only on the router inbound and then use the camera from the LAN. That pushes the security to the router, which I have marginally more faith in, given that I changed the passwords and locked it down.
It's still less than 100% faith though.
That router is also just another internet device where the consumer assumes it is secure. Security by obscurity maybe, hidden behind the changing of the default password and maybe (at a stretch) changing of the WiFi SSID (not that that really achieves much), and ensuring port forwarding is disabled by default (although any IoT things inside the network can easily break out and make themselves vulnerable).
The baby monitor could do anything from having a totally open WiFi, to making itself easily identifiable online, to sending everything via some server somewhere (probably not even secure, since ssh is too much faff). Or it could be quite secure, but not 100%.
willard - I ended up uninstalling the default app. It felt it took too much 'control' away from me, so I wasn't really sure what it was doing or how to configure it.
I downloaded an app called something like IP cam viewer, and you have to set it up to point it to the webcam you want to view.
This was a bit of a palaver, but I got there in the end & have managed to stop the dynamic IP address thing from changing the address of the camera whenever it felt like it. I think I have assigned an IP address to it via the router & have told the router to miss out a chunk of numbers when doling out IP addresses, leaving a range for me to assign if I need to. Something like that.
Most of your post though I can't fathom out. I probably could do if I had the time and/or inclination but I really don't understand a lot of the terms....
NAT firewall......not a clue
port - guessing this is an access point for a device & you can close/open these as required. I think you need port forwarding via a specific port to set-up the camera so it can be viewed over the internet away from the home network; but I wouldn't know how to do that - could probably find out if I had to...
VPN server - again......erm, I have heard of work computers connecting to the work servers 'over VPN' but quite what it means, whether it is relevant, whether I should be doing VPN stuff - no idea.....
That's just a general point really about this kind of stuff. I love technology & consider myself quite geeky, but a lot of this is just stuff that I don't really have the time to learn about thoroughly enough to understand. I am more 'nuts & bolts' geek than 0s & 1s......
And there's probably several various levels of 'couldn't give a shit....' above me towards the don't have a clue end of the scale who are happily out there connecting 'internet' stuff to their networks without really understanding the ramifications....
You'd better get onto the NSA with that insider knowledge, they'd love to hear from you.
What, the NSA that have a history of paying companies to have a back door?
[quote=andytherocketeer]That router is also just another internet device where the consumer assumes it is secure. Security by obscurity maybe, hidden behind the changing of the default password and maybe (at a stretch) changing of the WiFi SSID (not that that really achieves much), and ensuring port forwarding is disabled by default (although any IoT things inside the network can easily break out and make themselves vulnerable).[/quote]
The WiFi SSID is only really relevant if you've got somebody outside your house sniffing, though that's never supposed to be important for security. My router came with a randomised default password, though again that's only important if you've managed to hack the WiFi network - most of what is being discussed here is people going in via the internet. My router is secure to external attacks from that perspective, as by default there is no port forwarding and you can't log on to it from outside, hence it effectively protects any IoT devices on my WiFi network. I've not used huge numbers of different routers, but never come across one which enables port forwarding by default.
Which is why I'm kind of surprised by this whole story - I thought my network setup was fairly typical, are there really lots of people directly connecting IoT devices to the internet? Am I missing something in terms of security here? Sure an IoT device could break out (I'd think that relatively unlikely for most) - or more likely you could get a virus/worm on a computer which exposes access to your network. But that isn't what is being talked about here - it seems to be basic port scanning against which I'm secure.
What, the NSA that have a history of paying companies to have a back door?
Examples please.
Examples please.
[url= https://www.theguardian.com/us-news/2015/feb/23/nsa-director-defends-backdoors-into-technology-companies ]NSA director defends plan to maintain 'backdoors' into technology companies[/url]
^ Mike Rogers looks like a man you can trust ^ 😯
Oh god he heard me
NSA director defends plan to maintain 'backdoors' into technology companies
Yeah, I read that. "Maintain" in this context means "create" I believe, the article is him saying 'we need these' and the tech companies saying 'no chance.'
Well we do know that Cisco said that an NSA backed group had released malware that targeted their devices; they even issued a press release about it. Juniper also seemed to indicate an intentionally compromised algorithm for generating random numbers was created by the NSA enabling a backdoor.
Well we do know that Cisco said that an NSA backed group had released malware that targeted their devices; they even issued a press release about it.
But that, again, isn't Cisco being "paid off."
Just so we're clear, I'm not defending the NSA or saying that they're saints. I don't doubt for a fraction of a picosecond that they'd love a back door into high encryption techniques. What I'm contesting is the suggestion that the tech companies are complicit.
Juniper also seemed to indicate an intentionally compromised algorithm for generating random numbers was created by the NSA enabling a backdoor.
I don't know about Juniper specifically, but I do know a bit about this, it came to light a couple of years ago with the Snowden files (it was part of Bullrun). The NSA did indeed publish a poisoned RNG which was for a time widely used in encryption. RSA in particular, there were hotly denied allegations that they'd been paid off to use it (which is one reason I asked for examples, I wondered if the poster was referring to this or just being randomly tinfoil).
I think everyone assumes that the NSA goes to Microsoft and says "Here, install this backdoor in return for 1 bazillion dollars". In reality there is probably a situation where they say "Here, install this in your datacenter in return for nothing and if you tell anyone we did this, you go to jail"
What, the NSA that have a history of paying companies to have a back door?
Worse than that, they infiltrate standards bodies to try and weaken the encryption methods eg the dual elliptic curve method..
http://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
most of what is being discussed here is people going in via the internet. My router is secure to external attacks from that perspective, as by default there is no port forwarding and you can't log on to it from outside, hence it effectively protects any IoT devices on my WiFi network
It would protect IoT devices from direct access, ie attempting to connect to a specific port via the IP address that your ISP has given you today.
Sure an IoT device could break out (I'd think that relatively unlikely for most)
Breaking out is exactly what I expect many of these devices to do. Baby monitors, webcams, NAS devices, home heating/lighting etc. that you expect to be able to access from outside.
With portforwarding totally disabled from the outside, those devices will establish a connection from the inside to "a server somewhere on the net". Your app/phone/whatever connects via that external server, so any requests from outside go via that connection that's already established from inside.
I'm not surprised by the story. IoT devices often have naff all security. For many of these devices, security is not something that those designers and developers have had to worry about until now. And now they are using stock Linux based embedded distros, and hardcoding things for convenience.
The NSA did it to a Swiss company selling encryption for banking decades ago, so they have form. TBF the NSA and GCHQ effectively invented computers to crack codes, so it'd be a surprise if they weren't on top of things.
I think everyone assumes that the NSA goes to Microsoft and says "Here, install this backdoor in return for 1 bazillion dollars". In reality there is probably a situation where they say "Here, install this in your datacenter in return for nothing and if you tell anyone we did this, you go to jail"
I think it's perhaps closer to say "this is the standard, you have to use it if you want to be FIPS-compliant." Which is both less surprising and arguably more concerning.
@Cougar, I recall that one of the TLA agencies paid a large chunk of change to a company developing encryption in USA. My Google powers are failing me currently so no reference yet. Needless to say once the news got out the product was tainted as was the company.
This weekend some of the comentards on The Register were suggesting that a router running DD-WRT was the only way of properly securing your home network device from being recruited into a botnet. Firmware updates seem to be forgotten once the next device arrives on the market and DD-WRT (if your device will run it) is the only way to maybe keep a jump ahead.
Juniper Systems were the compromised company using Dual_EC.
ninfan - Member
It's somehow reflective of the society we live in that a communication system designed in large part to survive the destructive impact of nuclear war is now itself being held hostage by toasters.
INCOMING!
This weekend some of the comentards on The Register were suggesting that a router running DD-WRT was the only way of properly securing your home network device from being recruited into a botnet.
I'm not necessarily disagreeing but I'd love to see the logic behind it being the [i]only[/i] way.
Can you give me the link to that please?
I think it's perhaps closer to say "this is the standard, you have to use it if you want to be FIPS-compliant." Which is both less surprising and arguably more concerning.
Oh, absolutely. The thing is, the above, plus what I wrote are both absolutely the case 🙂
Hi Cougar [url= http://www.theregister.co.uk/2016/10/19/home_router_insecurity/ ]El Reg link[/url] The comment by Dwarf is what I based my comment above on.
Cheers for that, will read in the morning.
Apparently the main culprit is being recalled...
I'd love to know where the pressure came from for that recall. I can't imagine it was voluntary given that it is all of the webcams that they sold (pre 2016 I think)
Yep, I'm amazed. But given it's a cheap toy which still works fine as a camera, I suspect no one will actually return them.
I still think bricking them all is a good idea, that way they will get returned or binned...
I was wondering if those webcams were even products of a single company, or if they were an OEM thing rebadged under a whole host of brand names?
Good luck recalling that.
Remote bricking might be an option, but if there's a way for the manufacturer to brick them, whether that's the brand name mfr, or the mfr of the OEM reference design and firmware, then one thing you can guarantee is that there is a way for hackers to brick them remotely too.
DD-WRT has had and will have its share of vulnerabilities. The security of it comes more from those who would make the effort to use it being concerned about security. If manufacturers and ISPs were to ship it as standard the same problems would exist.
https://twitter.com/jjarmoc/status/789637654711267328




