Internet of Exploits (IoE)

I recommend that we start using new term I heard at Disobey.fi event: Internet of Exploits (IoE) is to be used to describe the current and future situation of network being filled exploitable Internet of Things (IoT) and other poorly secured networked devices.

We were sold the idea of Internet of Everything (IoE) and what we got is Internet of Exploits (IoE).

 

153 Comments

  1. Tomi Engdahl says:

    Jean-Louis Gassée / Monday Note:
    Amazon’s Echo stands out as antithetical to the typical cheap consumer electronics approach in IoT, from buggy Nest products to insecure lightbulbs

    The Internet of Poorly Working Things
    https://mondaynote.com/the-internet-of-poorly-working-things-cda7a147af#.5aybr2z5i

    In the mythical Land of Theory, where everything ‘just works’, we can connect all the objects in our lives. We have the sensors, the wireless networks, and the computing power, but progress is slow if not comically wrong. Why?

    Cerf’s pithy IP On Everything prophecy was simple, resonant, and inexorable: All objects in our lives will someday feature an IP Stack.

    Two decades later, where are we? Moore’s Law has given us a 2¹⁰ to 2¹³ improvement in chip performance. — that’s 1,000 to 8,000 times more computing power. Personal computers and smartphones are everywhere, well adopted, put to productive and enjoyable uses.

    With a three-orders-of-magnitude power increase and oceans of wireless data packets, surely we can endow our everyday objects with all sorts of sensory and connectivity magic.

    So how is it that we don’t have connected objects that Just Work?

    Of course, not all connected devices are so easily mocked; some devices are dead serious: home security, HVAC, almost any kitchen appliance — even our very smart toaster. And it’s not that the IoT doesn’t work. The situation is actually worse than that: The IoT randomly works. Devices stop and restart, they require visit to unsupportive customer support pages and helpless Your Call Is Important To US help lines (and now we have chatbots). If you think I exaggerate, google “Nest trouble” or “smart bulbs trouble”.

    With a tight budget and limited software know-how, the Consumer Electronics product development team is issued orders from on high: Get on the IoT train…now! They buy the cheapest possible processor, grab some software from the open source shelves, throw on a skimpy UI, hastily assemble and test, ship it.

    The meager budget doesn’t leave much room for user instructions and customer support, and sometimes leads to dubious design solutions.

    After a device has made it to the market, the real fun begins. Software updates are a problem when your connected lock or your connected car is in the middle of an update and you need to get in the house or drive to the emergency room.

    There’s another reason for disappointing adoption: Complexity. It’s one thing to power cycle your router when your internet connection slows to a halt. How do you debug a network of ten, twenty, more connected objects in your house, from light bulbs to locks and sprinklers, that run on a mixture of WiFi and something else such as ZigBee for LED lights that require a special bridge?

    Even tech experts are frustrated by the complexity. ‘In one out of 10 cases, I get in my car and my smartphone just won’t connect to the stereo system,’

    Then there’s the truly ugly side of Consumer IoT: security, or the lack of it. The lackadaisical, to be polite, approach to software leaves many connections open to hackers who can see passwords exchanged in clear text on home WiFi while they sit in a car parked outside the house. Or we see that 100M Volkswagen cars are open to wireless hacking. Using the One Cockroach Theory, how many more other makes of cars will be found to be insecure?

    On the bright side, we do have an Internet of Things that works: The industrial version. Modern buildings are equipped with sensors, connected HVAC, security and power management. But there’s no scrounging on the cost of devices, they must work and last, and the building owner has a technical team to install, maintain, and run the whole system.

    This is the lesson that Consumer Electronics makers must learn: A successful IoT can’t be built on the cheap.

    Amazon spared no expense in developing and supporting the Echo, and the investment has been repaid by excellent Word-of-Mouth. This is the antithesis of the cheap CE approach: A well-funded company with proven technical expertise in Cloud services, a successful history with Kindle devices, and, above all, a determined group playing the long game with Jeff Bezos at the helm.

    Reply
  2. Tomi Engdahl says:

    Linux Trojan Brute Forces Routers to Install Backdoors
    http://www.securityweek.com/linux-trojan-brute-forces-routers-install-backdoors

    A Linux Trojan that emerged more than a year ago is once again actively targeting routers in an attempt to install backdoors on them.

    Dubbed Linux.PNScan, the threat was detailed last year, when it was targeting mainly devices with ARM, MIPS, or PowerPC architectures. Now, security researchers from Malware Must Die! say that this ELF worm is hitting x86 Linux systems, with a focus on embedded platforms, specifically those in the “network area of Telangana and Kashmir region of India.”

    Last year, Doctor Web researchers suggested that the Trojan might have been installed on routers attacked by its authors, who exploited the ShellShock vulnerability running a script with corresponding settings. The threat, researchers said, was designed for the sole purpose of brute forcing routers and install a script on them which in turn would download a backdoor based on the router architecture (ARM, MIPS, or PowerPC).

    The worm Malware Must Die! researchers have observed recently appears to be Linux.PNScan.2, a variation of the original Trojan. Unlike Linux.PNScan.1, which attempted to crack login combinations using a special dictionary, this threat targets specific IP addresses and attempts to connect to them via SSH using one of the following combinations: root;root; admin;admin; or ubnt;ubnt.

    The malware, researchers say, is re-infecting i86 Linux machines in the specified target network, and it might have been doing so for the past six months, although it was believed to be inactive. The worm hits one embedded system, then scans for more and attempts to infiltrate them as well. The attacker, researchers suggest, might be of Russian origin.

    Reply
  3. Tomi Engdahl says:

    Auto Cybersecurity Dissected: Who, Where & What

    http://www.eetimes.com/document.asp?doc_id=1330355

    Thanks to the Jeep hack that led to Chrysler’s recall of 1.4 million vehicles last year, car OEMs today see automotive cybersecurity as a real-world problem that could ravage their bottom line.

    This change in perception, compared with just a year ago, is seismic.

    Incumbents in the computer world and embedded operating system companies — including Symantec, VMware, WindRiver, Green Hills — have joined the stampede.

    “Everything is gearing up” for cybersecurity technologies, said Egil Juliussen, director of research & principal analyst for automotive technology at IHS Markit.

    Yet, in reality, “Auto cybersecurity is still an emerging market” that comes with “minimal historical data on market size and market segments,” he acknowledged.

    “Any security is better than nothing if you have a vehicle with an embedded cellular module/modem or a smartphone integration solution,” noted Greg Basich, senior analyst at Strategy Analytics. “Given that the frequency of automotive hacks is increasing, and the media is paying attention, OEMs need to do something for their existing vehicle models and electronic architectures.”

    Reply
  4. Tomi Engdahl says:

    Embedded Evolution
    http://semiengineering.com/embedded-evolution/

    When a car is hacked or data stolen, who gets blamed? Normally the software, but it is hardware that really created the problem.

    Fast forward through a couple of decades (OK, three) and things are very different. Processing power is almost unlimited, if you are willing to accept multi-core architectures. On-chip memory exists by the gigabyte, and even off chip memory takes almost no space at all. So much can be integrated into a single die that the need for off-chip components is a fraction of what it used to be. But within those changes we have transferred a large part of the problem from hardware to software.

    Sure, they have almost unlimited horsepower and memory and huge libraries of software laying around for them to pick up and integrate, but they are probably less equipped to deal with some of the challenges they face today than they were 30 years ago. Ask a software engineer how long a task will take and it is unlikely that he can tell you the maximum time. He probably cannot even tell you an average time with a reasonable level of confidence.

    What we have created is a mess. We could have provided most of those gains in a much more controlled manner if we had imposed some changes or restrictions on software.

    Message-passing systems could have been much faster and a small amount of shared memory space would have eliminated the need for highly complex and costly cache coherence systems.

    The solution chosen was easy to implement at that time and appeared to have minimal impact. Both of those decisions turned out to be anything but easy or cheap. They have brought us to where we are today, with processing systems that are very difficult to utilize well, with insecure systems that allow one task to spy on another, with high overheads in silicon and a lack of tools for software engineers that would enable quality software to be produced.

    We are again trying to fix those flaws with yet more bandages—a little bit of hardware and some more software to try and recreate what could have been done in the first place. Hypervisors are placing restrictions on software that they cannot share memory. And while today that is at a coarse level of granularity, how long will it take before the industry agrees this was good and should be propagated further through the system? When will hardware do what it should have done from the beginning and create secure memory architectures and multi-processor cores implemented with high-speed message-passing systems?

    Sure, it would take time before the software engineering community was ready to fully take advantage of these new capabilities. But let’s face it, they still cannot use the “features” we gave them 20 years ago. It’s time for the hardware industry to accept they are the ones responsible for data breaches and hacked cars and stop blaming the software. It is time to start designing complete systems, rather than relying on the wall between hardware and software to make half the job easier at the expense of the other half.

    Reply
  5. Tomi Engdahl says:

    Plant Security: The Moving Threat, the Effective Response
    http://www.designnews.com/author.asp?section_id=1386&doc_id=281451&cid=nl.x.dn14.edt.aud.dn.20160902.tst004c

    As manufacturers take advantage of the efficiencies of connectivity, the expanded network opens up significant threats of cyber attack. Hacking criminals are getting more sophisticated as plants are becoming more vulnerable, a bad combination. Yet cybersecurity is advancing in its ability to ward off intrusions.

    Much has changed since the days when a plant network was wired. The danger of hacking existed, but the entry points were defined and protection was less complicated. The Industrial Internet of Things (IIoT) has created significantly greater exposure. “The IIoT is a significant challenge. First you do have a much larger attack surface. There is a proliferation of connected devices. Every new device brought onto the network is a target for hackers,” said Grau. “Plus, many of these devices are deployed outside of the current IT security perimeter. This creates significant new security challenges.”

    Embedded systems have made cybersecurity more complicated. For one, the usual IT security solutions are not as effective with embedded devices. Plus, the potential damage from an attack is greater. “Many of the IIoT devices are embedded systems that require new security solutions. Traditional IT and PC security approaches won’t work on these specialized devices,” said Grau. “If an IT system is hacked the consequence is data loss. If an IIoT system is hacked the power grid can go down, flights can be grounded, productions lines can be shut down, and real physical damage can be done. People can die.”

    Intrusion Detection

    Many cyber attacks are designed to be stealth operations where the attacker hides in the system and nabs data undetected. Consequently, intrusion detection has become a new front on the cyber battleground. “Intrusion Detection Solutions (IDS) for IIoT need to be customized to the nature of the devices. Small devices with limited resources need a solution tailored to the types of attacks they are likely to experience while not overwhelming the limited resources of the device,” said Grau. “At the same time, the sophistication of the Intrusion Detection Solution must scale up to support more powerful gateway and control systems.”

    Intrusion detection works from its ability to identify suspicious behavior in the network. IDS can spot cyber behavior that is outside the expected activity on the network. “The key is to monitor for, detect and report anomalous traffic,

    Preventing Attacks

    The backbone of effective cyber protection is knowledgeable professionals who keep abreast of new dangers as well as new prevention developments. Those professionals could be either trained employees or hired guns. “It requires a team of dedicated experts to keep up with the current attacks and cybersecurity countermeasures. Many OEMs are designating an internal cybersecurity champion to work with outside experts and cybersecurity firms to coordinate their solutions and ensure they are staying current and building the appropriate solutions,”

    Attackers Are Gaining Strength

    In recent years, the nature of cyber criminals has changed. Gone are the days of teenage showoffs or disgruntled employees. Hacking has become an organized criminal enterprise. “Attackers are becoming more sophisticated over time. They are learning about new vulnerabilities and developing automated attack tools to exploit those vulnerabilities,”

    Reply
  6. Tomi Engdahl says:

    Millions of embedded devices use the same hard-coded SSH and TLS private keys
    http://www.networkworld.com/article/3009139/millions-of-embedded-devices-use-the-same-hard-coded-ssh-and-tls-private-keys.html

    The keys were hard-coded by manufacturers and can be used by attackers to launch man-in-the-middle attacks

    Thousands of routers, modems, IP cameras, VoIP phones and other embedded devices share the same hard-coded SSH (Secure Shell) host keys or HTTPS (HTTP Secure) server certificates, a study found.

    By extracting those keys, hackers can potentially launch man-in-the-middle attacks to intercept and decrypt traffic between users and millions of devices.

    Researchers from security firm SEC Consult analyzed firmware images for over 4,000 models of embedded devices from more than 70 manufacturers. In them they found over 580 unique private keys for SSH and HTTPS, many of them shared between multiple devices from the same vendor or even from different ones.

    When correlating those 580 keys with data from public Internet scans, they found that at least 230 keys are actively used by over 4 million Internet-connected devices. Around 150 of the HTTPS server certificates they recovered are used by 3.2 million devices and 80 of the SSH host keys are used by 900,000 devices.

    SSH host keys are used to verify the identity of a device that runs an SSH server.

    SEC Consult’s analysis revealed that many embedded device manufacturers hard-code the same private keys across their own products. However, there were also cases where the same keys were found in products from different manufacturers.

    Those situations are typically the result of vendors building their firmware based on software development kits (SDKs) received from chipset makers, without bothering to change the keys that are already present in those SDKs.

    House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide
    http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html

    In the course of an internal research project we have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices we have looked at include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. We have specifically analyzed cryptographic keys (public keys, private keys, certificates) in firmware images. The most common use of these static keys is:

    SSH Host keys (keys required for operating a SSH server)
    X.509 Certificates used for HTTPS (default server certificate for web based management)

    In total we have found more than 580 unique private keys distributed over all the analysed devices. Correlation via the modulus allows us to find matching certificates.

    Reply
  7. Tomi Engdahl says:

    Security
    Level 3 Communications warns that various botnets are attacking devices and infecting them with malware. Most of those devices are Internet of Things devices, with 95% of such devices being cameras and digital video recorders, about 4% are home routers, and compromised Linux servers represent less than 1%, the company’s Level 3 Threat Research Labs says.

    Source: http://semiengineering.com/the-week-in-review-iot-16/

    Reply
  8. Tomi Engdahl says:

    Making Drones Secure
    http://semiengineering.com/making-drones-secure/

    Current-generation drones are imperiled by multiple security weaknesses. Is the semiconductor industry doing enough to address the problem?

    Critics have accused drones of creating multiple dangers, including invading privacy, colliding with other aircraft, threatening personal safety and even frightening livestock. Yet the biggest drone threat of all may turn out to be attacks made on the vehicles themselves.

    Radio control octocopter (Drone/ UAV) carrying SLR professional camera in the mid-air.

    Drones, also known as UAVs (unmanned aerial vehicles) and UASs (unmanned aerial systems), need a variety of internal components to work effectively. The list includes MEMS (such as accelerometers, gyroscopes, magnetometers and pressure sensors), GPS modules, processors and digital radios. Together, these components tell a drone where to go, how to orient itself and how to avoid collisions, among other things. Yet many of these same components can also be exploited to wrest control away from a drone’s authorized operator or onboard navigation system.

    “There’s a big variety of hardware modules, as well as supporting software and firmware that are used for different UAS configurations,” says Oleg Petrovsky, a senior research engineer at HP Enterprise Security Services. “Overall, each UAS has to have a flight controller, a receiver, electronic speed controllers, motors and, perhaps, a telemetry module. Each could be vulnerable to a number of physical and electronic type of attacks.”

    Reply
  9. Tomi Engdahl says:

    Internet of Threats
    http://smart-industry.net/making-world-safe/

    Today more and more everyday devices are interconnected. While they are certainly making life easier, they have also created new attack vectors for hackers. As we begin to enter the world of IoT it is important to be aware of and understand the new and expanded security risks involved and how to combat them.

    Now that we are going to connect everything to the Internet, new opportunities are arising for cybercrime. The IoT refers to any object or device which connects to the Internet to automatically send and/or receive data. These include automated devices which remotely or automatically adjust lighting or HVAC (heating-ventilationair-conditioning), security systems, such as security alarms or Wi-Fi cameras, including video monitors used in nursery and daycare settings, medical devices, such as wireless heart monitors or insulin dispensers, thermostats, wearables, such as fitness devices, modules which activate or deactivate lights, smart appliances, such as smart refrigerators and TVs, office equipment, such as printers, entertainment devices to control music or televisionfrom a mobile device, and fuel monitoring systems, just to name a few. As organizations and vendors rush to create a totally connected society, they are typically faced with two daunting questions.

    The first: How to develop products quickly enough to gain a time-to-market advantage, with the markets and applicable regulators dictating requirements and thus the level of investment in product security by vendors. And the second: How to embed security throughout the lifecycle of IoT product development, as this will result in higher costs and slower time to market, albeit clearly adding value in the short, medium, and long term. Both are tough questions, but unless cyber-security is considered in every phase of IoT development, including requirement setting, product design and developmental, as well as deployment, the problems companies have encountered with embedded systems in the past will seem like child’s play.

    A word of warning from the FBI

    A public service announcement by the Federal Bureau of Investigation released last September details a number of specific IoT risks, and it warns companies and the general public to be aware of new vulnerabilities that cybercriminals could exploit. Specifically, the FBI worries that exploiting the Universal Plug and Play protocol (UPnP) widely used in many modern IoT devices will be a pathway of choice for many cybercriminals.

    Other scenarios to Feds worry about are the possibility of compromising IoT device to cause physical harm, to overload them, thus rendering them inoperable, and to intercept and interfere with business transactions.
    On the other hand security leaks could be used by intelligence services to get access to areas of interest.

    In July 2015 Gartner published the fourth edition of the IoT Hype Cycle. IoT has the potential to transform industries and the way we live and work. This Hype Cycle helps enterprises assess the levels of risk, maturity and hype that are associated with a transformative trend.

    Predicting security for IoT

    Digital security is defined as a combination of current cybersecurity and risk practice with digital business practice to protect all digitalized assets of an organization, whether at the core of the enterprise or at its edge. It is the alignment of information security, IT security, operational technology security, IoT security and physical security to form cybersecurity solutions. An IoT business solution is a heterogeneous mix of several assets including IoT endpoints such as sensors, devices, multidevice systems, fleets, and actors, one (or more) IoT platform(s), and various nonIoT back-end systems which all have to be included into an overall security solution. An IoT platform is a software suite or cloud service (IoT PaaS) that facilitates operations involving IoT endpoints, cloud and enterprise resources. Looking for IoT platform offerings, the advice for CIOs, planners and architects not only should include device and its application software management, data aggregation, integration, transformation, storage and management, event processing, analysis and visualization, self-service user interface, but also security.

    To protect hardware and firmware from compromising attacks and assist in the delivering integrity and confidentiality of the data those systems process it is recommended to implement embedded software and systems (ESS) security which is practice and technology designed for engineers and developers. The requirements of ESS are complex, because the devices have long field lives, are often accessible to attackers, andneed policies and mechanisms for provisioning and patching. Cybersecurity planners and architects must gain a full understanding of these issues.

    Planning for IoT security

    Internet-connected computing capabilities related to smart building, industrial control systems and medical applications were the most commonly cited concerns after consumer products. While these types of applications do not receive much IoT hype in the press, the use of embedded computing in those devices will cause major breakage in existing IT management and IT security visibility, vulnerability assessment, configuration management and intrusion prevention processes and controls.

    Simultaneously, they need to address both existing as well as new technologies, seamlessly spanning both Information Technology (IT) and Operational Technology (OT) as well as subsystems and processes without interfering with operational business processes.
    The Industrial Data Space initiative which emerged from the research project Industrial Data Space (IDS) of the German Federal Ministry of Education and Research aims at creating a secure data space that supports enterprises of different industries and different sizes in the autonomous management of data.

    Cybersecurity for medical devices

    According to a new market research report “IoT Healthcare Market by Components, Application, End-User – Global Forecast to 2020”, published by MarketsandMarkets, the global IoT in healthcare market is expected to grow from US$ 32.47 Billion in 2015 to US$ 163.24 Billion by 2020. Thus security threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices and thus represents also dangers for the human being. Just imagine what could happen if somebody tries to remote control your pacemaker.

    In January, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect public health. The draft guidance details in a separate chapter “Medical Device Cybersecurity Risk”

    Reply
  10. Tomi Engdahl says:

    IoT Devices With Default Telnet Passwords Used As Botnet
    https://it.slashdot.org/story/16/09/11/1155202/iot-devices-with-default-telnet-passwords-used-as-botnet

    IoT devices, like DVR recorders or webcams, which are running Linux with open telnet access and have no passwords or default passwords are currently a target of attacks which try to install malware which then makes the devices a node of a botnet for DDoS attacks. As the malware, called Linux/Mirai, only resides in memory, once the attack has been successful, revealing if your device got captured isn’t so easy, and also analyzing the malware is difficult, as it will vanish on reboot.

    Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices.
    http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html

    Experts from MalwareMustDie have analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The name of the malware is the same of the binary,”mirai.*,” and according to the experts, several attacks have been detected in the wild.

    The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions as confirmed by the very low detection ratio in the VirusTotal online scanning service.

    “The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog.

    And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”

    This means that when the infections succeeded, it is not easy to distinguish an infected system by a not infected one, except than from the memory analysis, and we are talking about a kind of devices that are not easy to analyze and debug. The normal kind of analysis conducted from the file system or from the external network traffic doesn’t give any evidence, at the beginning.

    “Countries that are having Linux busybox IoT embedded devices that can connect to the internet, like DVR or Web IP Camera from several brands, and countries who have ISP serving users by Linux routers running with global IP address, are exposed as target, especially to the devices or services that is not securing the access for the telnet port (Tcp/23) service“

    At the moment for all the sysadmins who want to protect their systems there is a list of mitigations actions:

    If you have an IoT device, please make sure you have no telnet service open and running.
    Blocking the used TCP/48101 port if you don’t use it, it’s good to prevent infection & further damage,
    Monitor the telnet connections because the Botnet protocol used for infection is the Telnet service,
    Reverse the process looking for the strings reported in the MalwareMustDie detections tool tips.

    But, what we know about this Linux/Mirai ELF malware exactly, and why it is not so common among the malware analysts?

    Reply
  11. Tomi Engdahl says:

    Organizations must update network access policies to address attacks on IoT devices, says Gartner
    http://www.cablinginstall.com/articles/pt/2016/09/organizations-must-update-network-access-policies-to-address-attacks-on-iot-devices-says-gartner.html?cmpid=Enl_CIM_CablingNews_September122016&eid=289644432&bid=1524170

    By 2020, Internet of Things (IoT) devices will outnumber users with laptops, tablets or smartphones by more than 3x, predicts Gartner, Inc.

    By 2020, 21 billion of Internet of Things (IoT) devices will be in use worldwide, estimates the researcher. Of these, close to 6 percent will be in use for industrial IoT applications. However, IT organizations have issues identifying these devices and characterizing them as part of current network access policy, say technology analysts from Gartner. The researcher concludes that infrastructure and operations (I&O) leaders must therefore update their network access policies to seamlessly address the onslaught of IoT devices.

    “Many IoT devices will use the established bandwidth of the enterprise network provided by the IT organization (i.e. wireless 1.3 Gbps of 802.11ac Wave 1, or 1.7 Gbps of 802.11ac Wave 2). However, the researcher emphasizes that it is important that the IT organization works directly with facilities management (FM) and business units (BUs) to identify all devices and projects connected to the enterprise infrastructure and attaching to the network.

    Once all of the devices attached to the network are identified, the IT organization must create or modify the network access policy as part of an enterprise policy enforcement strategy. This should determine if and how these devices will be connected, as well as what role they will be assigned that will govern their access.

    In order to monitor access and priority of IoT devices, I&O leaders need to consider additional enterprise network best practices. These can be defining a connectivity policy, as many IoT devices will be connected via Wi-Fi; performing spectrum planning — many IoT devices may be using 2.4GHz, but may not be using 802.11 protocols such as Bluetooth, ZigBee or Z-Wave, which may create interference; or considering packet sniffers to identify devices that may do something undesirable on the network.

    While more IoT devices are added to the enterprise network, I&O leaders will need to create virtual segments. These will allow network architects to separate all IoT assets (such as LED lights or a video camera) from other network traffic, supporting each FM application or BU process from other enterprise applications and users.

    Reply
  12. Tomi Engdahl says:

    Monday, September 12, 2016
    LuaBot: Malware targeting cable modems
    https://w00tsec.blogspot.fi/2016/09/luabot-malware-targeting-cable-modems.html?m=1

    During mid-2015 I disclosed some vulnerabilities affecting multiple ARRIS cable modems. I wrote a blogpost about ARRIS’ nested backdoor and detailed some my cable modem research during the 2015 edition from NullByte Security Conference.

    Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any POC’s during that time because I was pretty sure that those vulnerabilities were easily wormable… And guess what? Someone is actively exploiting those devices since May/2016.

    The malware targets Puma 5 (ARM/Big Endian) cable modems, including the ARRIS TG862 family. The infection happens in multiple stages and the dropper is very similar to many common worm that targets embedded devices from multiple architectures.

    Reply
  13. Tomi Engdahl says:

    Home> Community > Blogs > Eye on IoT
    Zombie-proof your IoT design
    http://www.edn.com/electronics-blogs/eye-on-iot-/4442673/Zombie-proof-your-IoT-design?_mc=NL_EDN_EDT_EDN_today_20160913&cid=NL_EDN_EDT_EDN_today_20160913&elqTrackId=8c7e2111ba6b4537b6384b308c0bcee5&elq=45c9648aa602409c8f2fef230e54a088&elqaid=33840&elqat=1&elqCampaignId=29576

    Home> Community > Blogs > Eye on IoT
    Zombie-proof your IoT design
    Richard Quinnell -September 09, 2016

    inShare7
    Save Follow
    PRINT
    PDF
    EMAIL

    When asked about security features, many IoT device developers still express reluctance to implement protections. “There’s nothing hackers would want from this device,” many rationalize. But without cyber-security, your device risks being forced to join a zombie army known as botnet.

    In case you have not heard of them, botnets are collections of connected devices that are running malware allowing an external party to use them without the owner’s awareness. In particular, the abuser can make these connected devices accept and relay messages via their Internet connection. As the device user never sees these messages (they target a fourth party), this hijacking operation can go unnoticed indefinitely.

    While an individual device may not be particularly interesting to an abuser (aka, a bot-herder), an army of them can be very useful. Two of the most common uses for a botnet are distributed denial-of-service (DDoS) attacks and dissemination of spam emails.

    Traditional botnet recruits are insecure home network routers and personal computers. But with rising numbers of IoT devices in deployment, many of them with little to no security, the bot-herders are beginning to change their conscription targets. A recent survey reported in Dark Reading found a botnet based on the BASHLITE malware family with more than one million zombies, 96% of which were IoT devices.

    Without increases in security for next-generation IoT designs, such zombie armies can only be expected to grow.

    The problem, as many developers exclaim, is that “Security’s too expensive!” It’s true that many of the traditional security processes and algorithms require many more compute resources than small IoT devices can provide. Further, these processes and algorithms don’t scale down effectively to match resource constraints. But if adding security into a design seems expensive, consider the cost of not having it. Companies have already had their products tank and their reputations shredded, and sometimes been forced into million-dollar recalls, because their IoT designs had eschewed security. And everyone pays if the bot-herders build and unleash zombie armies based on your unprotected design.

    And cost may not be an issue for much longer. Devices like the Microchip ECC508 have started becoming available for tacking security onto microcontroller-based designs for under a dollar.

    So, developers thinking of creating a new IoT device should at least stop casually dismissing security and start considering it as seriously as every other design tradeoff.

    Reply
  14. Tomi Engdahl says:

    In the rush to bring the IoT to consumers, security and privacy are often overlooked. Rambus’ Aharon Etengoff advocates for a new paradigm to provide secure foundations for connected devices.

    Security is “often overlooked” for the IoT
    http://www.rambusblog.com/2016/09/14/security-is-often-overlooked-for-the-iot/

    The Online Trust Alliance (OTA) has determined that the overwhelming majority of publicly reported Internet of Things (IoT) vulnerabilities publicly disclosed over the last year could have been easily avoided.

    According Craig Spiezle, Executive Director and President of the Online Trust Alliance, security and privacy is often overlooked in the rush to bring connected devices to market.

    “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings,” he stated.

    The most glaring IoT security failures analyzed by the OTA included the omission or lack of rigorous security testing throughout the development process; the lack of a discoverable process or capability to responsibly report observed vulnerabilities; insecure or no network pairing control options and a lack of testing for common code exploits and limited transport security and encrypted storage for user IDs and passwords. Last, but certainly not least, the OTA found that a number of IoT devices lacked a sustainable and supportable plan to address vulnerabilities through the product lifecycle, including a dearth of software and firmware update capabilities, along with insecure and untested security patches and updates.

    “Security starts from product development through launch and beyond but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support,” said Spiezle. “Devices with inadequate security patching systems further opens the door to threats impacting the safety of consumers and businesses alike.”

    A new paradigm, designed from the ground up to provide secure foundations for connected devices, is clearly long overdue. Devices should be secured throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning.

    According to Steven Woo, VP of Systems and Solutions at Rambus, the semiconductor industry is slowly beginning to realize IoT security is a critical goal that needs to be treated as a first-class design parameter. Nevertheless, software is often selected as the security medium of choice because it is relatively simple to deploy and layer on top of existing systems.

    “It’s certainly no secret that software-based security can be hacked. However, a silicon-based hardware root-of-trust offers a range of robust security options for IoT devices. Enabled by Moore’s Law, integration of a silicon root-of-trust into IoT silicon makes a lot of sense. As more and more devices are brought online, the importance of heightened security will only increase. Providing hardware-based security via a root-of-trust is going to be very important going forward,” he added.

    OTA Finds 100% of Recently Reported IoT Vulnerabilities Easily Avoidable
    https://otalliance.org/news-events/press-releases/ota-finds-100-recently-reported-iot-vulnerabilities-easily-avoidable

    IoT devices could be used as weapons if security and privacy best practices are not followed

    The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, today announced that every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided. Specifically, OTA found had device manufacturers and developers implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the recently reported susceptibilities would have never occurred.

    “In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, Executive Director and President of the Online Trust Alliance. “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”

    Reply
  15. Tomi Engdahl says:

    Over 840,000 Cisco Devices Affected by NSA-Linked Flaw
    http://www.securityweek.com/over-840000-cisco-devices-affected-nsa-linked-flaw

    An IOS software vulnerability identified recently by Cisco while analyzing the firewall exploits leaked by the group calling itself Shadow Brokers has been found to affect hundreds of thousands of devices located around the world.

    The flaw, tracked as CVE-2016-6415, exists in the Internet Key Exchange version 1 (IKEv1) packet processing code of Cisco’s IOS, IOS XE and IOS XR software, and it can be exploited by a remote, unauthenticated attacker to access memory content that could contain sensitive information.

    In order to determine how many devices are affected by this vulnerability, The Shadowserver Foundation has conducted an Internet scan for the Internet Security Association and Key Management Protocol (ISAKMP), which is part of IKE.

    “We are querying all computers with routable IPv4 addresses that are not firewalled from the internet with a specifically crafted 64 byte ISAKMP packet and capturing the response,” the organization explained.

    Reply
  16. Tomi Engdahl says:

    Hosting Provider OVH Hit by 1 Tbps DDoS Attack
    http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack

    OVH, one of the world’s largest hosting companies, reported on Thursday that its systems were hit by distributed denial-of-service (DDoS) attacks that reached nearly one terabit per second (Tbps).

    Octave Klaba, the founder and CTO of OVH, revealed on Twitter that the company detected a “lot of huge DDoS” in the past days. A screenshot posted by Klaba shows multiple attacks that exceed 100 Gbps, including simultaneous attacks that totaled nearly 1 Tbps. The largest single attack recorded by OVH peaked at 799 Gbps and 93 MMps.

    This is not the only major DDoS attack reported in recent days. Earlier this week, investigative cybercrime journalist Brian Krebs said his blog, KrebsOnSecurity.com, had been targeted in an attack that peaked at 665 Gbps. While it hasn’t been confirmed, some evidence suggests that the attack was carried out in retaliation to a recent blog post exposing the operators of a booter service called vDOS.

    He pointed out that Akamai had been providing service at no cost. Before this attack, the largest DDoS attack mitigated by the company measured only 336 Gbps.

    CloudFlare is confident it can help and it has already offered its services to Krebs. The company’s founder and CEO, Matthew Prince, said they had seen this type of attack before.

    Krebs said the attack on his website appears to have been powered almost exclusively by a very large botnet of compromised IoT devices, such as webcams and routers, and no amplification has been used. The expert suggested the same “cannon” has also been tested against OVH and other organizations.

    Reply
  17. Tomi Engdahl says:

    150,000 IoT Devices Abused for Massive DDoS Attacks on OVH
    http://www.securityweek.com/150000-iot-devices-abused-massive-ddos-attacks-ovh

    The hosting provider OVH continues to be targeted by massive distributed denial-of-service (DDoS) attacks powered by a large botnet capable of generating significant attack traffic.

    The first major attack was reported last week by investigative journalist Brian Krebs, whose website had been hit by a 620 Gbps attack.

    OVH, one of the world’s largest hosting providers, later reported that its systems had been hit by simultaneous attacks that peaked at nearly 1 terabit per second (Tbps).

    According to Octave Klaba, the founder and CTO of OVH, the attacks are powered by more than 150,000 Internet of Things (IoT) devices, including cameras and DVRs, capable of launching attacks that exceed 1.5 Tbps.

    Reply
  18. Tomi Engdahl says:

    Disobey 2016 – Harry Sintonen – Pwning the Powersockets
    https://www.youtube.com/watch?v=6oh62GBkBuc

    Harry Sintonen presents results of his research into how (in)secure a certain IoT device is, and how it can be exploited.

    Reply
  19. Tomi Engdahl says:

    Sad reality: Look, no one’s going to patch their insecure IoT gear
    ‘Consumers are ready to roll the dice with their privacy every time they buy a gadget’
    http://www.theregister.co.uk/2016/09/29/internet_of_things_security_patching/

    If you think ordinary people are going to look out for and apply firmware fixes to patch vulnerabilities in the Internet of Things, you’re crazy.

    It’s going to be down to manufacturers to secure IoT devices, Intel Security’s chief technical strategist says, because consumers will cheerfully give away their security and privacy in the name of convenience.

    Scott Montgomery said time and time again non-geeks have shown little interest in the security of their IoT gizmos and were willing to put up with major security failings in things like home alarm systems and door locks in exchange for ease of use.

    “Internet security and privacy are already tricky and industry hasn’t done a great job of making it more accessible and easier – that’s on us,” he told the Structure Security conference in San Francisco on Wednesday. “But consumers are very, very ready to roll the dice with their privacy every time they buy a gadget.”

    A lot of manufacturers aren’t getting the message either, he noted, citing two particularly worrying cases.

    Medical equipment was also singled out for his scorn. There are thousands of health-related devices that are connected to the internet, he said, but there was little reason to do so and the results meant that you can pick up their data online with very little effort.

    “If you look at any dark web search engine you’ll be able to look at live MRIs going on right now,”

    However, industry has got the message on IoT security very clearly, he said, citing Exxon as being a clear leader in the field. The oil giant has been conducting a massive infrastructure overhaul with the intention of adding in IoT sensors from oil wells to refineries.

    As part of that, Exxon has told its suppliers to take a much firmer look at how these sensors can be locked down.

    US Homeland Security launches IoT willy-waving campaign
    Our policies are gonna be the best, ignore all the rest
    http://www.theregister.co.uk/2016/09/22/homeland_security_launches_iot_campaign/

    The US Department of Homeland Security has announced plans to make the internet-of-things just a bit more complicated – by trying to shove itself into the market with a new security framework.

    On Thursday, assistant secretary for cyber policy at the DHS Robert Silvers told the Security of Things Forum in Cambridge, Massachusetts, that his department had decided to develop “a set of strategic principles” for IoT manufacturers that would ensure that security is built into future products.

    While no one is going to disagree about the need for drastically improved security in this market, there are already a number of other government departments working on the issue, including the Federal Trade Commission (FTC), the Department of Commerce, and the Department of Transportation – begging the question why the DHS should get involved at all.

    Reply
  20. Tomi Engdahl says:

    Pisspoor IoT security means it’d be really easy to bump off pensioners
    Oi, digi-utopians. Start putting your house in order, says CW event speaker
    http://www.theregister.co.uk/2016/09/29/cambridge_wireless_iot_event_regulation_security/

    Two things are fixed on everyone’s minds when it comes to the Internet of Things: security and law. How does industry overcome the threats posed by these two hurdles?

    Speaking at yesterday’s Cambridge Wireless IoT event in London, Max Heinemeyer from Darktrace was all in favour of automating away the security problems.

    He advocated letting machine learning take the strain of countering IoT malware – precursors to the gigantic botnet that floored infosec journalist Brian Krebs’ website earlier this week – and the emerging threat of hijacks and botnets.

    “When I think about these new technology solutions,” said Heinemeyer, “I think what can save us from the IoT problem is to let machines do the heavy lifting. If you’ve ever worked in a security operations centre with signature detection systems, it’s not possible to keep them up to date manually.”

    I’ve told you about a problem, now here’s the solution

    A former member of the Chaos Communications Club hacker collective in Germany, Heinemeyer was – conveniently – able to put forward a machine learning solution made by his employers which just so happens to be a solution to the IoT security problem. He emphasised how, once installed, it learns how the client’s network operates over a period of two to three weeks and then act on unusual activity from there.

    “Earlier we heard of the DDoS attack against Brian Krebs with an IoT network. I jumped onto a client’s network and it took me three minutes to find an IoT device trying to attack Krebs,” said Heinemeyer, who identified the culprit device as a CCTV camera.

    Infamous “security tools” outfit Hacking Team was infiltrated by an IoT device modified to exploit a zero-day vulnerability, continued Heinemeyer, who gave a similar example of how one of Darktrace’s customers was attacked: “It wasn’t an attacker from the internet. Someone used chodan.io to find a fingerprint scanner. What he did then was guess the default admin password – which was [username] admin, [password] admin – got access to the administration toolkit, then used this to pivot into the main network.”

    Where does government and regulation fit in with the IoT, then? The 50-strong audience heard from Derek McAuley of the University of Nottingham, who left your correspondent with a vague sense of unease about the whole shebang.

    “We already live in a world where there’s a massive amount of regulation,”

    “There will be regulation on IoT in certain spaces,” he said. “We actually have to look at the individual sectors and the Things within these sectors and say ‘what regulation applies’?”

    Highlighting the US Federal Trade Commission’s webpage on “what to know about webcam hackers” and talking about how the FTC cracked down on firms selling shonky webcams with little or no built-in security features, McAuley said: “The regulation that was applied was nothing to do with technology, it was to do with consumer protection. Sanctions were applied and many of those companies shut down the next day.”

    He continued on this theme, highlighting how real-world regulations already apply to the Internet of Things – or rather, can be made to apply to it – and warned that the biggest challenge may not be impending regulation or security challenges alone, but also user confidence.

    FUD? Not so much – hyperbole masks a real problem here

    Showing the audience a schematic of someone’s connected house “pulled randomly from the internet,” complete with automatic garage doors, self-ordering fridge, the whole works, McAuley said: “What could go wrong with that?” The next slide was a news story titled “Automatic garage door openers: hazards for children,” and went on to explain a nasty incident where junior had got hold of a remote control and squashed himself in the garage door.

    “Unlike privacy,” he said, “you’re not going to be able to get fuzzy at the edges here. There’s one thing that’s common across the whole world: if you kill children with your technology, people are going to get angry and they’re going to come after you.”

    If you really take it to extremes, McAuley pointed out, you could even leverage the IoT as a real-world attack vector.

    Reply
  21. Tomi Engdahl says:

    Krebs Warns Source Code Leaked From Massive IoT Botnet Attack
    https://it.slashdot.org/story/16/10/02/2039229/krebs-warns-source-code-leaked-from-massive-iot-botnet-attack

    The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot…

    Now that the source code has been released online for that 620-Gbps attack, Krebs predicts “there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.”

    Source Code for IoT Botnet ‘Mirai’ Released
    https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

    Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

    Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.

    According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.

    “Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew, Level3’s chief security officer.

    Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.

    Reply
  22. Tomi Engdahl says:

    There is a conundrum here that a solution needs to be found that is effective but not so overly complicated that it cannot be accomplished by people unsophisticated enough to properly secure their IOT devices in the first place. However, advising people to reboot and change passwords may not be enough. Is there some information they can pull from their router that would indicate they are part of a botnet? Are there any relatively inexpensive and fairly plug and play appliances or apps that would provide indications or early warning for people who want to be conscientious about this but are not full-time cybersecurity professionals or researchers?

    “Reboot/unplug/replug/ the device, and/or reset it to its factory default settings (most devices have a tiny button you need to press and hold for this) and then change the default credentials.”

    Source: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

    Reply
  23. Tomi Engdahl says:

    It seems like these IoT devices should have been designed to initiate an outbound connection back the the vendor, and then the customers could remotely control their devices by simply connecting to the vendor’s website with a browser. Then the device would not have a public IP and therefore no Internet presence. The downside is that if an attacker managed to compromise the vendor’s server(s), then they have a one-stop shop for remotely controlling a LOT of people’s IoT devices.

    The other side is the vendor would charge for it and when the vendor decides to discontinue your device or your service, tough.

    Source: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

    Reply
  24. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Source code behind IoT device botnet Mirai, responsible for DDoS of KrebsOnSecurity, publicly released by Hackforums user — The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) …

    Source Code for IoT Botnet ‘Mirai’ Released
    http://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

    Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

    Reply
  25. Tomi Engdahl says:

    Stickers emerge as EU’s weapon against dud IoT security
    Whitegoods-inspired security rating scheme under discussion
    http://www.theregister.co.uk/2016/10/10/eu_commission_preps_iot_security_privacy_rules/

    The European Commission is readying a push to get companies to produce labels that reveal the security baked into internet-of-things things.

    The labelling effort is part of a broader push to drive companies to better handle security controls and privacy data in the notoriously insecure and leaky devices.

    Deputy head of cabinet Thibault Kleiner told Euractiv the Commission may push companies to develop labelling for secure internet-of-things devices.

    The stickers plan is modelled on labels applied to white goods and other domestic appliances, as consumers apparently understand this kind of labelling.

    The risk posed by sloppily-secured things was demonstrated neatly by a recent DDoS attack, rated the world’s largest to date, which emerged from a large internet of things botnet.

    Commission plans cybersecurity rules for internet-connected machines
    http://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/

    The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet.

    A new plan to overhaul EU telecoms law, which digital policy chiefs Günther Oettinger and Andrus Ansip presented three weeks ago, aims to speed up internet connections to meet the needs of big industries like car manufacturing and agriculture as they gradually use more internet functions.

    But that transition to more and faster internet connections has caused many companies to worry that new products and industrial tools that rely on the internet will be more vulnerable to attacks from hackers.

    EU lawmakers want to dispel those fears by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy.

    “That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,”

    Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure.

    There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.

    The internet of things is a catchphrase that has caught on with Brussels legislators and lobbyists, who use it to describe devices that haven’t used internet connection up until now—but will in the future, like connected cars that predict traffic or calculate ways to save fuel, or refrigerators that alert a person when they’re running out of food.

    The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings: Kleiner pointed to that as “something I’d apply to the internet of things”.

    Some hardware manufacturers are sceptical of the Commission’s plans to require certification for different parts of internet-connected devices and instead want hardware like SIM cards to be approved as security guarantees that can be used with appliances, Kleiner acknowledged.

    Reply
  26. Tomi Engdahl says:

    A SSHowDowN in security: IoT devices enslaved through 12 year old flaw
    http://www.zdnet.com/article/a-sshowdown-in-security-iot-devices-attack-devices-through-12-year-old-flaw/

    A vulnerability which has existed for over a decade in OpenSSH has led to today’s IoT devices being used in targeted attacks.

    A vulnerability which has existed for over a decade in OpenSSH has led to today’s IoT devices being used in targeted attacks.

    In what researchers call the “Internet of Unpatchable Things,” a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.

    The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.

    There is another edge to this sword — by connecting such vulnerable devices to the web, attackers can harness these products to create armies of traffic-generating systems which can be used to overload legitimate services.

    On Wednesday, cloud service provider Akamai Technologies released a report into rising IoT-based attacks which documented the discovery of cyberattackers utilizing a 12-year-old vulnerability in OpenSSH to remotely generate vast amounts of traffic in a recent spate of SSHowDowN Proxy attacks.

    The security flaw being exploited to create IoT slave networks, CVE 2004-1653, relates to OpenSSH default configurations which enables TCP forwarding and port bounces when a proxy is in use.

    While the vulnerability itself is nothing new, the research team found that the continual failure of IoT device vendors to secure IoT and implementing default and hard-coded credentials is throwing the door wide open for attackers to exploit them.

    Akamai says that SSHowDowN Proxy large-scale attacks are being made possible through millions of vulnerable devices, including CCTV, satellite antenna equipment, routers, and external storage products.

    Lax credential security has paved the way for attackers to access web admin consoles of vulnerable devices, create SSH tunnels and launch attacks only against internal networks which host IoT devices, but also “any kind of Internet target and against any kind of Internet-facing service such as HTTP, SMTP and network scanning,” according to the team.

    “We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,”

    “New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it,” Kobrin added. “We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

    change any factory and default credentials as soon as you activate your products, and for the more technically-minded, establishing inbound firewall rules which prevent SSH access from external forces will also improve security.

    CVE-2004-1653
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653

    Reply
  27. Tomi Engdahl says:

    Wi-Fi baby heart monitor may have the worst IoT security of 2016
    Gaping security holes, but a fix may be coming for Owlet
    http://www.theregister.co.uk/2016/10/13/possibly_worst_iot_security_failure_yet/

    Not long ago, top computer security researcher Jonathan Zdziarski was blessed with a new baby and did what a lot of parents do – spent money on gizmos to keep an eye on it.

    One of the devices was an Owlet – a sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to a nearby hub. This internet-connected home unit can then ping out an alert to the parent’s smartphones if anything is amiss.

    Zdziarski told The Reg that his suspicions about the device were first raised when he looked at the end-user license agreement, which has a big section indemnifying the company from litigation if the device malfunctions and the wearer dies. But he found even more worrying details when he started examining the device’s code.

    The Owlet base station encrypts data sent to and received from the manufacturer’s servers, which contact parents’ phones if needed. But the ad-hoc Wi-Fi network linking the base station to the sensor device is completely unencrypted and doesn’t require any authentication to access.

    A single unauthenticated command over HTTP can make the Owlet base station leave your home Wi-Fi network and join one of your choosing; you can also take control of the system and monitor a stranger’s baby and prevent alerts from being sent out.

    “This would be simple to do by someone scanning port 80 [on the Wi-Fi network], which the base station is locked into using,” he said. “The whole interface is non-authenticated, so if you go into the IP address for the base station you can delete specific Wi-Fi networks, disconnect the Wi-Fi altogether, and ultimately break the alerts.”

    Zdziarski also said that, based on a quick examination of the code, there didn’t appear to be a software update mechanism in place to fix these issues. Owlet has since told The Reg that there is an update mechanism that the company uses regularly.

    Reply
  28. Tomi Engdahl says:

    IoT Startup Taps Blockchain
    Industrial end nodes ride Bitcoin, LoRa
    http://www.eetimes.com/document.asp?doc_id=1330620&

    A startup is now in trials with a novel design for Internet of Things nodes targeting industrial uses. Filament wrote its own mesh networking protocol to significantly expand the range of LoRa networks and tapped the Bitcoin blockchain as part of its approach to security.

    Reply
  29. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Researchers: Friday’s internet outage, caused by DDoS attack on DynDNS, was powered in part by a Mirai-based botnet of DVRs and cameras with XiongMai components — A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites

    Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
    http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

    A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

    Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company

    Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

    According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.

    “It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

    “At least one Mirai [control server] issued an attack command to hit Dyn,”

    As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

    “The issue with these particular devices is that a user cannot feasibly change this password,”

    The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

    Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.

    Reply
  30. Tomi Engdahl says:

    That massive internet outage, explained
    https://www.cnet.com/how-to/what-is-a-ddos-attack/

    What even happened on Friday? Your favorite websites were down, and it was all because one company got attacked. Here’s how it happened, and why it’s likely to happen again.

    Why Friday’s Massive Internet Outage Was So Scary
    Hackers have turned our cheap electronic devices against us. And at this rate, it’s only going to get worse.
    https://newrepublic.com/article/138084/fridays-massive-internet-outage-scary

    Reply
  31. Tomi Engdahl says:

    Webcams used to attack Reddit and Twitter recalled
    http://www.bbc.com/news/technology-37750798

    Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.

    Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.

    They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.

    Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.

    The web attack enrolled thousands of devices that make up the internet of things – smart devices used to oversee homes and which can be controlled remotely.

    In a statement, Hangzhou Xiongmai said hackers were able to take over the cameras because users had not changed the devices’ default passwords.

    Xiongmai rejected suggestions that its webcams made up the bulk of the devices used in the attacks.

    “Security issues are a problem facing all mankind,” it said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

    It has also pledged to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack.

    Could this happen again?

    Yes, and it probably will. The smart devices making up the IoT are proving very popular with the malicious hackers who make their living by selling attack services or extorting cash by threatening firms with devastating attacks.

    Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. Running such a network is hard and often machines had to be rented for a few hours just to carry out attacks. Now anyone can scan the net for vulnerable cameras, DVRs and other gadgets, take them over and start bombarding targets whenever they want.
    Why should I care if my webcam is hijacked?

    For the same reason you would care if your car was stolen and used by bank robbers as a getaway vehicle.

    And because if your webcam, printer or DVR is hijacked you have, in effect, allowed a stranger to enter your home. Hackers are likely to start using these gadgets to spy on you and scoop up valuable data. It’s worth taking steps to shut out the intruders.

    Can the IoT-based attacks be stopped?

    Not easily. Many of the devices being targeted are hard to update and the passwords on some, according to one report, are hard-coded which means they cannot be changed.

    There is also the difficulty of identifying whether you are using a vulnerable product. A lot of IoT devices are built from components sourced from lots of different places. Finding out what software is running on them can be frustrating.

    Also, even if recalls and updates are massively successful there will still be plenty of unpatched devices available for malicious hackers to use. Some manufacturers of cheaper devices have refused to issue updates meaning there is a ready population of vulnerable gadgets available.

    Why are these devices so poorly protected?

    Because security costs money and electronics firms want to make their IoT device as cheap as possible. Paying developers to write secure code might mean a gadget is late to market and is more expensive. Plus enforcing good security on these devices can make them harder to use – again that might hit sales.

    Who was behind the massive web attacks?

    Right now, we don’t know. Some hacker groups have claimed responsibility but none of their claims are credible.

    Reply
  32. Tomi Engdahl says:

    24 hours in the life of my home router by Francisco J. Rodriguez
    http://securityaffairs.co/wordpress/52632/iot/24-hours-life-home-router.html

    Recently a massive DDoS attack has disconnected a large portion of users from the Internet, hackers exploited IoT devices. Is your router secure?

    “Are we ready to live in a world where all devices are exposed to cyber attacks?”

    Have you ever wondered happens in your home router and that threats lurk in the moment you press the power button?

    In this article, I intend to analyze the attacks and the cybersecurity events I have received in my personal router in Spanish ISP. This information may lead you to become aware of the high risk of having these devices connected to the web, even when we expose our lives on social media.

    We recommend you to visiting http://routersecurity.org/ to find more information about bugs and detected vulnerabilities in the last years to home routers and some recommendations.

    Reply
  33. Tomi Engdahl says:

    Device Makers Face Legal Trouble Over Internet of Things Attack
    http://fortune.com/2016/10/25/dyn-lawsuits/

    The legal test looks at consumer harms.

    Who should be held responsible for last week’s security breach that took out parts of the Internet?

    That question is becoming more pressing as regulators and the public begin to grasp the implication of the first major “Internet of things” attack, in which hackers hijacked millions of everyday devices such as security cameras and printers, and cut off access to major websites like Amazon and Twitter for hours at a time.

    Increasingly, the security community is focusing on the role of the device makers, whose products contained a major security flaw. Namely, the companies did not require consumers to change a default password, which is what made it so easy for hackers to conscript so many Internet-connected devices into the botnet army that carried out last week’s attack.

    Some of the companies, which include little-known Chinese manufacturers but also familiar names like Panasonic and Xerox, have begun a recall of the devices. But for now, many of their products remain out in the wild with their software “unpatched.” That means they remain compromised. Worse, hackers have released the source code to control the botnet army, meaning future attacks using devices of this nature are all but certain.

    This raises the question of whether the device makers should be held legally responsible. Even though they had no role in directing last week’s attack on the Internet, such an attack was not hard to foresee—especially since there have been reports of compromised cameras, and other Internet-enabled devices, for years.

    According to Michael Zweiback, an attorney with Alston & Bird and a former cyber-crime prosecutor, legal action is most likely to come in the form of lawsuits, and investigations by the Federal Trade Commission and state attorneys general.

    A harder question is whether U.S. consumers who purchased the compromised devices, which also include network routers and baby monitors, can bring lawsuits of their own.

    While class action lawyers may be watching the situation closely, a legal victory would be no sure thing. Even though the companies appear to have been negligent by failing to introduce tougher password protection, consumers would still have to show they were harmed. And right now the test for showing harm is unclear.

    The situation is different for Dyn, the Internet service company that was the direct target of last week’s attack by the millions of compromised devices, since the firm had to directly absorb the cost of the attack.

    Reply
  34. Tomi Engdahl says:

    Chinese Company Recalls Cameras, DVRs Used In Last Week’s Massive DDoS Attack
    https://www.techdirt.com/articles/20161024/08552535872/chinese-company-recalls-cameras-dvrs-used-last-weeks-massive-ddos-attack.shtml

    For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how “smart” fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.

    Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday.

    Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to… your cable DVR

    Brian Krebs notes that the lion’s share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack

    For what it’s worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year.

    And while that’s all well and good, that’s just one company. There are dozens upon dozens of companies and “IoT evangelists” that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they’re generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.

    Reply
  35. Tomi Engdahl says:

    Map shows which state have more unprotected cams
    https://www.hackread.com/firm-recall-webcams-after-dyn-ddos-attack/

    Remember, it was the Mirai botnet that played a vital role in the DDoS attack on Dyn servers. The fact that Mirai’s developer leaked its source code online also played a vital role in the rapid increase of this botnet. Last month, the same botnet was used for conducting the Internets largest ever DDoS attack of 1 Tbps on OVH hostings as well as the 665 Gbps attack on Brian Krebs blog by hacking over 145,000 webcams.

    If you own a security camera or any IoT device HackRead urges you to change their default login credentials now to avoid getting your device compromised and used in further DDoS attacks.

    Reply
  36. Tomi Engdahl says:

    Mirai Botnet Linked to Dyn DNS DDoS Attacks
    https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/

    Key Takeaways

    Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
    Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
    As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
    Flashpoint will continue to monitor the situation to ensure that clients are provided with timely threat intelligence data.

    Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.

    Reply
  37. Tomi Engdahl says:

    Your DVR Didn’t Take Down the Internet—Yet
    https://www.wired.com/2016/10/internet-outage-webcam-dvr-botnet/

    Last week ended with a mid-level internet catastrophe. You may have noticed that for most of Friday popular sites like Netflix, Twitter, Spotify (and yes, WIRED) were inaccessible across the East Coast and beyond. It’s still unknown who caused it, but by now we certainly know what: An army of internet-connected devices, conscripted into a botnet of unimaginable size. And who owns those devices? Well, lots of people are saying you do. As far as we know, they’re wrong.

    A Different DVR

    Let’s start with the silver lining: Despite what you may have heard, your webcam and DVR and baby monitor and smart refrigerator almost certainly aren’t complicit in last Friday’s collapse. You’re not an accessory to botnet. At least, not this time.

    It’s true that what took down the internet was a botnet comprising internet-connected devices, and that those devices included hundreds of thousands webcams and DVRs, two items many people keep in their homes. That’s not the type implicated in this attack, though. As it turns out, the type of botnet in question, called Mirai, recruits not the Late Show-recording computer your cable company installed, or to the Dropcam you point out the window.

    The zombie webcam army responsible for Friday’s mayhem instead consists of industrial security cameras, the kind you’d find in a doctor’s office or gas station, and the recording devices attached to them. Also? They’re mostly ancient, by technological standards.

    “Most of these were developed in 2004 on down the line,”

    Adding to the vulnerability of those creaking machines is that they’re often connected directly to modems, making it easier for hackers to gain control.

    “That’s one minor yet important factor here to consider,” says Allison Nixon, Flashpoint’s Director of Security Research. “If I plugged in one of these DVRs to my home network, it would not be publicly accessible. I would not even have to worry about the vulnerability.”

    That’s because smart home devices are typically tucked behind a firewall, on non-routable networks that don’t interact with the internet at large. “Typically those type of devices aren’t openly exposed to the Internet,”

    Chain of Command

    Many of the affected cameras and DVRs can be traced back to a single manufacturer: Hangzhou Xiongmai, a Chinese electronics company that has since recalled all of its potentially compromised products. Xiongmai makes what’s known in the industry as “white label” products, fully formed hardware or components that are sold to more prominent brands, which then distribute them under their own names. This makes it incredibly hard to tell if your small business is using compromised devices made by Xiongmai.

    “Some of these subcomponents have their own embedded operating system, with embedded default passwords in some cases,”

    Security experts are unsure if the Xiongmai recall will be successful; it’s hard enough to motivate people to return their car to the dealer, much less a security camera of unknown provenance. The path forward to prevent another devastating botnet attack is equally unclear. What the Mirai incident did show, though, is that IoT’s security problems run deeper than whatever name is on the box the device comes in. And that has implications beyond a large-scale internet outage.

    “Even though the DDoS was bad, it brings to light the failure around the supply chain management problem,” says Heiland.

    That ubiquity isn’t entirely without reason. The IoT market as a whole was worth $600 billion in 2014, according to a recent study from Grand View, which expects it to grow to nearly two trillion dollars by 2022. With numbers that robust, what company wouldn’t want a sliver?

    The problem with this proliferation, though, is that not all of these companies are skilled at connecting appliances and other electronics to the dangerous wonderland that is the internet. Fortunately for them, competence has not been a barrier to entry. Not as long as there are white label providers like Xiongmai.

    “So many vendors that are making available IoT-based technology don’t necessarily have any idea how to produce those products,” says Heiland. “There’s a toothbrush company out there with embedded technology in their toothbrush now. They may not understand security implications, or have a solid security management program, so when issues are identified they don’t know how to fix the problems, or even know how to approach those problems.”

    More can go wrong than just a botnet. In one high-profile supply chain issue, insecure, internet-connected baby monitors from several different manufacturers allowed voyeurs to watch (and even talk to) small children from half a world away.

    So no, your DVR didn’t bring down Spotify last week, and your webcam didn’t crash Reddit. That honor goes largely to more industrial products. That doesn’t mean they’re necessarily safe, though. Or if they are, that they’ll stay that way.

    “People shouldn’t be afraid of their light bulb,” says Wikholm. Yet. But you should be aware that if it has an internet connection, that bulb could be turned against you.

    Reply
  38. Tomi Engdahl says:

    Botnet Recall of Things
    http://hackaday.com/2016/10/26/botnet-recall-of-things/

    After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

    Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 300 million of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords.

    Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

    Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords

    Reply
  39. Tomi Engdahl says:

    DDoS-Capable IRCTelnet IoT Botnet Emerges
    http://www.securityweek.com/ddos-capable-irctelnet-iot-botnet-emerges

    A new malware family targeting Internet of Things (IoT) devices to ensnare them into distributed denial of service (DDoS) botnets has emerged.

    Dubbed Linux/IRCTelnet (New Aidra), the new botnet is built on the core code of Aidra, a previously known IoT malware family designed to launch DDoS attacks. What’s more, the threat shows some similarities with Tsunami/Kaiten (uses the same IRC protocol), with BASHLITE (IRCTelnet uses the same telnet scanner and infection’s injection code as this malware), and with Mirai (uses its leaked credential list).

    Targeting routers and modems, the newly spotted malware features encoded command and control (C&C) information, as well as hardcoded Italian language messages in the communication interface, a security researcher going by the name of unixfreaxjp explains. The new botnet can launch DDoS attacks using UDP floods and TCP floods, along with other techniques, and uses both IPv4 and IPv6 protocols.

    The security researcher notes that the new piece of malware was observed infecting almost 3,500 hosts within only 5 days after it has been first detected. The malware uses telnet scans and brute force attacks for infection and the first infection campaign was observed on October 25.

    Reply
  40. Tomi Engdahl says:

    Belkin WeMo Devices Expose Smartphones to Attacks
    http://www.securityweek.com/belkin-wemo-devices-expose-smartphones-attacks

    Researchers from Invincea have identified serious vulnerabilities in Belkin WeMo home automation devices and their associated Android application. The vendor has fixed the mobile app and will soon release firmware updates to patch the device flaws.

    Belkin WeMo products are designed to allow users to control their home electronics from anywhere. The product line includes smart switches, cameras, coffeemakers, lightbulbs, humidifiers, heaters and even slow cookers.

    Researchers disclosed several serious vulnerabilities in this Belkin product line back in 2013 and 2014. Due to the popularity and significant market share of these devices, Invincea Labs researchers Scott Tenaglia and Joe Tanen decided to take another look at WeMo products and discovered two serious flaws that can be exploited for various types of malicious activities.

    One of the issues found by Tenaglia and Tanen can be exploited to remotely gain root access to a WeMo gadget. When users program these Internet of Things (IoT) devices — for example, setting a switch to turn off at a specified hour, or changing a slow cooker’s heat setting after a certain time — they actually create a set of rules. These rules, created and managed via the WeMo Android application, are stored in a SQLite database that is uploaded to the device. The device unpacks the file, pulls the rule information via SQL queries, and updates the rules stored in its memory.

    The problem is that the value of a column in the rule database is not sanitized, allowing an attacker to insert a specially crafted value.

    Interestingly, once the attacker gains root access to the WeMo device, they actually have more privileges than a legitimate user. The only way for the user to remove the malware is through a firmware update from the vendor, but experts warned that the attacker can easily break the firmware update process and prevent the victim from regaining access to their device.

    The second vulnerability found by Invincea researchers, the one affecting the WeMo Android app, is a cross-site scripting (XSS) issue. An attacker who has network access to a vulnerable WeMo device can execute arbitrary JavaScript code in the context of the Android application.

    Reply
  41. Tomi Engdahl says:

    Why Light Bulbs May Be the Next Hacker Target
    http://www.nytimes.com/2016/11/03/technology/why-light-bulbs-may-be-the-next-hacker-target.html?_r=1

    The so-called Internet of Things, its proponents argue, offers many benefits: energy efficiency, technology so convenient it can anticipate what you want, even reduced congestion on the roads.

    Now here’s the bad news: Putting a bunch of wirelessly connected devices in one area could prove irresistible to hackers. And it could allow them to spread malicious code through the air, like a flu virus on an airplane.

    Researchers report in a paper to be made public on Thursday that they have uncovered a flaw in a wireless technology that is often included in smart home devices like lights, switches, locks, thermostats and many of the components of the much-ballyhooed “smart home” of the future.

    The researchers focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs

    That may not sound like a big deal. But imagine thousands or even hundreds of thousands of internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them.

    And they wouldn’t have to have direct access to the devices to infect them: The researchers were able to spread infection in a network inside a building by driving a car 229 feet away.

    Just two weeks ago, hackers briefly denied access to whole chunks of the internet by creating a flood of traffic that overwhelmed the servers of a New Hampshire company called Dyn, which helps manage key components of the internet.

    The new risk comes from a little-known radio protocol called ZigBee.

    The researchers found that the ZigBee standard can be used to create a so-called computer worm to spread malicious software

    So what could hackers do with the compromised devices? For one, they could create programs that help in attacks like the one that hit Dyn. Or they could be a springboard to steal information, or just send spam.

    They could also set an LED light into a strobe pattern that could trigger epileptic seizures or just make people very uncomfortable. It may sound far-fetched, but that possibility has already been proved by the researchers.

    The researchers showed that by compromising a single light bulb, it was possible to infect a large number of nearby lights within minutes.

    “We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack,” Beth Brenner, a Philips spokeswoman, said in an emailed statement.

    Reply
  42. Tomi Engdahl says:

    Hackers attacked the Lappeenranta based property boiler room

    Denial of service via a network cut off the heat distribution in at least two premises in Lappeenranta Finland. Attack poured both properties of heat distribution of the supervisory computer. Denial of Service Attack (distributed denial of service attack, DDoS) is knocked down in Lappeenranta two properties of heat distribution cared computer, Etelä Saimaa (Southern Saimaa) magazine reported on.

    - In these houses apartments heating and hot water heating went off

    - The unit’s own internal control system seeks to correct such jamming launching unit to the controlling computer again. Now devices increasingly started again and again, which switched heating control off, Rounela says.

    - This kind of problem is easy to fix once you know what it is about.

    Attack continued last week, several days until Thursday.

    Sources:
    http://www.tivi.fi/Kaikki_uutiset/verkkoisku-kylmensi-useita-taloja-suomessa-es-lammitys-ja-kuuma-vesi-pois-paalta-6597180?utm_source=Tivi_Uutiskirje&utm_medium=email&utm_campaign=Tivi_Uutiskirje
    http://www.esaimaa.fi/Online/2016/11/06/Hakkerit%20iskiv%C3%A4t%20lappeenrantalaisen%20kiinteist%C3%B6n%20pannuhuoneeseen/2016121454255/4?utm_source=dlvr.it&utm_medium=twitter

    Reply
  43. Tomi Engdahl says:

    Timothy J. Seppala / Engadget:
    Researchers demo weakness in ZigBee wireless protocol and Philips Hue, replacing lightbulb firmware from 350 meters away with worm that spreads across devices

    Hackers hijack Philips Hue lights with a drone
    From a quarter mile away.
    https://www.engadget.com/2016/11/03/hackers-hijack-a-philips-hue-lights-with-a-drone/

    Surprise! The Internet of Things is a security nightmare. Anyone who was online a few weeks ago can attest to that. The massive internet blackout was caused by connected devices, and new research from white-hat hackers expounds upon those types of vulnerabilities. The target? Philips Hue smart lightbulbs. While they’ve been hacked in the past, Philips was quick to point out that it happening in a real-world situation would be pretty difficult. Digital intruders would need to already be on your home network with a computer of their own — the company claimed that directly attacking the lightbulbs wasn’t exactly feasible. But this new attack doesn’t require that sort of access.

    In fact, all it takes is tricking the bulbs into accepting a nefarious firmware update. By exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system (again!), the hackers were able to bypass the built-in safeguards against remote access. From there, they “extracted the global AES-CCM key” that the manufacturer uses to encrypt and authenticate new firmware, the researchers write (PDF).

    “The malicious firmware can disable additional downloads, and thus any effect caused by the worm, blackout, constant flickering, etc.) will be permanent.” What’s more, the attack is a worm, and can jump from connected device to connected device through the air. It could potentially knock out an entire city with just one infected bulb at the root “within minutes.”

    IoT Goes Nuclear:
    Creating a ZigBee Chain Reaction
    http://iotworm.eyalro.net/iotworm.pdf

    Reply
  44. Tomi Engdahl says:

    IoT Worm Could Hack All Smart Lights in a City
    http://www.securityweek.com/iot-worm-could-hack-all-smart-lights-city

    Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.

    The research was conducted by experts from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada. In their experiments, they targeted Philips Hue, as this is considered one of the most popular smart lighting products in the world.

    The worm developed by experts relies on the ZigBee wireless technology to spread from one smart lamp to another. Philips Hue products use ZigBee communications as part of ZLL (ZigBee Light Link), a global standard that allows consumers to remotely control LED fixtures, light bulbs, timers and switches. According to the ZigBee Alliance, the technology has a range of 70 meters (230 feet) indoors and 400 meters (1,300 feet) outdoors.

    Experts calculated that in a city the size of Paris, which has 105 square kilometres (41 square miles), just over 15,000 randomly located smart lights would be enough for the worm to spread in the entire city from a single malicious bulb. Researchers showed in a real-world experiment that the malware can also be delivered by driving around and targeting all Hue lights in the car’s path (i.e. wardriving) and by using a drone (i.e. war-flying).

    “By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes,” researchers explained in their paper.

    Once it infects a device, the malware enables the attacker to switch the lights on or off, permanently brick them, or abuse them for massive distributed denial-of-service (DDoS) attacks.

    IoT Goes Nuclear:
    Creating a ZigBee Chain Reaction
    http://iotworm.eyalro.net/iotworm.pdf

    Within the next few years, billions of IoT devices will
    densely populate our cities. In this paper we describe a new
    type of threat in which adjacent IoT devices will infect each
    other with a worm that will spread explosively over large areas
    in a kind of nuclear chain reaction, provided that the density
    of compatible IoT devices exceeds a certain critical mass. In
    particular, we developed and verified such an infection using
    the popular Philips Hue smart lamps as a platform. The worm
    spreads by jumping directly from one lamp to its neighbors,
    using only their built-in ZigBee wireless connectivity and their
    physical proximity. The attack can start by plugging in a single
    infected bulb anywhere in the city, and then catastrophically
    spread everywhere within minutes, enabling the attacker to
    turn all the city lights on or off, permanently brick them,
    or exploit them in a massive DDOS attack.

    Reply
  45. Tomi Engdahl says:

    ArduWorm: A Malware for Your Arduino Yun
    http://hackaday.com/2016/11/11/arduworm-a-malware-for-your-arduino-yun/

    We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read.

    The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990’s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable.

    In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.

    ArduWorm: A Functional Malware Targeting Arduino Devices
    http://www.seg.inf.uc3m.es/papers/2016JNIC.pdf

    Reply
  46. Tomi Engdahl says:

    15 IoT Devices Running on 7 Apps?
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1330853&

    At Embedded Technology conference here, NXP executive broached the touchy topic of “smart home delays.”

    Given that the Internet of Things has become the biggest growth driver for semiconductors, the electronics industry’s love affair with IoT won’t be breaking up anytime soon. Except maybe with the whole idea of smart homes.

    Some chip vendors are finally acknowledging – publicly – what we’ve suspected all along:

    IoT is great for businesses angling to benefit from big data collection. But, really, what’s in it for us, the lowly consumers?

    I’ve been through the hype cycle for connected thermostats, smart lighting and connected door bells.

    Still, he raises a legitimate issue about smart homes. Beyond giving consumers the ability to turn lights on and off via smartphones, what else is there? “A lot of players [in the IoT space] overlooked the consumer experience,” Noel noted.

    15 connected devices on 7 apps
    He talked about a colleague — let’s call him Bob — who spent his own money to install 15 devices for his so-called smart home. These gadgets ranged from a smart thermostat to smart lights, intelligent door locks and high-IQ security cameras.

    Each one ran on a different app. So Bob ended up juggling, on his smartphone, “seven different apps,” from Apple’s Homekit to Samsung’s SmartThings to control 15 connected IoT devices.

    The end result? You guessed it. One frustrated spouse married to a geek husband who outsmarted himself.

    Each connected device must go through a commissioning process in the home network. Bob was surprised to find out that each smart lightbulb he installed lit up in the sequence in which he had screwed it in.

    Finding out your so-called smart home is not so smart after all would be a huge letdown for most consumers, especially after spending some 40 hours in installation (in the case of Bob).

    Hackers getting aggressive
    It turns out concerns expressed by 47 percent of consumers who cited “privacy risk/security concerns” as a barrier to IoT adoption in the Accenture report released earlier this year reflect verifiable problems.

    Look no further than a series of attacks on the Internet’s infrastructure last month, causing shutdowns in major services such as Twitter, Spotify and PayPal for many users around the world.

    Noel said, “Two years ago, people [developing IoT devices] didn’t think about security.”

    Hackers are becoming more aggressive. We now know that an army of vulnerable gadgets took down the Web. More important, hackers don’t need to be highly skilled to replicate attacks. They can mimic and piggyback on other hackers’ work

    Noel went on, “By the end of 2015, security researchers found with the help of Censys (a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.) that lazy manufacturers of home routers and IoT devices have been reusing the same set of hard-coded cryptographic keys, leaving around 3 million of IoT devices open to mass hijacking.”

    Attack surfaces on IoT devices are many. Hackers can remotely attack the connection between Internet and service providers. They can scan the link and install malware. Impersonating IoT gateways or cloud service, or brute force credential guessing are certainly possible

    Once inside the connected home, hackers can make physical attacks on IoT devices through key extraction or reverse engineering. Eavesdropping, sniffing, spoofing and replay injections, for example, can enable local attacks.

    The results include stolen data, denial of service, physical malfunctions and even system hijacks and ransoming, the NXP executive explained.

    Completely unexploited
    In designing an IoT device, “You need to start with zero assumptions,” stressed Noel.

    It’s not as though no tools exist to prevent some hacking on each application. There are also programming tools to detect bugs in software.

    The hard reality is that “a lot of tools are completely unexploited,” said Noel.

    But Noel acknowledged that the company is finding out IoT security to be a whole different kettle of fish.

    A lot more players are participating in the open IoT ecosystem. They are operating in much more accessible, but fragmented market segments, using open API, he explained.

    This wide-open world makes security for connected smart home devices a lot more challenging.

    Reply
  47. Tomi Engdahl says:

    Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking
    D1000 can be directed to drop its firewall, allowing access to panel over the internet
    http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

    Eir, Ireland’s largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover.

    Earlier this month, a security researcher writing under the name “kenzo” has posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem.

    The ZyXEL-built Eir D1000 [PDF] comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir’s network. According to kenzo, the modem includes a TR-064 server for LAN-based configuration, to allow ISPs to set up software on the device. It’s not supposed to be accessible from the internet, but apparently it is.

    TR-064 commands can be used, among other things, to fetch Wi-Fi security keys and to set up an NTP server that disables the modem firewall, thereby opening the administration interface on port 80.

    “By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall,”

    A compromised modem could be used to attack other devices on the network or as part of a botnet.

    Last week, posting under the Twitter handle “Bobby ‘Tables”, Darren Martyn, a security researcher with Insecurity.net and former LulzSec hacker, appeared to confirm the vulnerability.

    https://twitter.com/info_dox/status/798600983437869057

    Reply
  48. Tomi Engdahl says:

    Google, other tech giants outline ways to improve IoT security
    They think it’s time to close security loopholes in connected home devices.
    https://www.engadget.com/2016/11/22/google-other-tech-giants-outline-ways-to-improve-iot-security/

    Google, Intel, Microsoft, Verizon, Comcast, Time Warner Cable and a handful of other tech industry giants joined former FCC Chief Technologist Dale Hatfield to form the Broadband Internet Technical Advisory Group in 2010, in an attempt to develop a set of best practices for broadband management and security. Today, BITAG laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things.

    Connected home devices occupy the wild west in terms of security and privacy practices; there’s little to no regulation in terms of the software that powers smart homes. BITAG says some IoT devices have security vulnerabilities relating to outdated software, unauthenticated and unencrypted communications, data leaks, malware, and service interruptions.

    This isn’t just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.

    BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices.

    http://www.bitag.org/documents/Press_Release_-_Announcing_Publication_of_BITAG_Report_on_IoT_Security_and_Privacy_Recommendations.pdf

    Reply
  49. Tomi Engdahl says:

    Sh… IoT just got real: Mirai botnet attacks targeting multiple ISPs
    Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege
    http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/

    The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.

    Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.

    It’s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.

    Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: “The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.

    “So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they’re experiencing a problem.”

    Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.

    “The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.”

    Reply
  50. Tomi Engdahl says:

    Bluetooth-enabled safe lock popped after attackers win PINs
    If you use one, stop now. If you write heist movies, write safe-crackers out of your script
    http://www.theregister.co.uk/2016/12/15/bluetooth_commercial_safe_lock_popped_attackers_win_pins/

    Attackers can locate and pop safes protected with high security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon say.

    The SecuRam ProLogic B01 locks are badged as the industry’s only Bluetooth-packing lock for safes that can be paired with smartphones.

    “The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away,” the team says.

    “… attackers can execute cheap and practical attacks to locate and map these devices, know when they are unlocked over Bluetooth low energy (BLE), and extract the PIN with which they were unlocked.

    “We have contacted SecuRam about this vulnerability, but since these devices are not capable of over-the-air firmware updates, it does not look promising that they will be patched.”

    Attackers could identify the devices by wardriving with an Ubertooth One and a 5dBi antenna capable of detecting the locks from the maximum 90 metres distance.

    If you use ‘smart’ Bluetooth locks, you’re asking to be burgled
    The bad ones send passwords in plaintext, the good ones can’t survive a screwdiver
    http://www.theregister.co.uk/2016/08/08/using_a_smart_bluetooth_lock_to_protect_your_valuables_youre_an_idiot/

    DEF CON Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit and some can be broken into from 400 metres away.

    In a presentation to the DEF CON hacking conference in Las Vegas security researcher Anthony Rose detailed how to hack these supposedly smart locks with using the US$100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle.

    “Smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren’t bothered about fixing their hardware.”

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*