Distributed Censorship Or Extortion? The IoT Vs Brian Krebs

Now it’s official. The particular website that was hit by a record-breaking distributed denial of service (DDOS) attack that we covered a few days ago was that of white-hat security journalist [Brian Krebs]: Krebs on Security.

During the DDOS attack, his site got 600 Gigabits per second of traffic. It didn’t involve amplification or reflection attacks, but rather a distributed network of zombie domestic appliances: routers, IP webcams, and digital video recorders (DVRs). All they did was create HTTP requests for his site, but there were well in excess of 100,000 of these bots.

In the end, [Krebs’] ISP, Akamai, had to drop him. He was getting pro bono service from them to start with, and while they’ve defended him against DDOS attacks in the past, it was costing them too much to continue in this case. An Akamai exec estimates it would have cost them millions to continue defending, and [Brian] doesn’t blame them. But when Akamai dropped the shields, his hosting provider would get slammed. [Krebs] told Akamai to redirect his domain to localhost and then he went dark.

The Democratization of Censorship

[Krebs’] takeaway from the whole event is summarized in his blog post (now that he’s back online): “The Democratization of Censorship“. It’s worth a read, and we’re not going to try to one-up [Brian Krebs]. His basic point, however, is that it used to take a nation-state to censor information on the Web — strongman regimes or agencies with spooky contacts in big ISPs. But if any script-kiddie can leverage IoT devices with hardcoded passwords to pull selected websites off the Net, the game has fundamentally changed.

You’d have to be a fairly dedicated anarchist to say that this is a good development. After all, we haven’t traded government censorship and surveillance for private censorship. There’s just another actor on the stage, and what’s worse, that other actor is criminal. We understand that [Krebs] meant it in an ironic sense, but “democratization” is such a nice word that we hate to see it used here.

projectshield-580x381[Krebs] also makes the case that sufficiently motivated groups can now effectively silence journalists, and makes the case for thinking about how we can protect free speech on the Internet. For his part, [Krebs] is now hosted as part of a Google project (Project Shield) that aims to mitigate such attacks. (Ironically, Google still thinks of its adversary as “powerful institutions” rather than “some dude in his basement”.)

Organized Crime

The timing makes it look like it was the “vDOS” folks who were selling DDOS services, and two of whom are now in jail. They had a beef with [Brian] and they took him down. But while in [Krebs’] case it probably was personal and an issue of censorship, in the majority of cases it’s just about money.

725_ly9jb2ludgvszwdyyxbolmnvbs9zdg9yywdll3vwbg9hzhmvdmlldy8wzmmxzmq2m2iyzjiwm2izywmwmjhlzgvlmjjimwrinc5wbmcIn the last few years, ransomware has become so widespread that people outside the security community have even heard of it. But DDOS ransom attacks are the true growth industry. And these extortionists even have cute nicknames now: “booters” or “stressers”.

[Krebs] estimates that getting DNS services that will protect him in the event of a similar attack would cost him $100,000 to $300,000 per year. Clearly, he’s not able to fork out that much for legit protection, but the cost of protection against this sort of attack should provide an upper bound on how much ransom these criminals can ask for. As another data point, the ransom note delivered to ProtonMail suggests that the actual street price is as low as twenty Bitcoin — around $12,000. (They got hit, customers complained, and they paid.)

The point is that one could make a good living running a botnet of DVRs, threatening to knock websites off the Internet for a day or two. We see this as a much more likely threat than [Krebs’] fear of censorship. DDOS extortion is illegal and wrong, but where there’s money, there’s going to be a criminal to fit the crime.

Why? Why Not?

Given that botnets of DVRs can be converted into cash, [Krebs] was asked why he thought anyone would do this. Before the attack, whoever was running the IoT botnet had 100,000+ computers under their control, all of which were entirely under the radar. But now the IP addresses of all of these machines are known, and someone might get around to patching the devices someday. Who would burn a gigantic botnet just to make [Brian] mad?

deathstar[Krebs’] answer is terrifying, but probably spot-on. It doesn’t matter who launched the attack. There are tens of millions of insecure IoT devices out there. Using up 100,000 here or there is a drop in the ocean. Of the bazillions of IoT devices coming online this year, how many have hardcoded administrator passwords right now? How many will be found to be vulnerable to yet-unknown attacks in the near future?

We also cynically think that hitting [Brian Krebs] is good advertising for the groups who are selling DDOS extortion — if there was a single sysadmin who hadn’t heard of the concept, they will have now. Akamai touting the cost of defending against this sort of attack is the best publicity that the “booters” could have hoped for. Scale your botnet up, hit a rich target, and maybe you can approach the $100,000 payoff. (Not an actual suggestion.)

Whatever the motive, there are millions of unpatched routers and DVRs out there waiting to enlist in the next botnet. In June 2016, Sucuri wrote about defending against a “large” botnet of only 25,000 CCTV appliances. In August, Level 3 wrote about vulnerabilities in over one million units of one brand of DVR. What counts as a “large” botnet has quadrupled over a few months, and the amount of traffic that one can generate has kept pace. And all of this is just the tip of the iceberg.

Tiny Headless Servers Everywhere

twoserversThe problem is one that we’ve written about before, more or less obliquely. IoT devices contain headless computers that are connected to the Internet and talking to the outside world without human oversight. They’re what the layman thinks of as servers: a “box” somewhere with no GUI, accessed remotely, and dishing out data 24/7. The important difference between an IoT device and a traditional server is that the bigger server has an administrator who can apply patches and software tools that help him or her keep an eye on things.

With IoT devices, the ability to update, upgrade, audit, and administer is still in its infancy. The root passwords to some of the DVR devices used in this attack have been known since 2013, and scriptable attacks against the devices are included as a Metasploit module. A competent sysadmin would have patched that by now. (And a competent manufacturer never would have let that out the door.)

Instead the devices are administered by (millions of) people who don’t even really know that there’s a tiny little computer inside. These are people who have no idea about downloading and flashing firmware upgrades, or don’t understand they need to do so for a webcam.

Stereotypes abound, and as relatively sophisticated users we might feel smug. But are you 100% sure that there have been no firmware updates available for your router in the last couple months? We have better things to do than babysit our devices.

How to Fix It?

vDOS's Website, with prices
vDOS’s Website, with prices

The security problem of IoT appliances is real, and it has nothing to do with Big Brother using your Nest to tell what temperature it is now in your living room, not that we like that either. Exploiting botnets of IoT devices has become a viable criminal option. Unpatched IoT appliances are the (pre-service-pack-two) Windows XP machines of the moment: they’re a public menace because they enable criminal activity. And it’s going to take both industry involvement and user education to get us out of this mess.

One solution is remote-push firmware upgrades. Of course, this is its own avenue for malware distribution, but it might be less dangerous than leaving hard-coded administrator passwords in place, or running outdated software with known exploitable bugs. There are a number of known bad ways to implement this: a single key for all devices “hidden” in the EEPROM, for instance. What are the good ways?

People don’t like change, though, and heavy-handed (hello, Windows 10!), late, or failed push updates give the whole mechanism a bad rap. And companies go out of business or simply decide to pull support for their products. Other firms just don’t care. We can’t rely on businesses to secure our devices in perpetuity when they have no financial incentive to do so.

In short, the consumer IoT botnet problem is a thorny one, and it’s not one that we’ve heard the last of. What do we do?

118 thoughts on “Distributed Censorship Or Extortion? The IoT Vs Brian Krebs

  1. The problem I have with this is that these people who are prosecuted are still basically slapped on the wrist. I’m all for public & televised executions, with a lottery for who gets to pull the switch/blade release.

    1. Punishment as a deterrent is certainly not the most effect action we can take here. It’s a very big world, DDoS can happen in any country, but an attacker anywhere in the world. More robust punishments rely on catching the attacker and being able to prosecute them in a jurisdiction with stiff penalties.

      As Elliot pointed out, the real fix is to manufacture our devices with a security-first mindset. Admittedly, you can’t plug every hole in the ship. But if you make them much harder to exploit that is progress on multiple fronts: preventing botnets and protecting user equpiment/information.

      1. There will always be a criminal element, no matter how good the defenses. The point is to make the penalty so severe that the risk vs reward makes think twice. Obviously in the US the system is so flawed that taxpayers are paying billions of dollars per year to produce better criminals.

        1. OH! Ohhhh, I totally misinterpreted your original post… I thought you were advocating for the public execution of the people who leave hardcoded backdoors and default root passwords on the IoT devices they sell!

        2. Capital punishment has been proven time and time again to be ineffective in deterring crime, and the scenario you described wouldn’t look out of place in a dystopian cyberpunk story.

          1. I can read it in my head, it follows a wrong side of the tracks counter counter security hacker who is mixed up in a gangland world, where he has to expose potential security whistleblowers to his bosses, so they can send in the hitmen, before somebody important loses their head over lax security.

        3. That is a completely failed exercise. The problem is that you are evaluating how a criminal may react to tougher penalties based how *you* would react and criminals do not react in the same way as *you*. You Americans have higher rates serious crime like serial murder in stated where you *have* the death penalty.

          So what America seems to be saying is that Americans really don’t care how many people suffer and die paying the price for this failed practice as long as you get to choose the color of the sand you stick your head into.

          1. On the other hand, stricter penalties and ad campaigns to change attitudes have all but eradicated drink-driving in the UK.
            But policing the net will only work if you have the will power to put boots on the ground and extract the criminals from wherever to try them in the courts. Plus find the guys at the top of the food chain, not just the disposable script kiddie at the bottom.
            I’d bet an increasing number of these ransom type crimes could be traced back to IS or similar groups. Seems like such a good source of funds.

          2. I can see how the DD example applies to consumer carelessness, but there’s no profit in DD, it’s not something someone with a criminal mindset aspires to do. On the corporate side, there’s profit in being “careless”, by spending as little time and effort on the product as possible. For the blackhats, who can lease botnets for negotiable instruments, it’s the core business.

        4. The fundamental issue, which you failed to address, is that those who organize these botnets are virtually untouchable. They’re gathering devices all over the planet, to swarm any server on the planet, while they themselves can be anywhere on the planet. Stiffer penalties are absolutely useless if they’re in a jurisdiction that isn’t covered (more than a few countries come to mind), and even more so if you can’t even figure out who/where they are.

          Forget the US system; if the people organizing devices into botnets are out of reach, there is no penalty, period. It’s a far more actionable plan to cut their legs out from under them by locking down IoT devices better, as was the case with the article’s Windows XP example.

          Windows got (a little bit) better at not becoming part of a botnet, and the number of zombie computers started to come down. The challenge here is to get a large number of companies to clamp down, not just the singular Microsoft. (as well as solving the technical challenge of administration of fixes and updates, as mentioned above)

    2. I have always thought that their tactics could work in reverse. Now a days with crowd funding I am sure a mercenary or 2 could be funded to take care of these individuals. Carry this over to spammers, fake antivirus trojan authors, etc. $12k could probably take care of the problem permanently rather than just pay off the criminal. Having to deal with something like that would probably make an enterprising individual considering black hat extortion think twice about embarking on that kind of career.

        1. The biggest step might be eliminating the DRM backed by DMCA 1201 which interferes with adversarial security research. When anyone can tear into your devices, and then *publicly* shame you for having issues without going to jail for it, then manufacturers might think twice about security. (as well as a lot of software and non IoT manufacturers)

      1. Yeah, you’d be amazed, there’s criminals that think they are smarter than law enforcement despite getting caught for the same petty offences pretty much every 2 weeks they are on the street. They blame it on “bad luck” or “dirty tricks” by the cops, like being right there when they smashed the window or something. Then also there’s the lack of rationalization that certain things are wrong, “It was there for the taking.”, “That’s what insurance companies are for.”, “Didn’t look like anybody was using it at the moment.” Such that laws saying things are wrong and punishable don’t really sink in, because by their own internal moral compass, they aren’t “really” doing anything wrong.

        In this instance, the rationale is probably something like “Just providing a service.” and “Not taking anything anybody would actually miss.” (On the device end)…. they are hitmen, amoral for this purpose, it’s their livelihood, and they are smarter than the enforcement, so they think. However, the people contracting their services probably know damn well it’s wrong and they are hoping to escape culpability by arms lengthing the execution of it through blackhats. Severe penalties at that end may help. However, when blackhats can “direct market” by extortion tactics and directly profit rather than being guns for hire, then obviously those measures aren’t going to sway them much. Visible enforcement might be the key, start getting known names in the subculture behind bars, even if it’s temporary and for relatively minor stuff.

        1. I have said, to more than one young male, “If your getting caught then crime is not for you!”
          It’s a crass way to put it but it gets the message across in a way they can reason with.

  2. Force ISP’s to look for “weird traffic” coming from homes, Tell people they have a problem if they don’t sort it cut them off. Now I know this sounds harsh and doesn’t go after the real problem the botnet owners but it would force the public to take action.

      1. Agreed lets not give them more excuses the real problem is device manufactures making bad or lazy software.
        Such as do you really need a 1Ghz cpu for a thermostat and do you really need to leave all to network tools in place of a smart TV?

    1. It’s impossible to any ISP to tell between some user’s browser accessing Brian Krebs website and the webcam of said user accessing it.
      And even if the ISP can detect 10.000 access to that site at the same time, monitoring every single connection from every single client is way too much work to any ISP tackle…

        1. Record them is very different from analyze them, detect malicious behavior and react to it.

          Anybody can count people entering the door without hassle, but recording them, realizing some people entered 50 times in 30 minutes, and 4 guys always get inside together is a complete different job.

          1. Actually monitoring a million doors (IP addresses) for the ones which were leading to the DDOS target and sending an email to the owner of those IP addresses that says, “If you have one of these (known list of compromised devices), there is a good chance it is under the control of hackers. Contact the manufacturer of the device…” would not be that hard for an ISP. It might also get some of those devices off the internet and put pressure on the manufacturers to not release vulnerable equipment.

    2. I think ISP’s already do that. I keep getting calls from the Microsoft Internet techs, they tell me there are corrupt files coming from my computer.

      Only trouble is I always thank them effusively because I keep seeing these files flying out of my router and can’t make ’em stop and I do not want to hurt the Internets. I ask if I need a rootkit, and they always hang up for some reason.

  3. Have cities pass a local ordinance against default pass words on IOT devices. When found they would be warned and given 30 days to set a proper password, then fined $30 – sort of a parking ticket, that gets added to the taxes if unpaid. This would give the guilty party an incentive to pay it and correct his devices or hire an IT guy to fix them. This could become a growth industry, cities are desperate for new sources of $$, so they would all pile on and this would make every city on earth do it. The larger cities can have their own IT departments scan for exposed IOT devices. Online centers would emerge with the default PW of all manner of IOT devices. ISPs could be tasked by the city to scan their clients and send them a notice or give it to the city.
    In time pushback would make the IOT manufacturers create unique long passwords for their stuff, with it printed on them – easy enough to insert into the manufacturing process

    1. I like your idea of applying pressure somewhere in the system, but I feel like fining the non-security-aware folks is a bit like blaming the victim.

      But since this has become a public problem, I don’t think it’s entirely wrong for there to be public standards. Like the UL for electrical safety, or whatever other safety standards. Maybe there should be minimum cyber-security standards for goods to be sold. Now just get all the governments of the world to agree on what they should be…

      1. Victim?
        In many countries if you own firearms, you are obligated by law to secure them against theft. If they can prove that you failed to meet law given requirements and your firearm was stolen, (and likely used for criminal activity), you will face court.
        Same should apply here, just because the user is too ignorant to realize he’s being a danger to others does not mean he should be completely free to keep doing so.
        Nobody will listen that you didn’t understand the tax law, nobody will listen that sou didn’t know XY is explosive/toxic/carcinogenic/all of the mentioned, you will face court. The same principle is already being used elsewhere, so there’s no excuse to use it for this IOT BS…

        1. “Same should apply here, just because the user is too ignorant to realize he’s being a danger to others does not mean he should be completely free to keep doing so.”

          OK, that’s a fair argument. Should we then also have mandatory licensing and permits for routers to ensure that the public knows enough? Preferably with state-funded security courses?

        2. We all know networked appliances are fundamentally different than firearms. No firearm yet made can be securely locked up in your home, while simultaneously under the control of a criminal from half the world away. If such a weapon were created, the owner would certainly be held harmless, while the manufacturer would be destroyed by the courts.

    2. In the event one part of the problem is device users leaving default pass words unchange. Your suggestion that manufactures giving each device an unique pass word and affixing a label with that password on the device is one solution. Another solution would be to make the device nonoperational until the owner changes the default pass word. That way the user can change to the password to something they can remember easily. Most local governments get underwear in a bind if they are required to do something The reaction is to comply in a haphazard fashion that make things more difficult they need be.

  4. IoT can be done properly, it just isn’t trivial to do so.

    I’d posit that the vast majority of IoT deployments amount to a device that connects to a cloud service, and that cloud service is what the customer interacts with. In that situation, there’s no reason that the IoT device couldn’t require SSL with a private root. If that private root were properly managed, and if the SSL stack in the device was a good one, that would raise the bar quite a bit.

    Now, depending on the device, making it capable of SSL may be a lot to ask ( Probably not a DVR or a webcam, but a light bulb?) today, but we’ve already seen WiFi become a cheap commodity bolt-on. Can SSL be far behind?

    1. With enough IOT devices out there, semi autonomous bots can be released by script kiddies to scan and start millions of these things so harass and badger people the kiddie does not like. Once out there, they will be able to store themselves on IOT devices and propagate.
      This means a solution, like your house cloud with SSL will become mandatory for civilization

  5. This DVR and IoT claim doesn’t really pass the sniff test. What’s the evidence that this was the cause? It’s far easier to break into and create a botnet using PCs that generally browse out to the web or web servers/other services that have open ports rather than devices that are generally behind NAT devices or corporate firewalls.

    1. Passes the sniff test just fine to me:

      1) IoT device wants to be remotely controlled by the user’s smartphone when the user is not home (that’s the entire point of them being Internet-enabled, after all)
      2) User’s smartphone could be anywhere in the world and the IoT device is behind a router
      3) IoT device must therefore open a port for itself, bypassing the usual protections afforded by the router’s NAT
      4) IoT device is now accessible to the user’s phone, but is also exposed to everyone else on the Internet
      5) IoT device’s security was largely an afterthought, and it is quickly hacked
      6) IoT device’s security flaws are exactly the same across all instances of the device, so once one is hacked the rest follow
      7) Hacker now has control of a hundred thousand devices and their bandwidth
      8) Unlike a PC, IoT device is always on and the user has no easy way of telling if it’s been compromised

      1. For #3, the device in question phones out. My wifi thermometer, for example, talks only out to Honeywell. It doesn’t open incoming ports, so there’s no vector in. I’ll grant that not all devices do that, and that’s an issue itself (what happens when Honeywell shuts the service down). Even when I’m home and want to talk to the thermometer, I have to log into Honeywell’s service to then talk back to the thermometer.

          1. The thermometer probably just posts data every certain time period, then you can connect to honeywell to see that data. There could still be no actual port open to connect to the thermometer.

        1. Are you talking thermometer or thermostat?
          Thermometer doesn’t really make sense, that you would call it back.
          Thermostat on the other hand makes perfect sense and in that case, there is a port open.

    2. I’m not sure what you’re sniffing, but that’s exactly the point. All of these devices are over-qualified to send an obnoxious number of http requests. Now, a device behind a firewall/nat would be harder to hijack (or know was out there) but I suspect if the service they were naturally calling-home to was compromised then they would all happily obey their new master.

  6. We don’t seem to be thinking about the cause, even though we’ve identified it – educating the users.

    Either that, or the tesla model of ‘we will update your car and you can’t stop us’. Of course some of us will choose to find a way to override Tesla, but the vast majority are just going to allow them to keep patching, and trust them that the patches are doing good(tm).

    This also will become one of the ways IPv6 could become interesting to home users – instead of everything hidden behind a NAT and your ISP not being fully aware of which device is making those requests, we can far more easily identify a device by it’s IPv6 IP, and point out to a user what it’s doing.

    Janice next door might not be 100 % up to date with her technology, but she can’t deny when her ISP asks her why her CCTV system was pushing data to china last week that she isn’t concerned a little. (Of course this requires a lot of buy in from ISP’s who seem to want to be considered ‘hands off’ with what happens to the traffic they carry – odd compared to how Tesla are so hands on with what drivers do with their cars. It’s definitely a tricky balance.)

    1. I’d settle for people hacking into these devices and wiping them out. Fixing security holes is more than you can expect out of someone shovelling the sewage out of the internet. (The hero we deserve, etc etc)

  7. You’ll only get companies to care about security when they are required to by law and/or it costs them money. The best solution seems to be to turn the devices on their makers and DDoS them with their own machines. A slower way would be to just brick every vulnerable IoT device.

    1. I’d settle for every vulnerable device just screaming at the user for 24h before returning to regular service. Something along the lines of “Hi there! I’m a device with a COMPUTER INSIDE vulnerable to being manipulated into and internet weapon AND YOU SHOULD COMPLAIN TO MY MANUFACTURER RIGHT NAOW! LALALALALALALALALALALALALALALALALALALALALALALALA!”

      I figure the press will have a field day and only a couple of high-profile instances of a brand of smart TV or music streaming box getting mass-patched to spout annoying messages for a day will get some manufacturers rethingking their risk calculus…

        1. Making the internet a better place?

          If a company had all their smart TV’s start going berserk in people’s homes, it could lead to recalls and most certainly with consulting security experts on how to stop it. White hats creating pressure on manufacturers to fight black hats and creating work for other white hats seems like a win-win to me.

  8. Make the manufacturers of IoT-devices liable if they don’t follow basic security practice like disallowing default passwords.

    If you sell a smartphone with exploding batteries, you have to call back the devices and pay for any damages done by your faulty product. If you don’t handle this properly, the administration can force the manufacturer and have them pay penalties.

    The same could be imposed for bad IT security.

    The big question is just how long after the sale the manufacturer is responsible and has to publish security updates. I’d say the manufacturer must state that upfront and print it in big letters on the packaging of the device (“at least 5 years of security service”).

    1. I think this is the right way. (Consumer) routers were and i suppose are a “swiss cheese” as we say here – with a lot of holes. WTF are the manufacturers doing??? And as a supplement we also need to educate people about basic security stuff, but this will be *really* difficult…..
      Looking at security and privacy i think we should also try to “get the internet out of the things” (love this title!) where it isn’t *really* needed (really controversial word). Yes, it might be usefull some times but honestly, something like a fridge with internet access!?!? (Yeah, no fridges involed in this attack – or maybe?).

      1. I know, what about mods to IoT devices to ensure physical presence of the authorised user when they are to be used, like you could have an IoT coffee machine that only does anything if you enable the button on it, or an IoT lightbulb with an arm/disarm switch, for convenience, maybe you could mount that on a nearby wall, so you don’t have to reach up to the fitting all the time….

    2. I don’t think your two different scenarios are comparable.

      Sure getting politicians to introduce legislation about exploding batteries makes some sense as any idiot and even a politician knows what an exploding battery is and means.

      BUT … getting politicians to create a perceived solution about a problem they don’t understand based on a technology they don’t understand can only make things worse.

      Technology legislation in my country has all but destroyed the entire industry. We still have some game programmers left and there isn’t much more than that.

      Even out internet connections are more about enabling the government to track everything we do than enabling any internet based industry to be competitive on global markets.

      I used to work in that industry. I bailed out when legislation was introduced that meant that I could get up to 25 years imprisonment for security testing my own servers simply because stupid politicians can’t tell the difference between security testing and hacking or they simply didn’t understand that security testing existed and was required.

      The end result is that my country is either the leading, or one of the leading targets for the various forms of cyber crime (hacking).

      1. — quote —-getting politicians to create a perceived solution about a problem they don’t understand based on a technology they don’t understand can only make things worse.—- /quote —
        Oh yes. :-/
        Speaking about pentesting and this stuff: In 2007 the Bundestag in Germany introduced the so called hacker paragraph. Here its in english: https://www.gesetze-im-internet.de/englisch_stgb/englisch_stgb.html#p1754
        There was a huge discussion if pentesting is still legal, i mean for this you need tools that also can be used to hack a server. Finally the gouvernment said that if you make legal stuff you can use these tools but the entire thing is quite imprecise. Can somebody legaly code and publish a tool that can be used for pentesting but also for hacking? According to german wikipedia a lot of people now publish on foreign websites/servers.
        german article (no english version): https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hens_und_Abfangens_von_Daten
        I think this is a perfect example for politicians not understanding anything of what they do. Of course you can use $tool to make “bad things”, but you can also test your server and fix security holes to avoid that it will be hacked and used for other “bad things”. With a knife i can cut tomatoes or kill my neighbor, let’s prohibit knifes…

        1. I wouldn’t be surprised if our legislation was based on that in part. It has destroyed an industry and been a dismal failure here. It achieved the very opposite to it’s intentions.

  9. I’d say a can of worms, but then you can go fishin’.
    More like a can of stinkbugs! I wouldn’t want any of these things around anyway. Maybe that is a good name for the IoT…stinkbugs! They are known to have stink-ins and procreate.
    If touched they can stink up the whole internet.

  10. IPFS (https://ipfs.io/) seems like a more viable alternative to police-state-internet I’m still cutting my teeth on the subject so perhaps I’ve misunderstood, but it seems like the old ways didn’t account for human nature (malicious) so we need new ways to run it.

  11. The distributed part of DDOS may be a key point, are these device really hiding in the crowd or can their behaviour and characteristics actually be clustered well enough to sandbox them when they start misbehaving?

    1. Depends.

      In one recent case, all of the devices were the same, and they all had the same browser type string. Makes them very easy to filter out. But then the booters learn, and craft better fake strings and randomize referrer tags and so on.

      Cat and mouse.

  12. In a lot of ways DDoS are also a problem that nobody /really/ wants to fix until it’s on a grand scale…

    …in another life I was a developer for one of the biggest private game servers (for a pretty solid run we were consistently Top5 on probably the most popular site for tracking such things for what is probably the most successful game of all time… …we weren’t exactly strictly legal. anyway…) and our competition regularly resorted to DDoS attacks and due to the nature of our servers hosts weren’t exactly the most cooperative… …but since the servers I wanted to work on were essentially down and I was bored as a result I took the initiative to comb the server logs and make the phone calls.

    Long story short(er)- I eventually got the Internet shut off for a university somewhere in Thailand because one of their students thought it would be a good idea to turn all the computers at his school into his personal botnet and the school administration ignored the repeated attempts at communication by the nice lady I talked to in Brussels (of all places).

    I still believe the only reason I have that story to tell is purely because I think I impressed Brussels Lady when I told her the why and how I ended up with her phone number the first time I called.

    Lots of good times in that other life and that was what cemented my place as staff. At the time I was a Junior Dev. and that was my first real independent contribution, and a pretty big one at that… One day, all of a sudden, players started connecting again as DNS pools started updating with our new IPs after being down for nearly a month and I finally got to be like ‘So. Um… Here’s this thing that happened…’

    Wow… That was a ramble. Thanks to anyone that came along as I shared that memory.

  13. The irony is that the whole affair is of our own making. “Let’s hook EVERYTHING up to the Net and await Shangri-La…” Well, idealistic fantasies don’t really work like that. There’s a Real World, and it’s even worse than the tripe pushed by MTV back in the 90’s. Let’s give everyone a car, but not spend on cent on new roads.

    1. I kinda agree in that some things such as a refrigerator or toaster do not need to be connected to the Internet and other stuff such as power meters probably should never be directly connected.

      1. A refrigerator running a BT-SLIP behind NAT is perfect, even in IPV6 land.
        Nat sucks when you want your stuff to be really seen, for the rest NAT works pretty good followed by opening ports if the thing can’t update to a real constant security updates server that is meant for net facing.

  14. ddos is to security as bologna is to meat..

    I’d bet money they tried SQLi and exploit frameworks on the domain before they fell back to ddos.. This is the flow of modern “hackers”.. News outlets take them serious though..

    1. I believe I wrote “script kiddies”. :) (Or maybe that didn’t make it through the edits…)

      But I half agree. On one hand, bot-herding is not an intellectual pursuit. It’s weak-sauce hacking. Run a script to look for known vulnerabilities. Yawn. (There may be nuances in the coordination and control that I’m glossing over.)

      On the other, the potential for directed damage is real. And if Krebs is right, it’ll be used for petty grudges as well as medium-scale extortion. That’s pretty crappy.

      1. Researchers eventually sink-hole their C&C and report IPs, The IP part has a large delay if it even is acted upon.

        Sink-hole comes from binary-exploitation(memory corruption or design-flaw) which takes binary and packet analyses. Which is expensive time-wise which is why it doesn’t happen much.

        You can actually thank signature based anti-virus solutions for this problem in it’s entirety.. They should be purely sandboxes behavioral analyses by now..

        They security industry doesn’t want things like working anti-malware or memory controllers that do things like hash page tables and thus kill all type of code execution exploits.

  15. What I’d like to know is, why can’t a site make itself unavailable if the number of connections exceeds x amount of connections per second from the same IP? The botnets can ddos all they want and the requests would be dropped.
    Am I missing something here?

    1. You can drop every packet coming in from every IP that is hitting DoSing your box, but that doesn’t prevent them from saturating the ISP’s incoming bandwidth. That is also only assuming that you don’t have to deal with spoofed IPs… if the IPs are being spoofed, then all you’re doing is banning the whole world while new IP addresses pop in to continue the DDoS ad infinitum.

  16. It would be interesting to see the industry react if a vigilante hacker turned the IOT devices back on their own manufacturer’s infrastructure. I bet IOT security would be taken more seriously if they understood the risk it poses to them. <-DO NOT DO THIS,,,SERIOUSLY!

    1. That reminds me of an old saying –
      I wouldn’t personally murder him but I would shake the hand of the man that did.

      But seriously – responsibility for security is very much a “perceived” thing with the public having expectations that are *not* based on a sound technical knowledge.

      And that will probably result in manufacturers doing something about this … eventually … don’t hold your breath because it wont happen until there is a serious disruption that causes inconvenience to a very large number of everyday people, causing them to discuss it publicly.

  17. I think going forward, having a basic framework with security in mind for every major IoT category that is public domain would be worthwhile, as it would remove much of the excuses the creators of IoT devices have for not securing devices. However that project would require something along the lines of Rosetta Code with funding, donations from some big corporations, or some interesting Machine Learning code to generate the code.

  18. what i would do if i was going to make an iot device i would give it a cpu of only enough power to do it’s job and enough bandwidth to do the job and enough memory and storage for the firmware.

    the firmware would live on a read only rom chip requiring the unsoldering and resoldering of a new chip to change.

    in the case of a nest thermostat i would

    1. give it a 500 khz to 1 mhz cpu so it would be too slow to even be worth hacking.

    2. 1k of ram maybe even less to make it too small for the device to store the variables to generate urls to attack.

    3. the rom chip for the firmware would be read only requiring unsoldering and resoldering to replace if a bug fix is needed. so the rom cant be hacked and make the rom proprietary

    4. sit on the device for years doing internal beta testing before releasing to insure the bugs are worked out.

    5. give it only 300 baud bandwidth so 1. hackers would find it to painfully slow to even want to hack and 2. if it was hacked you could watch in a terminal that it is sending unwanted data.

    6. make the device read only by remote so you could only see the temperature of your house but you could not change it so a hacker could not for example run the heat until it got to 90 then run the air conditioner until it got to 60 and repeat until it runs up thousands in electric and fuel bills.

          1. @RÖB
            This was a misunderstanding. I’m aware that an AVR can programm itself using a bootloader (like on every Arduino), but afaik the AVR has to stop for this and resets afterwards. I thought there was some secret way to run code from RAM (which really would have surprised me because of the architecture). This would be really useful.

          2. The way the Arduino bootloader works is just the chosen way for convenience.

            FLASH blocks can be written on the fly from RAM (Registers) or a serial source or by any other means at runtime. No reset is required unless you are writing to the bootloader area. So arbitrary code can be written and executed though whatever means is left open. There are even special jump instructions for executing loaded code.

            Not all Atmel AVR’s support this.

          3. I just looked at the ATmega328p data sheet and page 26 says –
            “The SPM instruction that writes into the Application Flash memory section must reside in the Boot Program section.”

            But am sure that some of the AVR’s support application level writes to program memory.

            Perhaps the 664 or 1284 as I have worked with them more than the 168/328.

      1. I’m pretty sure Micah Scott managed to pretty comprehensively gain control of a Harvard architecture uC in some work of hers featured on here the other day, though to be fair she is in a different league to your average script kiddie building IoT botnets.

    1. a lot of devices would become essentially useless with that approach, we might lament the issues brought along with firmware updates and overpowered hardware, but it is essentially what has allowed and will allow quite a bit of innovation, if everything was that limited there would essentially be little left to hack or experiment with, for people and companies alike.

      as for sitting on products for that long only doing bug fixing is ridiculously expensive and while you are doing that someone else will be designing something better, cheaper or easier and sell it to your waiting customers, it cant be done unless the stakes are very high, it would also mean that anything one produced would be several years behind any new known technology and trend, ones device might even need changes faster than one could vet them to remain relevant.

  19. International standards prevent rubbish products from, for example, dumping emc into the airwaves or back into the mains.
    Can we not have a new standard that forces best practices on IOT manufacturers? Then ISPs could shut off consumers with grey imports that aren’t up to scratch without the ‘how was I to know?’ reaction from non-techies. There’d be a transition period for all the junk already out there already but at least it’d mean diminishing numbers. Even a voluntary standard would help discerning but less knowledgeable consumers.
    Heck, I want to get an IP webcam for my pond but I don’t know how to ensure I’m not just putting a welcome mat out for the bad guys!

    1. Expect pay more for devices.
      A better fix use something that is supported by open source software instead of depending on security though obscurity.
      Security through obscurity doesn’t work at all once something becomes ambiguous.

  20. First of all, I’m no networking guru so it’s understandable why I’d never have thought of this sort of exploit, but it’s amaing to me that those who are didn’t see it coming from a mile away. From Krebs article on it, the best fix is is to be found in ISPs doing something they could have and should have already done, but haven’t because of… drum roll… MONEY (as usual). If you want to get down the road to fixing this vulnerability, make the following LEGALLY MANDATORY. Excerpts from his column:

    The problem of DDoS conscripts goes well beyond the millions of IoT devices that are shipped insecure by default: Countless hosting providers and ISPs do nothing to prevent devices on their networks from being used by miscreants to “spoof” the source of DDoS attacks.

    BCP38 is designed to filter such spoofed traffic, so that it never even traverses the network of an ISP that’s adopted the anti-spoofing measures. However, there are non-trivial economic reasons that many ISPs fail to adopt this best practice.

    Fortunately, there are efforts afoot to gather information about which networks and ISPs have neglected to filter out spoofed traffic leaving their networks. The idea is that by “naming and shaming” the providers who aren’t doing said filtering, the Internet community might pressure some of these actors into doing the right thing (or perhaps even offer preferential treatment to those providers who do conduct this basic network hygiene).

    A research experiment by the Center for Applied Internet Data Analysis (CAIDA) called the “Spoofer Project” is slowly collecting this data, but it relies on users voluntarily running CAIDA’s software client to gather that intel. Unfortunately, a huge percentage of the networks that allow spoofing are hosting providers that offer extremely low-cost, virtual private servers (VPS). And these companies will never voluntarily run CAIDA’s spoof-testing tools.

    As a result, the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing.

    1. I suggest that you make it mandatory for politicians to have brains before politicians make laws making it mandatory to do some weird stuff that they know nothing about or you end up with laws that say TCP/IP packets should always travel in the same direction as the wind.

  21. To 99% of the Hackaday readers I will sound incredibly stupid – or at least totally backwards: Our house has light switches, motorized blinds, central heating, power outlets and thermostats … none of which talk to the outside world. Even though I love technology and especially electronics, I cannot see any benefit in light fixtures that have a pathological urge to talk to my toaster oven or other light fixtures.

    A lot of the problems described above stem from the perpetual need of marketing departments to come up with new features every year. Having studied marketing myself, I know that 80% of the technology out there is the result of said marketing departments to create hypothetical scenarios for potential use of their products that appear appealing to the targeted users … as a user, I need to ask myself what do I REALLY need? Chatty home appliances? No. Most certainly not. This problem can (and should) be a non-issue for most people.

    1. I agree. I am not against a smart home but i really don’t understand why EVERY SINGLE DEVICE has to be connected to the net. If people really (think that they) need to control their toaster and fridge while on vacation at least use some internal bus that connects all these things to A SINGLE computer connected to the net. Something like a RaPi is documented and runs Linux, should be much easier to secure and update (even automated) than 10s of undocumented computers with proprietary firmware. And you could probably put much smaller (with less power) processors inside the devices too.

    2. Then ask yourself why marketing does what it does and you land back at money, interest rates for loans, investors that have to be paid.. growth.
      I suggest you to read some Gesell.

      1. Having worked in marketing for quite some time now, I know quite well how and why we work. We apply some simple rules of psychology to brainwash people (consumers) in wanting stuff they don’t need. Why are we doing it? In my case because of the greed and immoral behavior of one specific investor. So it’s not only our industry’s addiction to growth, it’s also a lack of values and ethics – on both sides: big corporations and consumers are in what seems to be deadlock situation of wanting “new” cheap stuff and supplying “new” cheap stuff.

        Hackaday used to cater to those who found a way out: make your own stuff that does exactly what you want it to do and learn something in the process. And that’s exactly why I am so incredibly bored with what should be a non-issue for the HAD audience: some mass-produced junk is vulnerable to hacks… well, there you are. You have all the ingredients for a vulnerable system and the results should not come as a surprise to anybody. From HAD I’d expect stories of how to break out of obsolete patterns of consumerism and yet find fun in hi-tech.

        1. Well yes and no.

          This article highlights an issue that is before all those who want to “make your own stuff that does exactly what you want it to do and learn something in the process”.

          Modern hacking is just as much about writing soft/firmware as it is about making hardware. For example, I personally was always a hardware hacker in earlier days. I did however do machine language programming in the very early days of computers and I went back to coding in later life. Now I like VHDL and micro-controllers which is a bit of a mix but at the same time I can pick up manual tools and make the additional stuff to go with an electronic prototype (like an enclosure or robotic parts) and then write the code to run it.

          All of these things are a part of modern day hacking. Coding and the issues that come with soft/firmware (and things *like* IoT protocols) are unavoidable obstacles today so this article raises and issue that many here will need to understand at some stage.

          HAD is catering for many different forms of hacking and that probably wasn’t a decision they made. It’s simply that hacking has diversified into may different areas. If it hadn’t then we would all be phreaking phone networks.

          1. Yes, this makes total sense to me and you are a 100% right. But (and you knew there would be a but): Before ending up in marketing, I was an industrial designer (LEGO Mindstorms team, amongst other things). My education was very heavy on occupational medicine, human factors etc. but I didn’t really “connect the dots” until I ended up at LEGO. At Lego, everything is centered around basic human needs, play patterns and the development (and needs) of young and old brains. We knew, that certain ways of interacting with objects makes people happy (and, to a certain extend, boosts their mental horsepower). Interestingly, this effect is way stronger with physical objects then it is with 2D representations – maybe because it is “multi-sensory”…

            So when HAD “developed” by following trends away from physical objects/hacking, there was an inevitable shift away from people’s true (neurological) needs. This might sound naive and simplistic but as much as we don’t exercise enough, we also neglect our brain’s needs in terms of spatial problem-solving and tactile experiences – both dimensions are key to the fun in making and hacking … and living, BTW. Yes, hacking has evolved but it has also become a poorer and neurologically less rewarding experience. HAD has to decide how to solve the old dilemma of “giving the customers what they want” vs. “giving the customers what they need” – one approach pays the bills, the other one secures a long-term relevance of your “brand”.

  22. There was an ongoing discussion about whether owners of unsecurable (ie Android 4.0) devices should have the option to upgrade for a lower price by surrendering their device and/or blacklisting its IMEI/ESN/WiFi/ etc via a secure website so it can still be used disconnected eg for games and other applications. This would be a lot better than the alternative and provide a valuable income stream for people who recycle these devices if 25 old dinosaurs = 25% off the cost of a new Android device.

    Little protip: an old antique circa 2008 junker can be turned into a very effective DAB radio with a very simple firmware update by using its onboard decoder (now freed up by permanently turning off its internal GSM/3G/WiFi) and the LCD controller used to display graphical content such as RDS.
    Also most of these can be made to output through the (unused) speaker rather than headphone jack with the existing radio hardware retrofitted as a secure WiFi repeater.

  23. I’m wondering how much trouble could be prevented by the simple expedient of refusing a network connection beyond the local network until the user changes the password and sets an explicit flag.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.