After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.
Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 300 million 4.3 million of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords. (You can cut/paste the text into a translator and have a few laughs, or just take our word for it. The company’s name gets mis-translated frequently throughout as “male” or “masculine”, if that helps.)
Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.
Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords, so we’ll cut them some slack. Is the threat of massive economic damage from a recall of insecure hardware going to be the driver for manufacturers to be more security conscious? (We kinda hope so.)
Meanwhile, if you can’t get enough botnets, here is a trio of recent articles (one, two, and three) that are all relevant to this device recall.
[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.
With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.
Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums.
We can argue all day about whether a digital video recorder (DVR) or an IP webcam is an “IoT” device and whether this DDOS attack is the biggest to date or merely among them, but the class of devices exploited certainly are not traditional computers, and this is a big hit. Most of these devices run firmware out of flash, and it’s up to the end user (who is not a sysadmin) to keep it up to date or face the wrath of hackers. And it’s certainly the case that as more Internet-facing devices get deployed, the hacker’s attack surface will grow.
Why did the DDOS network use these particular devices? We’re speculating, but we’d guess it’s a combination of difficult-to-update firmware and user “convenience” features like uPnP. To quote the FBI “The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication.” You can see how this would be good for both the non-tech-savvy and hostile attackers, right? (Turn off UPnP on your router now.)
We alternate between Jekyll and Hyde on the IoT. On one hand, we love having everything in our own home hooked up to our local WiFi network and running on Python scripts. On the other hand, connecting each and every device up to the broader Internet and keeping it secure would be a system administration headache. Average users want the convenience of the latter without having to pay the setup and know-how costs of the former. Right now, they’re left out in the cold. And their toasters are taking down ISPs.
The link above goes to [Jerry Whiting’s] discussion on the topic. He’s certainly an interesting speaker, but make sure you’re using headphones at work as the language can be a bit sultry once in a while. He aims the lesson at the Occupy movement, but it’s a fun listen for any conspiracy theorist out there. The topics run the gamut, starting with the specter of physical access, then moving on to protecting your network through traffic analysis and using key pairs. This Security 101 segment comes in two parts (the first one is embedded after the break), each a bit more than thirty minutes. He’s planning to post a second lesson covering hashes and encryption. Continue reading “Keep others from snooping in your digital life”→
While we’re sure that just about everyone has heard about the conflict between Russia and Georgia, few have probably heard about the role of cyber attacks in the conflict. Shortly before Russia’s armed response, Georgian state web servers were attacked by individuals assumed to be Russian hackers. This attack almost completely obliterated Georgia’s online presence by shutting down the website for the Ministry of Defense, and the Central Government’s main site. The Russian attackers seem to be using some form of sustained DDoS to keep many Georgian sites offline. In an effort to preserve some web presence, the Georgian Government transferred [President Mikheil Saakashvili]’s site to a US hosting provider in Atlanta. The Ministry of Foreign Affairs even created a BlogSpot page after their website initially went down. While politically motivated DDoS attacks have not been rare in past months, this seems to be the first time where the attacking party can be clearly identified. This seems to be the start of a trend where the unconventional methods of cyber warfare are used to gain an advantage over the enemy.