Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Networking Hardware

A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices (arstechnica.com) 143

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.

Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"
This discussion has been archived. No new comments can be posted.

A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices

Comments Filter:
  • by Anonymous Coward on Monday May 01, 2017 @12:44AM (#54331725)

    While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?

    A hammer.

    • And thus the original poster was enlightened.
    • by raymorris ( 2726007 ) on Monday May 01, 2017 @02:08AM (#54331879) Journal

      Both "non-technical people" amd "home networks" combined make that a tough one. A business full of non-technical people, or just people who don't specialize in security, can use a "experts included" solutions from companies like Alert Logic, but that's probably not reasonable for a home network.

      A typical home network can be made noticeably more secure from these kinds of attacks by simply turning off UPnP on the router, though. Without UPnP, by default devices on the network can't be accessed from outside, from the internet. The standard router configuration using overloaded NAT (aka PAT) has the side effect of acting like a strict firewall. It's not an enterprise-grade firewall, just a simple packet filter, but it does prevent incoming connections / attacks, except for any port-forwards that are manually configured.

      Other than disabling UPnP, the other main thing I can think of is keeping software and firmware up to date, at least for security patches. Devices running old versions are the low-hanging fruit for bad guys. The new software might have new security holes that nobody knows about, but the old version definitely has security holes that everybody knows about, and the bad guy and just run a script to automatically exploit those vulnerabilities.

      Sorry I don't have better answers right now. The lack of good answers is why Australia is looking at having the ISP take care of some protection. The ISP can see trends across the whole network, and more importantly they can spend a few thousand dollars per month to contract with companies like Cisco TALOS and Alert Logic to deploy and monitor sophisticated, modern security systems. Yeah that brings up privacy issues, so there is no great solution that I can see.

      • Sorry I don't have better answers right now.

        Easy. Companies should be liable for gross negligence. Things like default passwords haven't been best-practice for a decade now.

        Leaving the telnet port open has been a bad idea for a long time.

        • If they are grossly negligent, they already ARE liable.

          The question is, who was hurt and by how much? They are liable *to somebody* for *some* amount of money. That's the hard part.

          • by TWX ( 665546 )

            Hit 'em via their business liability insurance. When their insurance rates skyrocket then maybe they'll start paying attention to things like information security.

            Yes, this will mean that products will cost more. Nothing is free though, either you have to pay for it, take on risk by not having it, or you have to do it yourself. Right now far too many operate with that middle choice.

            • Agreed, insurance companies are really good at analyzing and mitigating risk. Insurance companies created the fire code and Underwriters Laboratories to reduce fire risk. If you don't meet fire code and UL your insurance rates are much higher, so businesses make and buy UL approved stuff. That hints at general approaches which may work well for information security, and specifically at *enforcement* - insurance companies look at a property before they underwrite a multi-million dollar policy, and require re

              • by TWX ( 665546 )

                Insurance companies also created the IIHS, Insurance Institute for Highway Safety. In twenty years they've compelled the automakers to go from cars that have a high likelihood of killing their occupants in moderate-speed collisions and cars that are extremely expensive to repair in 5mph collisions to cars that will do a much better job of protecting their occupants in even fairly high-speed collisions and are generally reasonable to fix if involved in 5mph collisions. It took a combination of embarrassing

        • Things like default passwords haven't been best-practice for a decade now. Leaving the telnet port open has been a bad idea for a long time.

          Be careful what you wish for. Attaching anything to the net without a firewall to protect it has been a bad idea for a long time, too. If you don't have a firewall blocking open telnet ports, who is liable?

    • by AmiMoJo ( 196126 )

      A simple, open source app would do. Have a blacklist of known crap, and some simple port scans. If an defective device is found, prompt the user to ask the vendor for a repair or their money back.

    • While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?

      A hammer.

      Simply forcing the user to change the default login and password would be a good start, and preventing the user from using passwords like "passw0rd" or "123456" would also help.

  • by Anonymous Coward on Monday May 01, 2017 @01:04AM (#54331763)

    Hajime prevents these devices from being taken down. Instead it adds them to a botnet under the control of someone we don't know. Just because they say they're whitehat doesn't mean they are, and none of their behavior actually supports that claim. They attack other people's systems, instate defenses to maintain the ill-gotten control and use the devices to attack more devices, all without a public mandate. That's black hat.

    • Re: (Score:2, Redundant)

      does the executable have ddos capabilitys? or just spreading abilitys? Chances are the person really is whitehat or he would be trying to hide the bot a little better.

    • by Doke ( 23992 )
      The bot currently only spreads and protects the device it's on. It's quite open about doing that; not using any stealth to hide. That is obviously a white-hat approach. The concern is that this is now a huge botnet, and potentially could be taken over by a black-hat.

      As we've tried to tell the politicians a thousand times, nothing is so secure the bad guys can't take it over for misuse.

  • by CaptainDork ( 3678879 ) on Monday May 01, 2017 @01:32AM (#54331829)

    ... but the comments, so far, are not of value to those who want some red meat.

    "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"

    I gotta think of everything?

    Hire this genius to make blister-pak retail-ready solutions available to everyone.

    Inject the goddam thing by remote to protect it.

    There's gold in them thar hills, I tell yun.

    • What about hiring this person to build the attack into a router. The router routinely attacks devices on its local network, and doesn't let those devices susceptible to attack communicate with the rest of the internet. Non-technical people would get an off-the-shelf router that protects them from needing to research their (and their kids) IOT device purchases. The router vendor gets to advertise "locks out most possible IOT vulnerabilities on your network," and the susceptible devices are not part of some r
  • by Anonymous Coward

    He's not protecting devices. He's compromising them.

    He's exploiting a machine, to make it do what he wants it to do. Maybe most of us agree with why (stupid unsecured devices) but he's still exploiting it.

    He's not a "greyhat" he's a blackhat (or a script kiddy, depending on how you look at it). He's making peoples computers do things they never agreed was acceptable to them.

    Vigilante justice. Lets not celebrate this person.

    • by Highdude702 ( 4456913 ) on Monday May 01, 2017 @05:20AM (#54332189)

      Script Kiddie refers to somebody using somebody elses malicious code because they can not write their own. Which is not what this guy has done.

      ajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency.

      This guy obviously is NOT a script kiddie. As long as he doesnt have ddos capability and doesnt turn to nefarious purposes hes doing everybody a favor, and hes not even bricking the devices. which you guys were bitching about last week. so what, you people just want to LEAVE the exploitable low hanging fruit for the ddos script kiddies to get? are you stupid?

      • by moeinvt ( 851793 ) on Monday May 01, 2017 @08:16AM (#54332557)
        " As long as he doesnt(sic) have ddos capability and doesnt turn to nefarious purposes hes doing everybody a favor,"

        Max Butler [wikipedia.org] thought he was doing everyone a favor when he created a worm to patch a security flaw in BIND. No nefarious intent or purposes. Doing something which merely accesses a system, especially a government system, is considered a criminal act however. The Feds don't accept the argument: "Just a white hat, securing some systems." They came down hard on him and he ended up in prison.
        The person or people who did this better remain anonymous, especially if the botnet touched any government hardware.
        • I didn't say our shitty justice system wasn't going to bother him. I'm stating that way he's doing is morally right. And anybody that says otherwise is scum, because the fact that he's not bricking them, which I thought was a plenty good idea in the first place. He is actually protecting consumers from being exploited for harm and also protecting what would be the resulting ddos victims. We all know the justice system in America is flawed. That was never in question.

    • by Anonymous Coward

      He's not protecting devices. He's compromising them.

      He's exploiting a machine, to make it do what he wants it to do. Maybe most of us agree with why (stupid unsecured devices) but he's still exploiting it.

      He's not a "greyhat" he's a blackhat (or a script kiddy, depending on how you look at it). He's making peoples computers do things they never agreed was acceptable to them.

      Vigilante justice. Lets not celebrate this person.

      That's pretty much what a "grey hat" is though. Somone who does black hat things for white hat reasons.

  • I suppose this might be a better solution than brickerbot, if people just replace their bricked IoT gadget with another insecure IoT gadget.

  • by Gravis Zero ( 934156 ) on Monday May 01, 2017 @03:37AM (#54332025)

    The problem with this solution is that the companies are not getting the negative financial feedback (punishment) that they need to correct their behavior.

    I've said it before [slashdot.org] but it's worth repeating.

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

    The best option is to hijack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

    • by Highdude702 ( 4456913 ) on Monday May 01, 2017 @05:23AM (#54332191)

      I'm normally 100% against ddos. But this actually sounds like it might hurt. Bot finds device info, loads up ip for company who's product it is. fires off many UDP and ICMP packets at those ip's until the internet is pulled.

      • I'm normally 100% against ddos. But this actually sounds like it might hurt. Bot finds device info, loads up ip for company who's product it is. fires off many UDP and ICMP packets at those ip's until the internet is pulled.

        I was going to say that the problem with this plan is that clones of the product will also join the ddos on the makers of the original, but upon reflection this is actually a benefit

        • Could also grep everything in the html folder to find a brand name or part number which is somewhere on most devices web interface.

    • DDoS their makers

      The economics is strong with this one.

      If they can evade, though, they might not care and there will be secondary collateral damage (if they move IP's, use Cloudflare, etc.). The customers still need to be involved to ruin their reputations as well. Perhaps after a time the bots should still brick themselves.

      • by Gravis Zero ( 934156 ) on Monday May 01, 2017 @08:37AM (#54332627)

        The customers still need to be involved to ruin their reputations as well. Perhaps after a time the bots should still brick themselves.

        A curious idea but if it's too obvious then they may just dismiss it as "some hacker's fault" and possibly exchange it for a new one instead of laying the blame on the maker. I think a better solution to this would be to allow the device to function... but only intermittently and/or heavily delayed. This way they are more likely to leave negative reviews of the product itself. It's translating to the owner that insecure/connected devices are terrible products that is the challenge. When this is done it's merely left to survival of the fittest.

        • That't almost perfect. i cant think of any flaws, but as you said "then they may just dismiss it as "some hacker's fault" " However it would have a much bigger impact.

      • by Doke ( 23992 )
        DDOSing the manufacturers is interesting. However, the device has to not work for the user as quickly as possible, so they can return it quickly. Ideally, the naive user will think it's dead on arrival, and review it that way. That will hurt the manufacturer's sales numbers and reputation.

        Perhaps the ideas could be combined. Have the bot change the device so the only thing it does is DDOS the manufacturer, and not pass any other traffic. I understand this would be much harder, and far more device sp

    • Securing your device is almost always the responsibility of the user and not the vendor. They have no control how the user uses it.
      • The vendor has all of the control because they are the ones who made the default configuration. Also, blaming users for shitty security on an IoT device doesn't actually solve any problems... unless you are a vendor of an IoT product with shitty security.

  • What is an IoT device, exactly? My conception is stuff like cameras and connected toasters, but in TFA the only device maker mentioned is MicroTik, who do routers and APs. Most articles like this are similarly fuzzy on what exactly they are talking about.

    • IoT pretty much means anything connected to the internet thats not a full computer. but honestly in the sense of this and hackers using exploits and default passwords in general... Basically anything connected to the internet. If it is not properly firewalled or put in to a "Walled Garden" as apple would try to say(and even they are vulnerable at times) is able to be hacked. The most recent rash of wifi cameras and shit like "alexa" or what ever they call it these days. routers, access points, and dozens of

      • by b0bby ( 201198 )

        It seems to me, though, that the biggest problems are with a couple of categories; primarily crappy cameras/dvrs which require a port to be forwarded for external access and which seem to often have hardcoded root passwords in addition to simple defaults. Almost everything else (Alexa, routers, cloud based cameras and thermostats) *are* firewalled/behind a NAT and really are only vulnerable to a local attack or a hack of the cloud provider. (The MicroTik example was especially puzzling, because you usually

  • Use a video server like Blue Iris or a home automation gateway like Vera to provide a single T on the I for your remote viewing needs.

    Use vera/homeseer/ISY for your home automation. Now you have at most 2 Ts on the I to worry about.

    I have almost 2 dozen HA devices (locks, power outlets, switches, bulbs, thermostat, sensors) and only 2 IP addressable devices.

  • I'm curious - how/why do IOT devices have sufficient memory to support communications protocols/addresses, a bittorrent-based client, etc.?
  • Figure out why it needs to be on the internet in the first place.

    • The problem is, a device does not need to be directly exposed on the Internet.

      Mirai and other botnets (including the so-called whitehat ones) are scanning the subnet and attacking all detected hosts.
      So if *any* device is compromised, for example a browsing tablet device, then all devices are quickly attacked.

      From the corporate side, this is handled using the structured approach (partitioning, firewalling, port control, vlan-ing, ...)
      All of which are lacking or absent in the consumer world.

      Hence my question!

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Working...