IoT Security Flaw Leaves 496 Million Devices Vulnerable At Businesses, Report Says (crn.com) 108
Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor. From a report: The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces. The Palo Alto, Calif.-based company has previously made security disclosures, including the BlueBorne malware attack that impacted 5 billion IoT devices.
Just desserts (Score:5, Informative)
If you let your appliances communicate with anybody but you, you deserve what you get.
Re:Just desserts (Score:5, Insightful)
If you let your appliances communicate with anybody but you, you deserve what you get.
If for some incredibly stupid reason you need the company toilets and cameras and other crap connected toa network, build a separate network for them that never connects to teh intertoobz.
Re: Just desserts (Score:3, Funny)
You should probably connect the toilet to the tubes unless you want to deal with a very unpleasant mess
Re: Just desserts (Score:4, Funny)
You should probably connect the toilet to the tubes unless you want to deal with a very unpleasant mess
So your saying your instinks are telling you they could become outstinks?
Automatic expiration (Score:5, Interesting)
All IOT devices should automatically cease functioning after 1 year without a firmware update. It should be the default deadpans switch to assume they are security compromised unless someone actively is maintained by them. Routers could be set up so protocol identities are increments every year and anything with an out of date protocol could be restricted in what it can do on the network.
Re: (Score:2)
All IOT devices should automatically cease functioning after 1 year without a firmware update. It should be the default deadpans switch to assume they are security compromised unless someone actively is maintained by them. Routers could be set up so protocol identities are increments every year and anything with an out of date protocol could be restricted in what it can do on the network.
Nobody would buy IOT devices that had to be replaced every year. Most manufacturers only offer firmware updates for a short period of time. It would be the end of IOT for anyone except enterprises that could afford to roll and maintain their own.
Maintainence contract (Score:2)
Precisely wrong. First you are right that no one would buy an nonmaintaiable IOT device but they would buy ones that the manufacturers promised to keep updated. You could do that now of course but people complain about the Apple tax or similar. But Apple routers and Apple TV are trivial to update because they do it via the attached computer. So do things like chrome computers and fire sticks.
Or you could contract with a third party if you dare.
The key point is that once someone is paying for it then it
Re: (Score:2)
All IOT devices should automatically cease functioning after 1 year without a firmware update.
You are assuming your vision of a security profile onto everyone. If your device isn't on the Intertubes there is nothing to worry about with security. Firmware updates should always follow if it ain't broke don't fix it -- not break it if you don't fix it.
Re:Just desserts (Score:5, Interesting)
Re: (Score:2)
But how can I see who's ringing my doorbell from work then? How can I see what's in my fridge when I'm out shopping? How can I turn up the AC when it looks like fluffy is getting a little hot while I'm out getting dinner?
I can't believe you don't care about these incredibly important use-cases for internet enabled everything!
Re: (Score:2)
If you let your appliances communicate with anybody but you, you deserve what you get.
If for some incredibly stupid reason you need the company toilets and cameras and other crap connected toa network, build a separate network for them that never connects to teh intertoobz.
Much easier said than done, unless you're a company with the means and desire to roll your own device every single time. Your investors might decide it's stupidity and fire the executives, if you waste your resources here...
Many (most?) IOT devices require Internets access in order to function. Here's a more practical and common example of iot devices: IP security cameras. Few and far between are the IP cam's you can use without internet connectivity.
Another example? Streaming video player devices.
Re: (Score:2)
Many (most?) IOT devices require Internets access in order to function. Here's a more practical and common example of iot devices: IP security cameras. Few and far between are the IP cam's you can use without internet connectivity. Another example? Streaming video player devices.. guess where they stream content from? Want a thermostat that trends your cooling data, crunches the numbers, and attempts to reduce your power consumption? it's going to send that data off to a server farm for number crunching. There's a long list.
Then you accept that hackers will pwn you and the risk is worth it.
Re: Just desserts (Score:3, Funny)
I laughed, she laughed, the toaster laughed, I shot the toaster; it was a good time. -PCP
Re: (Score:3)
But you didn't shoot the camera.
That was your mistake.
Re:Just desserts (Score:5, Interesting)
One of the most frustrating things about these IOT things is that they won't work properly unless they have an internet connection and are registered.
I don't actually own any IOT things but kindle - AFAICT you cannot have a 'collection' until it can talk to the internet.
Kindlefire, connect to a private network with no (non proxy) internet connectivity and it will refuse to automatically use the connection - even if there are no other connections available.
I'd guess things like nest are the same. The crazy thing is that I do have a way onto my internal network from outside - a VPN - I don't need each and every device trying to find its own way to punch holes through my firewall. I shouldn't have to have firewall rules to catch outgoing traffic and send it to an internal server so devices work. I shouldn't have to have special DNS zones to redirect traffic.
These devices even try to use their own hardcoded DNS servers and bypass the ones supplied by dhcp/radvd so more firewall rules to send that traffic to the only reachable dns servers.
Re: (Score:3)
A dedicated firewall box for IoT is a good idea. You can just block everything except the few IP addresses they need to contact. Hard coded DNS can be fixed by simply re-routing those IP addresses to your own server.
Re: (Score:2)
I'd like to say "sue them silly" (Score:5, Informative)
Stuff goes wrong, doesn't it always? Sue the contractor's company.
The contractor's company goes out of business with no assets left, while the contractor has another business he's running under.
I'm guessing vendors of these IoT PoS run under the same rules. You can sue the fuck out of them, win, and get some dust bunnies and used condoms nobody on the cleaning crew wanted to touch.
The attack: DNS rebinding (Score:5, Informative)
Here's the basic idea of the attack they are talking about.
An IoT thermostat can be controlled by your smartphone or computer, via a web service it exposes. Your smartphone might send data to a script at http://192.168.1.4/temp.pyc [192.168.1.4]
An attacker is able to put malicious JavaScript on a web page which changes the temperature. The attack manages to get around the same-origin policy. The bad guy has their web page, titled "NEST Troubleshooting", on nesttb.com. It loads a script from scripts.nesttb.com. Your browser does a DNS request to get the IP of scripts.nedttb.com and it comes back with 77.77.77.77 and a ttl (cache time) of 1 second. The script then calls http://scripts.nesttb.com/temp... [nesttb.com]. It's been more than 1 second, so the browser does another DNS request for scripts.nesttb.com. The DNS server gives the IP as 192.168.1.34. The attacker can now change your thermostat setting.
Prevention:
The device manufacturer should require authentication in order to change the setting. This should involve a TLS certificate for the client, bit at least use a username and password which is generated for each device separately.
The customer can mitigate the risk by using a local network other than 192.168.1.1/24. Try perhaps 192.168.106.1/24
The customer also prevent the attack completely by not buying a super expensive toy, and instead buying a normal programmable thermostat.
Re:The attack: DNS rebinding (Score:4)
This is the Slashdot I remember. :)
Re: (Score:2)
All that sounds like it relies on an insecure web browser to break out onto your local lan. Doesn't that make it a web browser issue?
This is like if a dam breaks and floods a village, you blame the homes for not being water tight.
Bullshit attack (Score:4, Insightful)
This is a bullshit attack. If they've already gotten to the embedded web server then they don't need you to change your thermostat.
Re: Bullshit attack (Score:2)
Why would they need you to change it?
I don't think you understood what he was talking about ...
Not tell embedded server. Their own server (Score:2)
The attack is carried out from their own web server.
They set up nest-troubleshooting.com on their own hosting account. A script on nest-troubleshooting.com accesses scripts.nest-troubleshooting.com.
scripts.nest-troubleshooting.com (sometimes) has the IP address 192.168.1.4, which is the same IP as your thermostat.
Re: (Score:2)
There are not 496 million NEST devices out there. Not all IoT devices are alike, most are very different from each other, they don't use a common operating system at all. So where did this 496 million number come from?
Re: (Score:1)
Re: (Score:2)
It is easy to be vigilant at first, but when you are faced with a flood of this crap it is often hard for a human to know what to do.
Synology NAS appliance: do you let it do automatic updates, or block it from the internet completely? The same thing goes for each vendor you use— do they get a black hole, or effectively unrestricted access (since everything is encrypted)?
Re: The attack: DNS rebinding (Score:5, Interesting)
If you REALLY want to be a rebel & be safe(r), pick a network between 172.16.x.x and 172.31.x.x
99.994% of people have *no* idea that range of private IP addresses exists. Everyone knows about 192.168.x.x, and almost everyone knows about 10.x.x.x, but I have yet to meet anyone who uses 172.16.x.x-172.31.x.x for their home network.
Re: The attack: DNS rebinding (Score:2)
Until the intern at Evil Corp reads your post and uses it is default instructions for their next IoT device...
Re: (Score:2)
Intern! Stop reading slashdot and get back to work!
Now,
Your boss
Re: (Score:2)
I do this because no company I've worked for has used that IP block avoiding all sorts of 'fun' NAT issues when I'm VPN'd in from home.
Re: (Score:2)
Re: (Score:2)
I use that range for industrial automation. The remote access VPN routers will not connect if the same network address range is used twice along the connection.
Usually the factories are on the 10.xx network, and you're likely to encounter the 192.xx network anywhere, so it's easy to get locked out of your remote machine if you use the common ranges.
Many of the (Siemens) Ethernet devices also use that range for the default IP, so it makes remote recovery much easier as well.
or use a decent router (Score:3)
Load up pfsense and you are protected from this. Even with default settings.
Re: (Score:2)
Thank you for that.
I don't understand how DNS rebinding works on a local device. How would the attacker at nesttb.com know the internal IP address of my IoT device? And how did they know I am the one making the DNS request at all since my DNS request really went to my ISP's DNS server, who then made the DNS request on my behalf?
Defaults and enumeration (Score:2)
Most home / small office routers by default assign themselves 192.168.1.1 and hand out IPv4 IPs starting at 192.168.1.2, handing them out in order. Therefore pretty . Uch every device in everyone's house will have one of 11 IPs 192.168.1.2 - 192.168.1.12. The attacker simply tries each in turn.
This attack can't be done with IPv6. You don't have everyone using the same default IPs with IPv6, and IPs aren't normally assigned in order.
Re: (Score:2)
In this example, the attack requires knowing the IP address of the camera, not the router. Although to your point, they could probably get it right in 256 guesses.
Darn few people have 255 devices (Score:2)
Generally, the first device connected is assigned .2, the next .3, etc. So it would be rare to find any device in a house with an IP higher than about .12
a provider of Internet of Things security software (Score:3, Insightful)
says these devices have security flaws.
wait, whut? no fucking way. really?
Re: (Score:2)
It's almost like they want to claim that companies who have no experience with networked devices because so far their main experience lies in a totally different segment of electronics where the "networked" part is only tacked on as an afterthought don't spend time and resources making a feature secure they mainly have as a sales gimmick.
They won't learn (Score:5, Informative)
Rule 1. IOT devices are insecure
Rule 2. In the event someone has a secure IOT device read Rule 1.
Re: (Score:2)
IoT could be made secure. The problem is that security costs time and money, and it ain't something people care or even know about. Especially in devices they don't consider "computers".
Re:They won't learn (Score:4, Insightful)
Re: (Score:2)
Yeah, because everyone knows as long as you don't find the horse, you can still pretend it's inside the barn.
Re: (Score:2)
Re: (Score:2)
If no one is digging into your code but your market share is big enough, me digging into your code will produce some exploits easily because nobody found them before me.
Re: (Score:2)
Hence the "Obscurity" part. I could have SQL injection issues all over, but if no one tries to exploit them then they are not a problem. Until someone does, but that's not the point!
Re: (Score:2)
Part of my job is to disassemble code and look for security flaws. It's a pretty expensive way to hunt for security flaws, but when the stakes reach 7 figures, it starts being worth it.
If the potential revenue (or damage, depending on what side you're sitting on) is big enough, someone will start looking for security flaws even if it means digging through obfuscated, self-modifying assembler code in a custom virtual machine.
Hell, game crackers do it for free, so...
Re: (Score:2)
Not just for free, the do it for FUN, I know, because I used to do it.
Re: (Score:2)
I once had a job that was basically reverse engineering well obfuscated software. One of the requirements of the job was also that you didn't have any police record. But ... how do you learn to reverse engineer well obfuscated software, let alone how to use the various tools of the trade?
"Don't ask - don't tell" got a whole different meaning there...
Re: (Score:2)
Re: (Score:2)
I shudder at the thought that there is actually a large bank with shoddy enough practices, processes and protocols to let a single guy have the admin password of a critical system.
Re: (Score:2)
Re: (Score:2)
Everything could be made secure. But it isn't and it's not going to happen anytime soon either. Not until people start dropping dead, and by then there will be so many insecure devices that instead of fixing the problem it's cheaper to make a Draconian example of the "hacker". This is already happening, the horse has bolted from the stables, and we CAN'T close the door, so now we crucify the person who finds the horse.
Well ... to play devil's advocate, stealing horses actually is illegal.
We don't just shrug and say "oh well, you should thank the horse thieves for testing your security. This should lead to stronger barn doors."
Re: (Score:2)
So is hacking, but that doesn't seem to be acting as much of a deterrent since most people are not caught. So the few they do catch are strung up to set an example, but the real problem is that most of these "hackers" are just script kiddies, and have no fucking clue. The serious malware out there is written in assembly, and the coders have decompiled the fucking decompilers and have written their source code in a way that makes the decompilers run around in loops. I m
Buy a new firewall (Score:3)
Have a modern OS be the only way back to the internet/cell phone for the IoT.
Firewalls and OS always stay updated and work on the internet?
Nothing on the internet can see the IoT. the IoT can only see the OS and firewall.
The OS takes what the IoT wants to communicate and makes such data secure, sending it in a modern way out to the user.
The user can interact with their IoT but the internet only detects a firewall.
Re:Buy a new firewall (Score:4, Interesting)
What exactly is this magical firewall you speak of? Most are simply stateful and port blocking, which means internally started communication is fine. When the device phones home (in what ever innocuous way, even with a hard-coded NTP request), they have full access. You can’t proxy the https traffic, so you really don’t have any of the easy means of control. You can try a few other tricks— but it gets to diminishing returns quickly.
Re: (Score:2)
That keeps the IoT working behind a secure network.
The OS can then pass on any requested data beyond the modern secure firewall as needed.
Re 'but it gets to diminishing returns quickly"
Think of the software sales and support at an OS and app level to secure the IoT in new ways. Upgrades to software networks every year to keep old IoT hardw
Re: (Score:1)
Haha his "new" fireall will be cloud-native and run an AI block chain.
Re: (Score:2)
What exactly is this magical firewall you speak of?
An ultra secure CISCO one of course!
Re: (Score:3)
Someone should build a Raspberry Pi firewall for IoT devices. It would basically block everything by default, and then have simple check boxes for different IoT devices that open up access to the necessary IPs/domains. Settings contributed by the community, similar to ad-blockers.
Throw in a bit of rate limiting. Second ethernet port can be a cheap USB thing, doesn't need to be fast. Build in WiFi so it can act as an AP. Could be a popular project, like the PiHole.
Re: (Score:2)
The OS takes what the IoT wants to communicate and makes such data secure, sending it in a modern way out to the user.
I'm not sure this means anything......
Re: (Score:2)
The IoT product is long past getting new support.
The user still wants to communicate over the internet with their IoT products.
Consumer AV scans can only do so much to tell the user about their home network and default passwords.
Time to think about the OS, software and firewall to try and protect wide open IoT expected to face the internet.
Good, but doesn't solve this issue (Score:2)
> Nothing on the internet can see the IoT. the IoT can only see the OS and firewall.
That's all good, but doesn't solve this issue. This vulnerability requires that:
Your computer or phone can see the web.
Your computer or phone can see the IoT.
This is why I don't trust IoT (Score:5, Interesting)
With various upgrades to my house (mostly solar), I've had to accept some IoT devices. So I've segmented my wireless network. There's an open wifi (secured by a passkey, I still consider this open), and there's a second wifi that needs 802.1X authentication. The IoT devices go to the open wifi, which is on its own subnet and vlan, and only has access through the firewall with QoS tuned down to 1 Mbps. The second wifi has its own vlan, and is routed to the internal wired network. But if I find that's been compromised its easy to shut it down. I have yet to come upon a consumer IoT devices that can work with WPA2-Enterprise & 802.1X, but my sample size is small.
Of course most people don't run Linux firewalls with 3 Ethernet cards, and level 2 managed switches at home. Prosumer tip: watch the switch manufacturer End-of-Life notices and pick up the switches at fire sale prices as everyone tries to dump their supply, don't buy off of EBay or refurbished, you never know what's one there.
Re: (Score:2)
Re: (Score:2)
Switches do generally last forever though, what happens when patches do cease is up to your security risk appetite. Assuming you know what you are doing and have them properly locked down with management IPs firewalled away or disa
Re: (Score:2)
Yes, so low [tomshardware.com] risk [bleepingcomputer.com]. For values of low that include near certainty, I guess.
Re: (Score:2)
Re: (Score:2)
OP didn't say buy the firewalls at EoL - just the switches. EoL is not the same as end of support, which mean you get a good few years before they go out of support and patches cease, so you get a decent switch for your home network, rather than your regular cheap SOHO model. Switches do generally last forever though, what happens when patches do cease is up to your security risk appetite. Assuming you know what you are doing and have them properly locked down with management IPs firewalled away or disabled, etc., then they're a pretty low security risk, barring some "packet of doom" style exploit.
Do you follow CERT? Cisco has tons of exploits in their gear, including countless backdoor accounts. Some that have been discovered and published on the internet that Cisco hasn't even acknowledged. You can't secure a switch against a known backdoor if the switch can be accessed.
Re:This is why I don't trust IoT (Score:4, Insightful)
The problem with microcontrollers and security is that security consumes a fair lot of processing power if done right. And while this is really no concern these days for a desktop or even a mobile computer (including smartphones), it still is a concern for lower end IoT devices powered by microcontrollers that can barely accomplish what their function is with the computing power they have.
And try to justify the 2.50 bucks for the extra IC (or the next powerful IC) to implement sensible security. Not to mention the hundreds of hours.
Re: (Score:2)
The problem with microcontrollers and security is that security consumes a fair lot of processing power if done right. And while this is really no concern these days for a desktop or even a mobile computer (including smartphones), it still is a concern for lower end IoT devices powered by microcontrollers that can barely accomplish what their function is with the computing power they have.
And try to justify the 2.50 bucks for the extra IC (or the next powerful IC) to implement sensible security. Not to mention the hundreds of hours.
Why does security have to consume a fair amount of processing power? This all depends on the attack surface of your project, but most of the things that need to be secured ought to be considered and planned for before you even write your first line of code. And checking input shouldn't be that time consuming for a microcontroller. The real costly part of security is the time it takes to properly implement and verify it.
Re: (Score:2)
Why does security have to consume a fair amount of processing power?
Because it's easier to just ACCEPT all connection attempts instead of piping them through multiple layers of filters. Even the most basic authentication scheme is more complicated and time consuming than allowing total access to everyone. Even if the gadget only connects actively and does not allow others to establish a connection, you have to sanitize input from your peer.
Re: (Score:2)
Why does security have to consume a fair amount of processing power?
Because it's easier to just ACCEPT all connection attempts instead of piping them through multiple layers of filters. Even the most basic authentication scheme is more complicated and time consuming than allowing total access to everyone. Even if the gadget only connects actively and does not allow others to establish a connection, you have to sanitize input from your peer.
But you should always be sanitizing your inputs, no matter where they came from. So the lost processing power SHOULD be zero because you should already be doing that anyway. And most hardware has cryptographic instructions that offload the verification of hashes and signatures so the only wasted processing power there is waiting for the bus to send and receive the request.
Re: (Score:2)
If they DID do it then we wouldn't have the problem we're having. The exact problem is that they're not sanitizing their input.
Re: (Score:2)
Security on MCUs isn't actually too hard. I implemented an RSA based system for encrypted GPS logging as a hobby project a while back, it wasn't much work. That was an 8 bit MCU which admittedly had AES acceleration (not uncommon now).
Thing is most of these devices are actually running some kind of RTOS on a 32 bit ARM, with crypto acceleration to support the WiFi stack. ARM SoCs with WiFi are super cheap now, well under $1 in quantity, e.g. the ESP8266. The manufacturers often offer free modules to handle
Re: (Score:2)
That is the second part of the problem. We're looking at engineers whose experience so far never included security. Someone who designs TV until very recently had no reason to know the first thing about network security. Let alone people who design refrigerators, stoves or washing machines. Suddenly these things "must" connect to the internet. What happens now is that some kind of internet connectivity kit is somehow haphazardly attached to the machine (or to paraphrase Homer Simpson, they take an existing
Re: (Score:2)
Prosumer tip: watch the switch manufacturer End-of-Life notices and pick up the switches at fire sale prices as everyone tries to dump their supply
I hear there's a lot of CISCO gear going cheap.
Re: (Score:2)
don't buy off of EBay or refurbished, you never know what's one there.
It doesn't matter where you get a router, you need to reflash it when you get it with something known good. In fact, it doesn't matter what it is, if it's reloadable, you need to reload it from known good media when you get it.
Suspicious (Score:2)
" The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces"
I understand now.
Re: (Score:3)
Uh, yeah, it was. [slashdot.org] Big news at the time. This was a short while before they were acquired by Microsoft.
The real security threat is marketing hyperbole (Score:1)
IDIOT == Insecurely Designed Internet Of Things (Score:2)
A much more appropriate acronym.