Forbes: Hack on Putin's Intelligence Agency Finds Weapon to Exploit IoT Vulnerabilities (forbes.com)
"Red faces in Red Square, again," writes a Forbes cybersecurity correspondent:
Last July, I reported on the hacking of SyTech, an FSB contractor working on internet surveillance tech. Now, reports have emerged from Russia of another shocking security breach within the FSB ecosystem. This one has exposed "a new weapon ordered by the security service," one that can be used to execute cyber attacks on IoT devices. The goal of the so-called "Fronton Program" is to exploit IoT security vulnerabilities en masse — remember, these technologies are fundamentally less secure than other connected devices in homes and offices...
The security contractors highlight retained default "factory" passwords as the obvious weakness, one that is easy to exploit... The intent of the program is not to access the owners of those devices, but rather to herd them together into a botnet that can be used to attack much larger targets — think major U.S. and European internet platforms, or the infrastructure within entire countries, such as those bordering Russia.
But the article also notes that targeted devices for the exploits include cameras, adding that compromising such devices in foreign countries by a nation-state agency "carries other surveillance risks as well." It also points out that the FSB "is the successor to the KGB and reports directly to Russia's President Vladimir Putin," and its responsibilities include electronic intelligence gathering overseas.
"The fact that these kind of tools are being contracted out for development given the current geopolitical climate should give us all serious pause for thought."
Dupe (Score:3)
This news was already posted to Slashdot two days ago?
https://tech.slashdot.org/stor... [slashdot.org]
Re: Dupe (Score:1)
You underestimate the dangers! (Score:2, Funny)
Russian hackers are unstoppable, and they are everywhere.
I was sitting at home last night, listening to nothing in particular, and suddenly noticed that my washing machine was hacked. It would be silent for a moment, and then go like "kgbeeeeee.. kpss kpss kpss kpss kpss kpss...", drone on for a while and stop with "gorbeeeee-ew". And when it was done, my laundry was still dirty.
I sat for a snack and then suddenly my toaster began whispering to me, and was like "PUT-tsk-tsk-tsk-tsk-tsk-INNNN!" and only d
Re: You underestimate the dangers! (Score:2)
Just turn it all off. Better to be naked, hungry and tired than a tool of the Kremlin.
Re: (Score:2)
Re: (Score:2)
Maybe you should hack up an internet-enabled dupe detector?
Maybe add it as a feature on the coffeemaker? Or toaster?
Dupes are reassuring (Score:2)
At least, this is evidence, we still have fallible humans for editors, rather than AI.
Except, maybe, it is just a poorly-implemented AI... Sigh...
So someone copied Mirai. Badly (Score:3, Interesting)
Wake me up when they find the real IoT malware - the one that blows up grids by using the on/off switches inside smart meters in a pre-programmed sequence until the grid safeties force the grid to start "cutting its own limbs".
The "blow up grid" part has existed in the Russian arsenal since the 1970s (in fact I know a couple of people who have done the math for it).
The smart meter bit? It is an obvious extension and they are hackable and have an on-off switch. So what could be done (and was originally planned to be done) by hacking the grid control can now be done by hacking the smart meter.
Re: (Score:3)
Re: (Score:2)
Besides, hacking of the grid is only momentary. A few minutes or hours later systems are reset and it's back up again, that's not what keeps power engineers awake at night.
A dozen people scattered around the country armed with second-hand deer rifles can shoot up the major substations and grid interties, and the grid crashes *hard*. Spares are brought in, and replace the damaged equipment, and new parts are ordered. Over the course of several days the disparate parts of the grid are reconnected and bala
Re: (Score:2)
Why are governments the only players you consider? And why are electronic attacks your only consideration?
Hardware attacks by non-state players would be devastating, cheap, easy, more expensive and longer lasting, and who are you going to "counter attack"? Think about New England without natural gas in the middle of winter because five mercenaries stole backhoes and tore up the pipelines. Or Las Vegas some summer without potable water for weeks because one Punjabi activist drove a bulldozer through the w
Re: (Score:2)
Many modern smart meters have safeguards against such an obvious attack. For instance, an immutable delay in the execution of such on / off commands, or a limit on the number of times such a command can be executed in a certain period of time. The smart meters used here don't even have an on / off switch, it's just a meter.
1. Every smart meter I have come across has an on-off switch. It is just a matter of it being advertised or not. It is the real reason for their deployment - ability to kill pensioners during a harsh winter for non-payment without the PR fallout. "It's the computer, it's not us". It is usually disguised under weasel words such as "demand load management" and "load shedding".
2. I said "hacked", I meant "hacked" - the meter, not the metering system. You are absolutely correct that the metering system has saf
Re: (Score:2)
Re: (Score:1, Troll)
They attack IoT devices in the hope of finding some that are on critical networks. There was a story a couple of years back about a casino that was hacked by initially using the IoT fish tank in their lobby to get inside their network.
High ranking politicians are probably the most likely to fall victim to this. For example we know that both Clinton and Trump had private email servers with sensitive information on their networks, and all it would take is for someone to plug in a vulnerable IP cam or their sm
Re: (Score:2)
> High ranking politicians are probably the most likely to fall victim to this.
If they are "the most likely", it's by a very thin margin. Arrogant developers or sysadmins, excited by available technologies and without the experience to master security in depth, are also extremely vulnerable. I'm remembering very well developers and admins who stored their SSH public keys and AWS secrets in NFS shares without Kerberos-based NFS access, exposed to the Internet at large because of policy decisions made else
Re: (Score:2)
Policy decisions, including greedy VCs who refuse to cough up money to hire a security specialist for their new IoT toy. The habit of non-technical managers of expecting someone who's good at writing device firmware to also be expert in secure communications and building a secure web site and database is the **ONLY** reason why the article can claim "these technologies are fundamentally less secure than other connected devices". Done right there is no reason for a video doorbell to be less secure than the
Re: (Score:2)
> including greedy VCs who refuse to cough up money to hire a security specialist for their new IoT toy
Oh, my. This is a familiar cry from people excited by technology over practices. On various occasions, _I_ or my colleagues are the security expert brought in after the fact to clean up the mess. The problem is also not usually an IoT specific mess. It's a much earlier set of poor decisions at multiple levels that leave multiple holes at multiple levels of the company, ranging from credentials stored in
Re: (Score:1)
Congratulations, you just engaged with a Russian propaganda account and helped legitimize it. Look at the link in his sig... it's a Russian disinformation site.
Re: (Score:2)
Yes, and Clinton was advised to do so by her predecessors Rice and Powell, since it's the only way to avoid the official government policies on record keeping and destruction of documents.
Enough with this cyber-bullshit (Score:1)
Re:Enough with this cyber-bullshit (Score:4, Insightful)
That assumption is false. Propaganda in single-party states is *crude* compared to democracies.
In a democracy with a relatively free press it's a lot harder to hide stuff, so the amount of cover-up and the tools of obfuscation become much more sophisticated.
Whereas in a police state with obedient or state-controlled media, you don't have to do anything sophisticated: you just say "print what we tell you or you 'disappear' ", and people learn not to question the official word no matter how easy it is to see through it.
It's extremely easy to hide stuff when you control the media. It's when there's a free press that the really sophisticated tools of obfuscation get developed. Hence, the USSR's tools of obfuscation weren't actually that well developed.
Re: (Score:2)
Re: (Score:1)
The Russian networks are as secure as the NSA and GCHQ in the 1970-1990 decade.
Walk in only work. No photocopy services in the past. No data devices in 2020.
If anyone published anything Russia did that the CIA, NSA, MI6, GCHQ had found around 2020.... that would not be for publication in the west for decades.
If Russia had a contractor problem why tell them? Let the CIA and MI6 work on that "contractor problem" without any nation alerting
I'd be surprised if they weren't doing this (Score:2)
I'd be surprised if they weren't doing this. Your average IoT gadget has more holes in it than Swiss cheese, and it never gets updated either. I'd frankly ban them at the federal level until they get their shit together.
Re: (Score:2)
If they'd just plan to never make updates, they could build them like toasters and it would be fine.
Platform the Attack (Score:2)
Free hacking (Score:2)
Security is like free speech - we all want it but it means that we are going to hear things we do not want to hear. You will never stop the bad stuff so instead make more of the good stuff.