Category Archives: IoT

Encouraging developments in the IoT security mess

By now you’re probably aware that the push to connect everything to the Internet has been at the cost of security. Many IoT (Internet of Things) devices are poorly secured and can expose users to significant threats. I always encourage people to consider whether they really need their toaster to be connected to the Internet, and disable that feature if the answer is no.

Until recently, the IoT landscape was like the wild west, with little or no regulation of the security aspects of these devices.

But there’s reason for optimism, as reported by Bruce Schneier. Consumer Reports, the venerable consumer protection organization, is now testing the security of IoT devices, starting with home security cameras. Hopefully CR’s focus on security will be extended to other types of IoT devices soon.

Goverments are also waking up to the threat. California’s new SB 327 law, which will come into effect in 2020, will require that all network-connected devices meet basic security requirements. Other governing bodies are sure to follow, hopefully soon. Ultimately, we should have security standards for connected devices everywhere.

These efforts seem likely to get the attention of IoT device manufacturers, and encourage them to improve the security of their products. In particular, IoT devices need better security out of the box, with risky features disabled by default instead of enabled. Many devices are still shipped with well-known default passwords, and remote administration access enabled by default.

Mirai botnet update

It wasn’t Russia, or China, or any other nation-state. The motive wasn’t political. The IoT-based Mirai botnet was created by three young American men as a tool for crippling Minecraft servers and related services.

Of course, once Mirai’s authors realized the unprecedented power of their creation, they started using it for other things: as a tool for gaining customers for an anti-DDoS service; to kick Brian Krebs’ web site off the Internet as revenge for outing the authors of vDOS; and later as a lucrative click fraud engine.

Last week, in a courtroom in Alaska, Mirai’s creators all pleaded guilty to charges related to Mirai, including conspiracy to violate the Computer Fraud and Abuse Act (CFAA). FBI agents had tracked the botnet’s activities to the trio.

While I’m happy that these assholes have been caught, and are likely to spend significant time behind bars, Mirai is a sobering reminder of the fragility of the Internet. The earliest version of the Internet was ARPANET, which was literally designed to withstand nuclear attack. But even nukes can’t compare with the power of smart, young people with plenty of spare time. Not long after the Internet was born, a college student named Robert Morris brought the nascent network to its knees with a simple software worm.

Meanwhile, because the Mirai authors shared the botnet’s source code (in a futile attempt to confuse investigators), Mirai clones are popping up regularly, and doing a lot of damage.

Still, it’s encouraging to see that the FBI and other agencies are getting better at tracking the perpetrators of these malicious schemes. Other recent arrests include the person behind an attack on Deutsche Telekom that used a Mirai variant; and the operator of the Kelihos botnet. Hopefully these arrests will provide a sufficient deterrent for those similarly inclined.

KRACK Wi-Fi vulnerability: what you need to know

Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent automatically connecting to Wi-Fi networks it finds in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.

References

Brian Krebs investigation reveals author of Mirai worm

The Mirai worm has compromised thousands of IoT devices that were subsequently used in several recent, massive DDoS attacks, including one against the web site of Brian Krebs, well-known security researcher and blogger.

In an appropriately-lengthy post, Krebs describes the process by which he tracked down the identity of the author of the Mirai worm. It’s a fascinating read.

Krebs has published the results of similar investigations in the past, which is why he’s become a target for DDoS attacks, Swatting, and other despicable acts. It remains to be seen whether he will be the target of any new attacks in the wake of his Mirai investigation.

I applaud Krebs’ persistence and dedication in the face of these attacks. Here’s hoping he keeps fighting the good fight, for the benefit of Internet users everywhere.

Vivaldi 1.5

A new version of alternative web browser Vivaldi fixes a load of bugs, improves reader mode, and adds the ability to control home lighting.

Wait, what? Home lighting control? That’s right, Vivaldi 1.5 sports a feature that’s unlikely to have been on anyone’s wish list for their web browser. From the announcement: “Selecting which lights Vivaldi should control, the browser will synchronize your physical surroundings with the color of the web. This opens the door to a thrilling direction.” Apparently the Vivaldi developers are oblivious to the many serious security issues related to IoT devices, including the Philips Hue light bulbs on which this feature depends.

More usefully, Vivaldi 1.5 makes big improvements to tab and bookmark functionality, which in previous versions were at least partially broken in various, random ways. Version 1.5 seems to have addressed all of the remaining tab and bookmark issues.

Vivaldi 1.5 also includes changes to its update mechanism, and will now only download changes (not the entire browser) when updating itself. Presumably the Vivaldi developers noticed Microsoft was doing this for Windows 10 and decided to follow along. It’s a welcome change, but not exactly groundbreaking.

The official announcement post for Vivaldi 1.5 includes a list of all the changes. None of them seem to be related to security.

DDoS attacks on Dyn caused outages and slowdowns

If you use Twitter, reddit, Amazon, Tumblr, Spotify or Netflix, you may have noticed that they were slower than usual for parts of yesterday. That’s because the affected sites and services use Dyn, a DNS service provider, and Dyn was hit by two huge DDoS attacks yesterday.

The attacks lasted for a few hours, and while they certainly affected a lot of people, they were no more than an inconvenience for most. Still, the surge in the number and size of these attacks is troubling.

Analysis of the attacks shows that they were made possible by the Mirai botnet, which uses a huge network of poorly-secured (and now compromised) DVRs and security cameras. Those are the same tools used in the recent krebsonsecurity.com and OVH DDoS attacks. The source code for Mirai was released to the public recently, which means just about anyone could have caused the Dyn attacks.

Brian Krebs has more.

Update 2016Oct24: Dyn has released a statement about the attack on their systems, in which they clarify the timeline, and confirm that the Mirai botnet was involved. Meanwhile, security expert Bruce Schneier doesn’t believe that the recent attacks were perpetrated by a state actor such as China. He also doesn’t think they were related to the probing attacks he reported earlier. But he is concerned that the attacks will continue to grow in size and frequency, because nobody involved is motivated to fix the problem.

Chinese device maker Hangzhou Xiongmai has issued a recall for several of its webcam models that were used in the attacks. However, they are only one company out of hundreds (maybe thousands?) of companies producing poorly-secured IoT devices.

Update 2016Oct25: According to Brian Krebs, Xiongmai has also made vague legal threats against anyone issuing ‘false statements’ about the company. This is presumably part of a PR effort to improve the company’s image in the wake of the attacks, but it’s hard to see how this will help anyone. The company’s main objections apparently relate to statements by Brian Krebs and others about users’ ability to change passwords. Testing has shown that back-door, unchangeable passwords exist on some of the affected devices.

Regulating Internet connected (IoT) devices

At this point it’s clear that thousands of poorly-secured IoT devices were used in the recent large-scale DDoS attacks against krebsonsecurity.com and OVH. Ongoing analysis points to devices manufactured by a Chinese company called XiongMai Technologies, which makes generic Digital Video Recorder (DVR) and Internet camera devices that are sold to vendors who use them in their own products.

Chinese vendor Dahua sells products that use these vulnerable devices. Dahua products appear several times in the list of affected devices published by Brian Krebs, and Flashpoint Intel also identifies Dahua devices as being involved.

Companies like XiongMai Technologies and Dahua share the blame for flooding the Internet with these easily-co-opted devices. XiongMai Technologies created devices that are inherently insecure and unsuitable for direct connection to the Internet. Dahua either failed to comprehend the danger, or chose to ignore it, producing deeply flawed consumer devices and – as Brian Krebs puts it – dumping toxic waste onto the Internet. These devices are spread around the globe, most to be plugged in and forgotten for years, ready to be abused by whoever can find them. Some of these devices can’t actually be fixed, since their vulnerabilities exist in firmware that can’t be updated.

Dahua’s response to all this isn’t likely to reduce concerns, since it tries to shift the blame onto users who failed to change default passwords, while ignoring the fact that these passwords cannot be changed in some cases.

What can be done about this? Beyond locating and removing the current crop of vulnerable devices – a difficult task in itself – how can we avoid this situation in the future? Preventing poor quality products from entering the market is ultimately the responsibility of governments. Until authorities get involved, this is likely to keep happening. If they fail to act now, the attacks will continue to get worse until commerce is affected, at which point it will no longer be possible for governments to ignore the problem. Bruce Schneier shares this view.

The good news is that the European Union is already taking action. The EU is planning to upgrade its telecommunications laws, which are now expected to include requirements for labeling IoT devices that are secure and approved for Internet connection. This kind of labeling already works well for showing the energy usage of electrical appliances.

Kudos to the European Commission for recognizing that the ongoing flood of crappy IoT devices is a major contributor to Internet-related problems, including the recent, massive DDoS attacks. Let’s hope that other governing bodies wake up soon.

Confirmed: record-breaking DDoS attacks using IoT devices

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.

Cory Doctorow on the future of the privacy wars

Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”

After providing some background on the current privacy situation, and how we got here, Doctorow speculates on what will happen when even the absurd notice-and-consent terms of use agreements that we see (and blindly agree to) every day are gone, leaving us surrounded with devices that invade our privacy without any pretense at consent, all in the name of commerce.

In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.

Meanwhile, Doctorow wonders whether and when this will come to a head with some kind of legal challenge. There have been attempts to challenge the validity of terms of use agreements that nobody ever reads, but so far the results are not promising.

I’d like to see Microsoft singled out for its current Windows strategy, which includes gathering and transmitting user information, ostensibly for the purpose of providing better support, but which can also be used to better target advertising, another feature of newer versions of Windows. To be sure, these features are currently protected behind terms of use agreements, but even those could disappear in a world dominated by smart devices.

Doctorow is worried about this, and so am I.