
Cyber attack yesterday was possibly powered by IoT devices

Still waiting for the first pacemaker hack...
If that happens things will move along quickly when CNN goes ballistic.
 
Hmm, my internet went out the other day, and my FIOS router's power light was flashing green, for a short bit. Seemed like a soft-reset? Maybe due to a firmware flash?

Initially, I thought that Verizon was updating the firmware to block out this botnet, but now I think it might be 0wn3d by the botnet.

I know that Verizon FIOS routers are open to the "outside", at least to the extent that the manageability ports are open from the outside. They're supposedly protected, but who knows how well.
 
I have wifi, but I have it on a separate VLAN. I do not like making stuff wireless unless it is specifically a mobile device. I wire everything that is stationary.

My biggest fear though is that Intel backdoor that was discovered a while back. It's essentially a separate CPU running on the same die. Very little is known about it, but essentially there is a backdoor where it can either use your NIC to communicate out, or its built-in 3G radio. There is very little info about this or how to protect yourself. I was toying with a Faraday cage for the whole server room, but it would require a pretty serious overhaul as I have a lot of stuff attached to the ceiling, not to mention the floor. And even if I succeed in blocking all RF, it can still use the NIC, and probably does so at a very low level, so any amount of software firewall won't be enough. All the CPUs/NICs will just talk to each other at its own layer 1, perhaps at a slightly different voltage or something. At least in theory. Little is known about how this actually works.

I would not be surprised if AMD does the same. This is probably mandated by the government.
https://www.youtube.com/watch?v=EjbQ-BDh4PU#t=1m19s

Watch from 1m19s to 2m12s.
 
Yeah, but it's also a good idea to not actually connect stuff directly to the internet. Even a basic NAT firewall will protect you. That's what I'm wondering about all these IoT devices being hacked... are people actually connecting this stuff DIRECTLY, like without a router? Or are they actually port forwarding... telnet, of all things? It just seems strange to me.
Devices can open up ports using UPnP. Also, with IPv6, there's no such thing as NAT.
 
What devices are we talking about? I can't find any reference anywhere as to specific models hacked. I'm curious because not only do they need to be compromised, they also have to be directed to attack somehow. Are they writing scripts for all of these?

And yeah, whoever coined the phrase "Internet of Things" should be shot. The name is insanely stupid.
 
What devices are we talking about? I can't find any reference anywhere as to specific models hacked. I'm curious because not only do they need to be compromised, they also have to be directed to attack somehow. Are they writing scripts for all of these?
Mirai supposedly hacks devices running BusyBox. Beyond that I suppose it's either a case of finding exploits or having a list of default passwords.
 
Devices can open up ports using UPnP. Also, with IPv6, there's no such thing as NAT.

Oh yikes, do these actually open up ports with UPnP? Definitely a stupid implementation if that's the case. UPnP in general is a bad idea and should be turned off, but often is not. Lack of NAT in IPv6 is an issue too; I knew it would be from the get-go when I heard about it, but it seems to hurt a lot of IPv6 people's feelings when you mention NAT. 😛 With a proper firewall like pfSense you don't necessarily need NAT, but most people won't have that.


But yeah typically if something like this gets exploited the script is then loaded and then other devices are exploited from it.

I enabled SSH without fail2ban on an internet-facing VM once for fun. It was hacked within 5-10 minutes. By the time I noticed (my internet was essentially part of a DDoS at this point, so it took no more than a few minutes to narrow it down) my hacked VM had already hacked 3 different SSH servers. One was a university somewhere in the States and another was some kind of federal server of sorts. The IP was owned by the DoD. I can't recall what the other was, just something less high profile like another home user or something. The script was nice enough to leave logs of what it did. Just comes to show how fast it can happen without proper security in place.
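The "hacked within minutes" story above is what fail2ban is built to stop: count failed logins per source address in a sliding window and ban once a threshold is crossed. This added example (not code from the thread or from fail2ban) implements that logic over constructed sshd log lines, and also flags a success that follows a burst of failures, which is the signature of a guessed password. The threshold names maxretry/findtime mirror fail2ban's settings; the log year is assumed because syslog lines omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd's syslog format (not real log data).
SAMPLE_LOG = """\
Oct 22 03:14:01 vm sshd[812]: Failed password for root from 198.51.100.23 port 40122 ssh2
Oct 22 03:14:03 vm sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 40124 ssh2
Oct 22 03:14:06 vm sshd[812]: Failed password for invalid user pi from 198.51.100.23 port 40127 ssh2
Oct 22 03:14:09 vm sshd[812]: Failed password for root from 198.51.100.23 port 40130 ssh2
Oct 22 03:14:12 vm sshd[812]: Accepted password for root from 198.51.100.23 port 40133 ssh2
Oct 22 03:20:00 vm sshd[900]: Failed password for root from 203.0.113.8 port 50001 ssh2
Oct 22 03:45:00 vm sshd[901]: Accepted publickey for ops from 192.0.2.10 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2016):
    """Return (timestamp, result, user, ip) for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    return ts, m["result"], m["user"], m["ip"]

def analyse(log, maxretry=3, findtime=600):
    """fail2ban-style sliding window: ban an IP after maxretry failures within findtime seconds.
    Also report any successful login from an IP that still has recent failures on record."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bans, suspicious = [], []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        window = failures[ip]
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()            # expire failures older than findtime
        if result == "Failed":
            window.append(ts)
            if len(window) >= maxretry and ip not in bans:
                bans.append(ip)
        elif window:                    # success right after failures: likely a guessed password
            suspicious.append((ip, user))
    return bans, suspicious
```

Running `analyse(SAMPLE_LOG)` bans 198.51.100.23 on its third failure and reports the later root login from the same address as suspicious, while the single failure from 203.0.113.8 and the key-based login from 192.0.2.10 are left alone.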
 
Hmm, my internet went out the other day, and my FIOS router's power light was flashing green, for a short bit. Seemed like a soft-reset? Maybe due to a firmware flash?

Initially, I thought that Verizon was updating the firmware to block out this botnet, but now I think it might be 0wn3d by the botnet.

I know that Verizon FIOS routers are open to the "outside", at least to the extent that the manageability ports are open from the outside. They're supposedly protected, but who knows how well.

A router/modem that auto-updates? I'm surprised... but I shouldn't considering that my cable box does it every freaking night at 2am.
 
I would not even bother sending the password to them. They'd be locked out until they smarten up and don't expose that shit to the internet in the first place.

Yeah, but I'd bet that a lot of people would probably think that the "device went screwy" and do a factory reset on it. Now they're back to the insecure factory password settings.
 
Robert Page, lead penetration tester at security firm Redscan, said: “It’s interesting that nobody has yet claimed credit for the attack. The relative ease at which DDoS attacks are to execute, however, suggests that the perpetrators are most likely teenagers looking to cause mischief rather than malicious state-sponsored attackers.”

Lead Penetration Tester.

How do I get that job?
 
Lead Penetration Tester.

How do I get that job?
So you're looking to test some penetrators?
 
I also have none, but I do worry about my TV, which is a smart TV. It gets regular updates, so I assume and hope that any discovered security flaws get fixed too.
The Raspberry Pis I have are my own responsibility.

I also do not like the term. It is as if the person who invented it has a restricted vocabulary.

How about ICDs? Internet Connected Devices.
I prefer to think of it as IoDP: Internet of Default Passwords
 
A camera with ipv6? Sure! 1Gb/full duplex connection? why not! What other shit can we throw on there? How about a telnet server? Can we squeeze a few backdoor usernames, you know, for 'patching'? Let's make it do dns queries and phone home to stuff we'll take offline! Moar cloud! Moar ipv6 addresses!
 
Here's an IoT self scanner

http://iotscanner.bullguard.com/

(It doesn't actually scan - it just checks if your IP is already listed)

I have port 80 open for something, but if you go to it, it just goes to a placeholder page, so it seems to think that it's an IoT device. I'm guessing this is nothing more than just a port scanner. Still useful though if you want to double-check if you have anything accessible from the outside.

Which got me thinking, it would be neat to set up a site where it does a full nmap of your IP and emails you the results (it can take a while to do a full scan). Wonder if there are any legal repercussions to setting something like this up.
 
I have port 80 open for something, but if you go to it, it just goes to a placeholder page, so it seems to think that it's an IoT device. I'm guessing this is nothing more than just a port scanner. Still useful though if you want to double-check if you have anything accessible from the outside.

Which got me thinking, it would be neat to set up a site where it does a full nmap of your IP and emails you the results (it can take a while to do a full scan). Wonder if there are any legal repercussions to setting something like this up.

They also have the deep scanner:
http://iotscanner.bullguard.com/deep-scan/
 
Here's an IoT self scanner

http://iotscanner.bullguard.com/

(It doesn't actually scan - it just checks if your IP is already listed)

That message in orange is concerning though. How does the Shodan indexing work?

Thanks guys. I have IP cameras but don't expose them to the net and have changed the default passwords. I also have a couple of NASes, but with the latest OS and security updates, and they are also not accessible over the net.


Xiongmai recalls 4 million IP cameras after DDoS attack.

http://time.com/4543930/china-firm-webcam-recall-cyberattack-xiongmai/

Researchers at the New York-based cybersecurity firm Flashpoint said most of the junk traffic heaped on Dyn came from internet-connected cameras and video-recording devices that had components made by Xiongmai. Those components had little security protection, so devices they went into became easy to exploit.

In an acknowledgement of its products’ role in the hack, Xiongmai said Monday that it would recall products sold in the U.S. before April 2015 to demonstrate “social responsibility.” It said products sold after that date had been patched and no longer constitute a danger.

Liu Yuexin, Xiongmai’s marketing director, said in an interview on Tuesday that Xiongmai and other companies across the home surveillance equipment industry were made aware of the vulnerability in April 2015. Liu said Xiongmai moved quickly to plug the gaps and should not be singled out for criticism.

“We don’t know why there is a spear squarely pointed at our chest,” Liu said.
 
“We don’t know why there is a spear squarely pointed at our chest,” Liu said.

I actually agree with them, to a point. The problem is the lesson I learned in programming class: don't allow your users to do stupid stuff. All they need to do on future models is require a password change the moment you connect to the device...like literally not let the user get into the settings without providing the webcam with a new password. People constantly have problems with hacks & stuff like this because they don't change their default Linksys password from admin/admin to something else. The problem is, most people are not technical enough to know that they should do that, therefore the company does have a social responsibility to tweak the software to stupid-proof it. Same with email...imo 2FA should be required on everything. Mandatory quarterly password changes should be required. Amazon, Gmail, Outlook, Hotmail, Yahoo, you name it. Force your customers to protect themselves.
 
My SmartTV actually got infected by a "free movie" app on the Samsung store. I detected the traffic on my Juniper firewall a few weeks ago and ended up resetting the TV.

Wonder if something similar was the entry-point on other devices.
 
I actually agree with them, to a point. The problem is the lesson I learned in programming class: don't allow your users to do stupid stuff. All they need to do on future models is require a password change the moment you connect to the device...like literally not let the user get into the settings without providing the webcam with a new password. People constantly have problems with hacks & stuff like this because they don't change their default Linksys password from admin/admin to something else. The problem is, most people are not technical enough to know that they should do that, therefore the company does have a social responsibility to tweak the software to stupid-proof it. Same with email...imo 2FA should be required on everything. Mandatory quarterly password changes should be required. Amazon, Gmail, Outlook, Hotmail, Yahoo, you name it. Force your customers to protect themselves.
Hah, spear, to a point.

And how about no on that two-factor thing. Also the quarterly reset thing, I already have to do that and you know what I (and pretty much everyone else) do every single time? XXXXXX1, then next time it's XXXXXX2, and so on until it lets me reuse XXXXXX1. All it does is annoy users while marginally increasing password complexity. Policies that work will help without getting in the way, like how routers these days come with a preset password that's unique and in big print on the side of the unit.
 
My SmartTV actually got infected by a "free movie" app on the Samsung store. I detected the traffic on my Juniper firewall a few weeks ago and ended up resetting the TV.

Wonder if something similar was the entry-point on other devices.

That's one of the things that scares me about putting Android in everything...massive security risks. Viruses, malware, botnets, you name it. As much as everyone complains about iOS being a walled garden, at least you can't download a fake free version of Angry Birds from Russia and get charged in a scam attack.
 