Attacks On The Internet Keep Getting Bigger And Nastier

We NEED every single one of these devices to have a randomly generated default password. I'd like them to also be intrinsically locked down from accessing more than a few websites, each of which has to be manually approved by their owner.

Why on earth would my IP cam need unfettered access to the internet?
 
We NEED every single one of these devices to have a randomly generated default password. I'd like them to also be intrinsically locked down from accessing more than a few websites, each of which has to be manually approved by their owner.

Why on earth would my IP cam need unfettered access to the internet?

So attacks like this can happen.
 
Dunno what you are talking about, but usenet is alive and well.... Maybe not in its original form though, but it's FAAAAR more useful/safer than torrents hope to be. Max my download bandwidth over an SSL tunnel, and never uploading a thing, so no getting burned for 'sharing'.
My gawd people still use that archaic system? I guess I should not be surprised if IRC is still around.
 
We NEED every single one of these devices to have a randomly generated default password. I'd like them to also be intrinsically locked down from accessing more than a few websites, each of which has to be manually approved by their owner.

Why on earth would my IP cam need unfettered access to the internet?

If you only access your IP cam on your home network, then leave the default gateway blank or put in a fake IP address.
This will stop your IP camera (or any other device like a printer) from being able to access the internet, or being accessed from the internet.
 
Maybe we need a simple way to isolate home LANs from the internet. Not just a firewall; something more physical. I have a printer, NAS and security cameras on my LAN. They're behind a firewall, but I'd love to isolate them further. VLAN is the closest thing I could find and that doesn't look ideal. Then again they all need firmware and software updates from time to time. Tough little problem. I guess we just need better firewalls?

It's called a physically separate network. If that network must have internet connectivity, then the port that connects to the internet on the separate LAN side should have to bridge or otherwise route to the LAN with internet connection, then pepper that separate LAN connection with firewall rules to allow only the absolute necessary activities across the two networks, but should otherwise not allow routing to the devices from the outside world to the separate LAN. This would allow you to just unplug a network cable if there are concerns for the separate LAN.

There is a device in the commercial/industrial HVAC world called a JACE that has two Ethernet ports on it, but you cannot route traffic from one port to the other. This forces the tech to pick a port to use for a network connection point for the JACE. The other port ends up being used for a different purpose (typically for an HVAC communication protocol that is passed over Ethernet, or a computer that doesn't require being able to see what is going on over at the other port). A similar trick can apply, but it requires some setup to do.
 
We NEED every single one of these devices to have a randomly generated default password. I'd like them to also be intrinsically locked down from accessing more than a few websites, each of which has to be manually approved by their owner.

Why on earth would my IP cam need unfettered access to the internet?

No, we NEED for these companies to force the end user to change the damn password the first time it is powered up.

The reason that IP cam "needs" unfettered access to the internet is because too many people are too lazy to RTFM, then bitch and moan on why it doesn't work out of the box because it's locked out out of the box. Too many lazy people...
 
A friend of mine made a case of how great it is to have an app for their AC unit and make it do stuff when they're not home. I laughed. Probably part of the botnet
 
I'm not a programming person but how hard would it be to code these devices to make a user/password change after initial start up. If no change then render them inoperable?

The real question is Why is all this happening? Well your election results were just uploaded to the interwebs and the timer will go off at the appointed time for a win to the highest bidding candidate. America has been held hostage.
 
Yeah, I don't want my tax dollars to be going towards housing/food/clothing/education/entertainment/medical, etc for these idiots.

Hang them I say.
I explained this already, but I'll keep doing it until it penetrates everyone's skull no matter how thick it is.

If you make offenses posing minor risk punishable by death, then there is no bigger punishment you can use as a deterrent for more serious violent crimes. If you go WHAM death sentence to everything, then minor offenders will have no problem escalating their crimes to elude capture and avoid the death sentence. They'll have nothing to lose.
 
My gawd people still use that archaic system? I guess I should not be surprised if IRC is still around.

Like I said, not in its original form. It's now no more archaic than torrents, but much much much much much more secure. You grab the NZB file and feed it to your downloader, instead of grabbing a torrent file and feeding it to your torrent client... Plus there is open source software to automate the searching/downloading/tagging. Add items to search for, when it finds them it downloads automatically.
 
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams

I read a piece on this once. All the manufacturers were chomping at the bit to get everything "connected", but with little to no provisions for implementing security. It's not that security would be all that hard to implement, it's that nobody wanted to enter a password to set the thermostat, enter a password to start their car, enter a password to dim the lights, enter a password to check on the baby, enter a password to access any of this not very well thought out technology. And what's happening now is precisely what they said would happen.

It's not so much "educate people that they need to change the default password" as it is "force people to actually USE a password every time they access the device". I don't know about you, but I wouldn't enter a password to dim the lights. I might on a thermostat if it was more sophisticated than the (non-connected) one I have now- but I still manually bump that thing up or down a couple of degrees pretty often even when it's running the program. If I had to enter a password, not sure the juice would be worth the squeeze.
 
I read a piece on this once. All the manufacturers were chomping at the bit to get everything "connected", but with little to no provisions for implementing security. It's not that security would be all that hard to implement, it's that nobody wanted to enter a password to set the thermostat, enter a password to start their car, enter a password to dim the lights, enter a password to check on the baby, enter a password to access any of this not very well thought out technology. And what's happening now is precisely what they said would happen.

It's not so much "educate people that they need to change the default password" as it is "force people to actually USE a password every time they access the device". I don't know about you, but I wouldn't enter a password to dim the lights. I might on a thermostat if it was more sophisticated than the (non-connected) one I have now- but I still manually bump that thing up or down a couple of degrees pretty often even when it's running the program. If I had to enter a password, not sure the juice would be worth the squeeze.


So make the password only required for remote access/admin functions. Actual commands done on the physical interface should not need a password. If someone has physical access to the device, security is a moot point anyway for the most part.
 
I'm not a programming person but how hard would it be to code these devices to make a user/password change after initial start up. If no change then render them inoperable?
As a programmer, I can answer this one: it's trivial. Seriously.
 
people are getting bigger and nastier also. wonder if the two are related.
 
As a programmer, I can answer this one: it's trivial. Seriously.


Sounds like a developer with no concern over user experience. Finding the middle ground between security/user experience is the problem, and most companies are sliding all the way to user experience with no security. No one will want to put in a password every time they try and use the input on any of the devices, but a password shouldn't be required with physical access, just remote/admin functions. And it should force changing the default password, or set a unique default password that is on a sticker on the device itself.
 
Someone please explain to me why do we need to connect stuff like fridge or kettle to internet ?
 
Someone please explain to me why do we need to connect stuff like fridge or kettle to internet ?

Well, like most things you don't NEED to have them. You also don't need running water, electricity, internet, a car.. Those are all things that you choose to have to be part of the normal civilized world. As for the things you listed in your question. Convenience. By having a fridge connected to the internet you can know if you forget to close the door by having it notify you (I assume they will do that), or see what you have. Sure this seems silly or pointless but I bet if you have ever had to throw out everything in your fridge or freezer because somebody forgot to close a door you would change your mind. A coworker had to toss out a freezer full of 2 deer and 1/2 a cow because one of her kids went to get an ice cream bar one night during the summer and forgot to close the lid on a Friday night. They found it open Sunday morning. I bet you if you gave them the option of having a way to know that the lid was open they would have liked that. The camera feature is also nice if you are at the store and wondering if you need something because you see it on sale or just can't remember if you have any of some special item for a recipe you decided to make while at the store. These are minor things but it still is a nice thing to have in some cases if you can afford them.

For other kitchen appliances they all still have their levels of convenience. For a kettle, you can turn it on or off remotely. I know a person that programmed their coffee pot to turn on when they get up and start to move around in the morning. That way when their wife gets out of the shower she has a pot of coffee ready for her. Can do the same with a kettle for tea, or if you are warming water for anything else like that. You can also make sure that you turned that stuff off. Same goes for a stove / oven. You can make sure that you turned it off, or in the case of an oven when you are on your way home from work you could set the oven to start to preheat itself before you get home so that as soon as you get in the door you can toss dinner in and have the oven already be at the correct temp instead of waiting another 10 or so minutes. Which normally isn't going to be that big of a deal but if getting home at 8pm because the kids had a lot going on after school that 10 minutes is 10 minutes faster that you can get them fed and to bed.

It's no different than being able to control anything else in your house. It all comes down to having more convenience, which is the reason you have most stuff in your house. You don't need a fridge to start with. People got away with having ice boxes for a long time. But having a fridge saves you the hassle of having to get a huge block of ice all the time and keep the ice box filled. You can also control the temp a lot better with a fridge than you can with an ice box.
 
We NEED every single one of these devices to have a randomly generated default password. I'd like them to also be intrinsically locked down from accessing more than a few websites, each of which has to be manually approved by their owner.

Why on earth would my IP cam need unfettered access to the internet?
We also need better traffic detection for IOT devices instead of treating them all like users.

Things like this happen every time there is a shift in user technology whether it be hardware or software. These aren't common occurrences but they do suck.
 
I read a piece on this once. All the manufacturers were chomping at the bit to get everything "connected", but with little to no provisions for implementing security. It's not that security would be all that hard to implement, it's that nobody wanted to enter a password to set the thermostat, enter a password to start their car, enter a password to dim the lights, enter a password to check on the baby, enter a password to access any of this not very well thought out technology. And what's happening now is precisely what they said would happen.

It's not so much "educate people that they need to change the default password" as it is "force people to actually USE a password every time they access the device". I don't know about you, but I wouldn't enter a password to dim the lights. I might on a thermostat if it was more sophisticated than the (non-connected) one I have now- but I still manually bump that thing up or down a couple of degrees pretty often even when it's running the program. If I had to enter a password, not sure the juice would be worth the squeeze.
It is possible to just log into the app and forget about it, or if you have physical access to the device not to require a password. Or whitelist the device by requiring a password / two factor authentication for the first time. The problem is that these devices allow access from any corner of the internet (not even a whitelisted device) to the ROOT of the device (all the administration options that even the regular user would not use) with a default password that is the same not only on the same model of device, but all devices that use the same hardware. It's like having a password on your PC user account, but then the administrator account is "admin" and password is "admin". I don't need to enter a password every time I use the app for my Logitech harmony remote, but it also does not allow anyone to log in from the internet on the telnet port and update the firmware. Manufacturers wanted to get their devices onto the market asap, so here we have the results of cost-cutting. It's the same as all those smart cars (like Jeep) that had barely any security features and allowed quite easy access to the car's hardware that a normal user wouldn't even need.
 
More accurately priorities, in this case convenience in the home took priority over access to the web. I'd forgo more convenience in the home for a better network connection.

Sorry could you explain that? How does your coffee pot being wifi enabled affect what type of internet service you get to your home? I think you are trying to argue a different point than what I was replying to.
 
Sorry could you explain that? How does your coffee pot being wifi enabled affect what type of internet service you get to your home?
Well my phrasing about a better network connection wasn't the best, but I was suggesting that wifi coffee pots increase network congestion, both through their normal use and through their compromised use as part of a botnet. I'm willing to poop manually, as they say, to keep my pings low.
 
Sounds like a developer with no concern over user experience. Finding the middle ground between security/user experience is the problem, and most companies are sliding all the way to user experience with no security. No one will want to put in a password every time they try and use the input on any of the devices, but a password shouldn't be required with physical access, just remote/admin functions. And it should force changing the default password, or set a unique default password that is on a sticker on the device itself.
Sorry, I was just answering the question of "how hard would it be to implement." Designing it, on the other hand, could be very tricky. Forcing a password reset on first use is certainly low-hanging fruit. But you don't need to force a login every time the user wants to change something--you can just use a web interface and long-life cookies to store the login.
 
Sorry, I was just answering the question of "how hard would it be to implement." Designing it, on the other hand, could be very tricky. Forcing a password reset on first use is certainly low-hanging fruit. But you don't need to force a login every time the user wants to change something--you can just use a web interface and long-life cookies to store the login.

Then you are in the same issue if the computer storing the long-life cookie is compromised and attacker uses that to gain access to the device. I have zero problem forcing a password every time a user logs on a web interface, that's just basic security. But if it's a thermostat or fridge (not that I would want any stupid IOT devices like that) a password shouldn't be required for basic functions when you have physical access.
 
Then you are in the same issue if the computer storing the long-life cookie is compromised and attacker uses that to gain access to the device. I have zero problem forcing a password every time a user logs on a web interface, that's just basic security. But if it's a thermostat or fridge (not that I would want any stupid IOT devices like that) a password shouldn't be required for basic functions when you have physical access.

Define physical access. Do you mean such as you are setting the temp at the thermostat or are you logging into the device directly through your laptop by running a cat 5 from the laptop into the fridge and removing it from the network for a moment? Because it sounds like you are trying to argue for both sides. Based on your statement it sounds like you want it so that if I connect my laptop up to my fridge I shouldn't be required to enter a password to access the web interface or SSH interface or whatever it might have. However the laptop shouldn't store a password as that is insecure. But if you don't require a password to start with when connected to it via your laptop you are just as insecure as you have the exact same issue.
 
Define physical access. Do you mean such as you are setting the temp at the thermostat or are you logging into the device directly through your laptop by running a cat 5 from the laptop into the fridge and removing it from the network for a moment? Because it sounds like you are trying to argue for both sides. Based on your statement it sounds like you want it so that if I connect my laptop up to my fridge I shouldn't be required to enter a password to access the web interface or SSH interface or whatever it might have. However the laptop shouldn't store a password as that is insecure. But if you don't require a password to start with when connected to it via your laptop you are just as insecure as you have the exact same issue.

Physical access - I'm physically touching the device, no password required.
WebGUI or any other remote access including SSH - password required every time you connect as this allows config changes/admin functions.
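
An added example, not part of any post in this thread and not any vendor's firmware: a small Python model of the policy the posts above converge on (a unique per-unit default password on a sticker, a forced change before remote admin works, no password for physical controls, a password for every remote session). The `Device` class, its method names, the 12-character minimum and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: illustrative work factor
MIN_LENGTH = 12           # assumption: minimum length for the owner's password
MAX_FAILURES = 5          # assumption: remote lockout threshold


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """Hypothetical account model for one connected thermostat."""

    def __init__(self):
        # Factory step: every unit gets its own random password (the sticker),
        # so one leaked default does not open every unit of the same model.
        self.sticker_password = secrets.token_urlsafe(9)
        self._salt = secrets.token_bytes(16)
        self._digest = derive(self.sticker_password, self._salt)
        self.must_change = True    # cleared only by a successful change
        self.failures = 0          # consecutive bad remote passwords
        self.setpoint = 20

    def _authenticate(self, password: str) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"        # stops password guessing over the network
        if not hmac.compare_digest(self._digest, derive(password, self._salt)):
            self.failures += 1
            return "denied"
        self.failures = 0
        return "ok"

    def change_password(self, old: str, new: str) -> str:
        result = self._authenticate(old)
        if result != "ok":
            return result
        if len(new) < MIN_LENGTH or new == old:
            return "rejected"
        self._salt = secrets.token_bytes(16)
        self._digest = derive(new, self._salt)
        self.must_change = False
        return "ok"

    def local_set(self, value: int) -> str:
        """Buttons on the unit itself: physical access, no password."""
        self.setpoint = value
        return "ok"

    def local_unlock(self) -> str:
        """Clearing a remote lockout requires touching the device."""
        self.failures = 0
        return "ok"

    def remote_admin(self, password: str, action: str, value=None) -> str:
        """Web GUI / SSH style access: password on every call."""
        result = self._authenticate(password)
        if result != "ok":
            return result
        if self.must_change:
            # The sticker password only unlocks the change-password step.
            return "change-password-first"
        if action == "set":
            self.setpoint = value
            return "ok"
        return "unknown-action"


if __name__ == "__main__":
    d = Device()
    print(d.remote_admin("admin", "set", 30))             # guessed default
    print(d.remote_admin(d.sticker_password, "set", 30))  # sticker, unchanged
    print(d.change_password(d.sticker_password, "correct horse battery"))
    print(d.remote_admin("correct horse battery", "set", 18))
```
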
 
Then you are in the same issue if the computer storing the long-life cookie is compromised and attacker uses that to gain access to the device. I have zero problem forcing a password every time a user logs on a web interface, that's just basic security. But if it's a thermostat or fridge (not that I would want any stupid IOT devices like that) a password shouldn't be required for basic functions when you have physical access.
If the device is compromised, then it doesn't matter whether the cookies are stored or not--the next time the user connects to the IoT device, you're back in the same situation.

As for physical access....there are days when I want to put our (not-internet-connected) thermostat in a lock box.
 
So, here are a lot of thoughts and responses to this thread:

Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.

This was already answered a few different ways. But what the most common and devastating use of these hacks is to turn any ordinary IoT device into another node from which they can launch Bot Nets and DDoS attacks. They are essentially hijacking your device and internet as an extension of their network. At the least they can use the device to flood other systems with requests or responses or just traffic for DoS or DDoS attacks. Or they might be able to load software on the device that can run programs that connect it up to a Bot Net for even more sinister uses. Normally they don't really give two shits about turning your lights on and off other than to test their ability to control the device.

Here is my question, how is it that people find security holes and exploit them? Have no experience on finding way to exploit security holes, but I am curious on what app or software is being employed? Are these custom software developed by hackers or people with deep knowledge on how OS core was developed?

There are many ways people achieve this. Most of this is a layered approach. For many simple devices the first step is simple brute force password attacks using rainbow tables or the like. That at least will get you access into the system. Then the savvy hacker can usually find out what software version you are using (if they haven't already from other methods). They can then check security bulletins for that software and see if it has any unpatched weaknesses. Then they will exploit those weaknesses to get more access, or carry out whatever schemes they have. It doesn't necessarily require an elite understanding of how OS's or software works, but a good ability to research and find known vulnerabilities and then research how to exploit them.


Maybe we need a simple way to isolate home LANs from the internet. Not just a firewall; something more physical. I have a printer, NAS and security cameras on my LAN. They're behind a firewall, but I'd love to isolate them further. VLAN is the closest thing I could find and that doesn't look ideal. Then again they all need firmware and software updates from time to time. Tough little problem. I guess we just need better firewalls?

Just to reiterate from what some others have suggested, you can put your internal LAN on a physically separate network from your WAN connection. Only connect the WAN when you actually need updates. You can also achieve a similar function via using VLANs and firewalls properly. You can also make rules in regards to MAC connections and when devices can access VLANs etc. There are many ways of achieving a higher level of security and keeping your devices as separate as possible from outside access. One method that used to be pretty popular and is still used in many places is using a proxy where you can download what you need, take it offline, run it through a security checker, and then connect it to your internal network once it's been deemed 'safe' to get the updates and information you need on your separate internal network.

International governments are more interested in getting a hold of other governments' secrets. How can they do that if they take the internet down?

Actually there are many reasons international governments would use DDoS attacks, mostly having to do with eliminating security at the network border, and/or utilizing safety processes against themselves to gain access. There are many ways in which you can leverage DoS or DDoS attacks into creating backdoors.

I'm not a programming person but how hard would it be to code these devices to make a user/password change after initial start up. If no change then render them inoperable?

The real question is Why is all this happening? Well your election results were just uploaded to the interwebs and the timer will go off at the appointed time for a win to the highest bidding candidate. America has been held hostage.

To answer the first question, it is not necessarily that hard to program user/password software. The question is, how strong is that going to be, and how much extra time is it going to take you to vet it. There could be many other features/options/security a company could program into their tools, but every extra addition costs time and money, where do you stop? And who would want to have to login to their refrigerator?

As for why this is all happening, there are many reasons, but they are all related to why anything happens. People are trying to find leverage to advance their agendas. Perhaps someone wants to make a political statement, or an ecological statement, or they are just greedy. This is just another tool that gives them a way to try and achieve their ends.
 
I have a question: I imagine that most people's webcams, thermostats, fridges, etc are connecting to a wireless router and therefore behind NAT. Given this, how are these devices participating in the DDoS attacks? Is there another device on the network that gets compromised, and the attackers use that device as a way onto the LAN to compromise the rest?
 
I have a question: I imagine that most people's webcams, thermostats, fridges, etc are connecting to a wireless router and therefore behind NAT. Given this, how are these devices participating in the DDoS attacks? Is there another device on the network that gets compromised, and the attackers use that device as a way onto the LAN to compromise the rest?

NAT does not protect your devices, it only obscures them. Your router processes information and simply forwards it to your device. It isn't really protecting the device at all. The purpose of NAT is to allow a number of devices to use the same gateway to access another network, not really to protect them from another network. When you connect to sites and programs on the internet, you generally have a direct routed connection between your device and the device on the other end.
 
NAT does not protect your devices, it only obscures them. Your router processes information and simply forwards it to your device. It isn't really protecting the device at all. The purpose of NAT is to allow a number of devices to use the same gateway to access another network, not really to protect them from another network. When you connect to sites and programs on the internet, you generally have a direct routed connection between your device and the device on the other end.
I get that, and I guess I didn't do a good job of phrasing my question. Let me try again: Given these devices are typically behind NAT, how do they get compromised in the first place?
 
I get that, and I guess I didn't do a good job of phrasing my question. Let me try again: Given these devices are typically behind NAT, how do they get compromised in the first place?

I just answered that question. Your device communicates through the router. The router passes on your connection request to the outside. Once that connection is established there is a direct link from that device to your device. NAT really only forwards information from one IP to another. Your individual device is the one making the connection. So unless you have other protections such as firewall rules disallowing connections to be made, there is no real protection from NAT.

So for a specific example. The hackers know your home devices need to phone home for updates. The hackers hijack that link, they now have an active link to your device since it called out unwittingly to some type of honeypot. They then use their knowledge of how updates or information gets passed to your home device and reconfigure it to do their dirty deeds. This is but one way they can compromise them. There are other methods of getting through NAT as well.

EDIT: for more information here.
 
So for a specific example. The hackers know your home devices need to phone home for updates. The hackers hijack that link, they now have an active link to your device since it called out unwittingly to some type of honeypot. They then use their knowledge of how updates or information gets passed to your home device and reconfigure it to do their dirty deeds. This is but one way they can compromise them. There are other methods of getting through NAT as well.

EDIT: for more information here.
So it relies on a MITM attack?
 