Mirai Botnets (level3.com)
108 points by _jomo on Oct 18, 2016 | 36 comments


IANA Security Expert, but simple advice from Krebs:

>Anyone looking for an easy way to tell whether any of your network ports may be open and listening for incoming external connections could do worse than to run Steve Gibson's "Shields Up" UPnP exposure test.

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things...

Another thing to remember... ALL IoT devices have admin credentials, it's just a matter of whether or not they can be connected to, whether the credentials are compromised, and whether the device is susceptible to brute force.


The main take-aways are: 1) Use a firewall between your Internet connection and your IoT devices, and 2) disable UPnP support on your firewall.

It's disturbing how many devices enable telnet and/or ssh by default, make it difficult or impossible for a user to actually change the default password, and subvert firewalls using P2P protocols. At the end of the day, to secure your network you really do need to run nmap regularly against your subnet checking for devices with open ports, and tcpdump between your gateway and your devices, monitoring what connections they are actually making.

For ordinary users, the situation is truly hopeless. They are pwned by default if they buy into IoT.
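Added example for the "run nmap regularly against your subnet" advice above (not code from the thread or from nmap itself): a small parser for nmap's greppable output that flags any LAN host with telnet, ssh or SSDP/UPnP open. The scan text embedded in it is constructed for the example, and the port list is an assumption based on what this thread worries about (Mirai's scanner probes 23 and 2323; 1900/udp is UPnP discovery).

```python
"""Flag LAN hosts that expose the services the thread worries about.

Parses nmap's greppable output, i.e. what you get from something like
    nmap -sS -sU -p T:22,23,2323,U:1900 -oG lan.gnmap 192.168.1.0/24
The scan text below is constructed for the example, not a real scan.
"""
import re
from collections import defaultdict

# 23 and 2323: telnet and the alternate telnet port Mirai's scanner also probes.
# 22: ssh.  1900/udp: SSDP, the UPnP discovery service.
WATCH_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet-alt", 1900: "upnp-ssdp"}

# Constructed sample of nmap -oG output. Fields on a line are tab-separated,
# port entries are "port/state/proto/owner/service/rpc/version/".
SAMPLE_GNMAP = (
    "# Nmap 7.01 scan initiated as: nmap -sS -sU -p T:22,23,2323,U:1900 -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, "
    "1900/open/udp//upnp///\tIgnored State: closed (1)\n"
    "Host: 192.168.1.23 ()\tStatus: Up\n"
    "Host: 192.168.1.23 ()\tPorts: 23/open/tcp//telnet///, 2323/open/tcp//3d-nfsd///\t"
    "Ignored State: filtered (2)\n"
    "Host: 192.168.1.42 ()\tStatus: Up\n"
    "Host: 192.168.1.42 ()\tPorts: 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(")
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")   # port/state/proto/...


def parse_gnmap(text):
    """Return {ip: {(port, proto): state}} from nmap -oG text."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and blanks
        ip = m.group(1)
        fields = {}
        for field in line.split("\t"):    # "Host: ...", "Ports: ...", "Ignored State: ..."
            key, sep, value = field.partition(": ")
            if sep:
                fields[key] = value
        for entry in fields.get("Ports", "").split(", "):
            pm = PORT_RE.match(entry.strip())
            if pm:
                port, state, proto = int(pm.group(1)), pm.group(2), pm.group(3)
                hosts[ip][(port, proto)] = state
    return dict(hosts)


def exposed_hosts(hosts):
    """Hosts with at least one watched port open -> sorted list of exposures."""
    findings = {}
    for ip, ports in hosts.items():
        hits = sorted(
            f"{proto}/{port} ({WATCH_PORTS[port]})"
            for (port, proto), state in ports.items()
            if state == "open" and port in WATCH_PORTS
        )
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in exposed_hosts(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{ip}: {', '.join(hits)}")
```

Run it against a file instead of the sample by feeding `open("lan.gnmap").read()` to `parse_gnmap`; a host that shows up with `tcp/23` or `tcp/2323` open is exactly the kind of device Mirai recruits, and `udp/1900` on the gateway itself means UPnP is still answering.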


"For ordinary users, the situation is truly hopeless. They are pwned by default if they buy into IoT."

When was it ever different? This is just a repeat of the "buy anti-virus" phase of Windows, which wasn't sufficiently hammered home that it basically failed. No doubt there will be some responsible IoT manufacturers that address the vulnerabilities, but IMO, not many, and the market isn't exactly demanding of 'secure amazon buttons' - in fact there will be devastation because the manufacturers won't give a flying fuck about security as they stamp out thousands of pieces a day with default passwords in their factories.

If ever there was a use case for ipv6 then I suggest this is it. Sadly we aren't going to get there in time to stop a new wave of botnets. Who do I blame for the failure to properly roll out ipv6?

gotta love some of those domain name lolz

imscaredaf.xyz swinginwithme.ru santasbigcandycane.cx


> If ever there was a use case for ipv6 then I suggest this is it. Sadly we aren't going to get there in time to stop a new wave of botnets. Who do I blame for the failure to properly roll out ipv6?

I'm not sure I follow - what exactly about IPv6 improves the situation?

In the current IPv4 home network world, devices are all given private IPv4 addresses, and sit behind a NAT overloading gateway, and the only way those hosts can be directly addressed is if ports are specifically forwarded to those hosts, or if the gateway is running some service to automatically forward ports on demand (UPnP).

In IPv6, devices are all given globally routable addresses, and are hopefully sitting behind a gateway with stateful filtering, and the only way these hosts can be directly addressed is if the ports are specifically opened to those hosts, or if the gateway is running some service to automatically open ports on demand (If it doesn't exist already, it will soon enough).

IPv6 is a solution to a limited number space. Last I checked, it doesn't actually solve anything else. If I'm wrong, I would love to know how though, new emerging technologies often have elements of misinformation spreading, so if I'm guilty here, I definitely want to know how and why.
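Added example, not from the thread: what the "stateful filtering" the comment hopes for looks like as an nftables ruleset on a home IPv6 gateway. The interface names wan0 and lan0 are assumptions. With `policy drop` on the forward chain, a globally addressed device on lan0 is reachable from the outside only for flows it started itself; the commented line is the weak setting that makes the gateway the IPv6 equivalent of forwarding every port to every host.

```nftables
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # ICMPv6 is not optional on v6: neighbour discovery and router
        # advertisements stop working if it is dropped.
        meta l4proto icmpv6 accept
        iifname "lan0" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Errors about existing flows (path MTU discovery) must get through.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Devices on the LAN may open connections outward; nothing comes in unsolicited.
        iifname "lan0" oifname "wan0" accept
        # Weak variant: a blanket rule such as the following exposes every
        # globally addressed device behind the gateway, which is the v6
        # equivalent of forwarding all ports.
        # iifname "wan0" oifname "lan0" accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. The point the comment makes holds: the protection comes from the stateful `policy drop`, not from the address family, and anything that automates "open port on demand" (the v6 counterpart of UPnP) punches the same hole.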


The average user is worried about their laptop. The idea of their laptop being hacked is worrisome because they keep personal information on it and it's a somewhat personal possession. So anti-virus gets some play.

The average user doesn't care about their VCR. The average user won't set the time on their VCR much less set a password. In fact, I don't care about my VCR or my light bulbs or whatever dumb thing someone decides should have the capacity to be on the Internet (except I care enough not to knowingly buy such things but in the future may unknowingly buy the stuff). If someone manufactures Trojans to put in people's homes and it causes other people problems, it shouldn't be my problem.


Average users have a VCR? How would it work if they don't set the time on it?

You bought (whatever) it (is) - so that becomes your problem. The average user falls for the marketing of "your app controls your fried chicken" bullshit and buys the IoT chicken fryer. So you won't buy that fryer. Good for you.


>Average users have a VCR? How would it work if they don't set the time on it?

Just fine, actually.

https://en.wikipedia.org/wiki/Blinking_twelve_problem


The manufacturers of these devices are selling faulty products. If their products are dangerously insecure, they should face repercussions.


The manufacturer might be in another country or bankrupt. You should go after the user and then he might go after the manufacturer or his insurance if he wants.

But on more realistic terms, my hope is that if this gets really bad, then a consortium of huge internet firms can start blacklisting bad IPs. If John-Random-Guy can't connect to google/facebook/akamai/etc then for sure he'll at least unplug the device


How about (3) don't ship devices with default passwords ever or face public flogging.

Of course this will not change until users care about privacy and security and include it in buying decisions. I'm not holding my breath.


If you let users change passwords, they'll forget them, and call support. So you don't let them. DDoS doesn't generate support requests.


You could generate a unique default password for each device and then also print the password on a sticker that you put on the device. That's what some high-end routers do for their default wifi PSK and admin password.

Of course that's probably also the most expensive option...
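Added example, not any vendor's provisioning code, for the per-device sticker password described above and for the brute-force point raised earlier in the thread. Each unit gets an independent random password from the OS CSPRNG on the production line and stores only a salted PBKDF2 hash, so neither the firmware image nor a leaked factory database yields a reusable cleartext; the password is deliberately not derived from the MAC or serial, because once such an algorithm is recovered from firmware every unit is back to a shared default. The alphabet, length, iteration count and lockout parameters are assumptions chosen for illustration.

```python
"""Per-device factory credentials with a sticker-friendly format, a
hash-only stored record, and an online brute-force throttle."""
import hashlib
import hmac
import secrets

# Sticker-friendly alphabet: no 0/O or 1/I/l confusion. 32 symbols = 5 bits each.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
PASSWORD_LEN = 12                 # 60 bits of entropy, printed as 3 groups of 4
PBKDF2_ITERATIONS = 20_000        # assumption: tune to ~0.1 s on the device's SoC


def generate_sticker_password():
    """Independent random password for one unit (never derived from MAC/serial)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def format_for_sticker(password):
    return "-".join(password[i:i + 4] for i in range(0, len(password), 4))


def provision_device(serial):
    """Run once per unit on the line. Returns the sticker text and the record
    written to the unit's config partition; the record holds no cleartext."""
    password = generate_sticker_password()
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = {
        "serial": serial,
        "salt": salt.hex(),
        "pbkdf2_sha256": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }
    return format_for_sticker(password), record


def verify_login(record, attempt):
    """Device-side check. Tolerates the dashes and lowercase a user may type."""
    normalised = attempt.replace("-", "").upper().encode()
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", normalised, salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["pbkdf2_sha256"]))


class LoginGuard:
    """Per-source throttle so the unique password cannot be brute-forced online
    either: after MAX_FAILURES failures a source is refused for LOCKOUT_SECONDS
    after its last failure, without running the KDF. `now` is passed in so the
    logic is testable without a clock."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 60

    def __init__(self):
        self._failures = {}           # source -> (failure count, last failure time)

    def attempt(self, record, source, password, now):
        count, last_failure = self._failures.get(source, (0, 0))
        if count >= self.MAX_FAILURES:
            if now - last_failure < self.LOCKOUT_SECONDS:
                return False          # locked out; even the right password is refused
            count = 0                 # lockout expired, start counting again
        if verify_login(record, password):
            self._failures.pop(source, None)
            return True
        self._failures[source] = (count + 1, now)
        return False


if __name__ == "__main__":
    sticker, record = provision_device("SN-000001")   # constructed serial
    print("sticker:", sticker)
    print("stored :", record)
    print("login  :", verify_login(record, sticker.lower()))
```

The lockout is keyed on the source address, which is what a Mirai-style scanner looks like from the device's side; a global lockout would instead let any scanner lock the legitimate owner out. The cost concern in the comment is real but is on the packaging side (a unique label per unit), not in the firmware: the code path above is the same for every device.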


For those interested a couple weeks ago I did a source code review and write-up: "Mirai (DDoS) Source Code Review"

https://medium.com/@cjbarker/mirai-ddos-source-code-review-5...


The IoT is a disaster in slow-motion, and outside of highly technical circles, it seems to be one that is totally invisible.


These devices, when taken as a whole, will be largely vulnerable and there will be enough of them to carry-out enormous DDoS attacks. Our toasters are gonna take down the Internet.


This is not the rise of the machines that I think anyone was expecting, although I suspect Futurama gave us a bit of preview. DDOS'ed by a toaster... the future is weird.


> there are enough of them to carry-out enormous DDoS attacks

Fixed that for you.


No there aren't. "Enormous" would be 15 million conficker nodes hitting someone, not a shitty 500k node "IoT" net.


5 million conficker nodes hitting someone

I can't be the only person who moaned out loud at that notion, and who also sees no way to stop it. People so often need to be burned to learn about fire, but in this case owning an IoT item is unlikely to burn the owner.

I don't see a good solution to this, that is likely to actually happen, unless as another person said, ISPs just start blacklisting people with compromised IoT devices.


Why can't Google/Apple/FB et al get together and start blacklisting them? If it gets bad enough, that might be the only chance (good luck getting a random Moldovan ISP to blacklist their spammers)


Maybe because almost everyone is infected with some sort of malware?


Relevant Joy of Tech web comic titled: "The Internet of Ransomware Things"

http://www.geekculture.com/joyoftech/joyarchives/2340.html

just became a patron myself patreon.com/joyoftech


Sounds like a scene right outta PKD's "Ubik" (the AI door that wanted payment for each entry).


I think ISPs are going to start shutting off the internet accounts of people with compromised devices.


Not until there's a profit motive for them to do so.

What're ISPs more likely to do: Boot off a regular monthly paying customer because they're a "bad network citizen"? Or just charge them for any excess bandwidth they consume each month?

I suspect if some of the big CDNs start blocking ip address ranges that're sending large volumes of forged-source ip packets, ISPs will respond to customer complaints of "I can't load $website because Akamai/Cloudflare/PornHubCDN have blocked you!" (Not that this would have helped the Mirai L7 DDoS against Krebs...)

It's hard to work out how to fix this, without somehow ending up on the slippery slope of "All ISPs need to do deep packet inspection and traffic analysis of every user's network use, to be able to block suspected-compromised customer devices". (And remember, as soon as we _require_ ISPs to record/store/analyse that, it's going to get sold on to whoever else thinks they can extract value from it - advertisers, marketers, credit reporting agencies, insurance companies - I'm sure if you put your "evil monetization ideas" hat on you can think of a _big_ list of businesses you'd try to sell access to that data stream to...)


What if that's 10% or more of their customer base? I doubt they are willing to lose the revenue.


ISPs could at least give customers warnings that they have been compromised. Not everybody will heed those warnings of course...


That's still the only thing that I can imagine connecting the harm done by the IoT, to the owners of IoT devices.


It's not clear that customers should be held responsible. Maybe UL should look into this.


At some point surely the people who are not willing to pay for security, cannot be bothered with security, yet will buy IoT crap have to take some responsibility? After all, they are the market which is being catered to.


At least in the US that's not how any other product category works. People have offloaded all safety and security concerns to the government or the market so that it's just assumed that any mass-produced product is safe enough and customers don't need to worry about it.


A lot of places try to manage that by holding retailers responsible - making it a fine-able offence to sell, for example, RF emitting gear that breaks local regulations. This _kinda_ works where most of the retailers are concerned about their reputation and are in the local jurisdiction, but breaks down _fast_ when things like AliExpress are taken into account.

(And it even occasionally fails spectacularly in cases where it _ought_ to have worked OK - people offloading lithium battery charging safety to large locally represented brands like Samsung instead of self-importing Xiaomi or Doogee "brand" phones directly from China...)


IoT is no more of a disaster than the computers we have today. The IoT botnets are a complete joke compared to actually big botnets consisting of desktop computers, they just haven't been used for DDoS attacks.


>Level 3 Threat Research Labs will continue to identify and track developments in these botnets

but not take any action against the actual source of the traffic, the ASes that host bots with static IPs.

>We will also work with hosting providers and domain registrars to block traffic to these C2s

but again not do anything to close the source of the problem. L3 admits they have a list of ~500K static IPs with bots behind them; they aren't blocking or reporting those. Why? Because traffic is traffic and they are in the business of selling pipes?


How bad are Ubiquiti devices, and what is the state of security and firmware updates for them? I was thinking about switching to a Ubiquiti AmpliFi home router from TP-Link partly out of concern for this, and was hoping that their firmware and security updates would be a little more on-point. But one of their routers is on this list...


How many remember the Smurf Attack (https://en.wikipedia.org/wiki/Smurf_attack)?

I remember claims that this type of attack was fixed forever. But physics doesn't change... Easily.




