Thursday, December 1, 2016

BITAG on the IoT

The Broadband Internet Technical Advisory Group, an ISP industry group, has published a technical working group report entitled Internet of Things (IoT) Security and Privacy Recommendations. It's a 43-page PDF including a 6-page executive summary. The report makes a set of recommendations for IoT device manufacturers:
In many cases, straightforward changes to device development, distribution, and maintenance processes can prevent the distribution of IoT devices that suffer from significant security and privacy issues. BITAG believes the recommendations outlined in this report may help to dramatically improve the security and privacy of IoT devices and minimize the costs associated with collateral damage. In addition, unless the IoT device sector—the sector of the industry that manufactures and distributes these devices—improves device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise that IoT holds.
Although the report is right that following its recommendations would "prevent the distribution of IoT devices that suffer from significant security and privacy issues" there are good reasons why this will not happen, and why even if it did the problem would persist. The Department of Homeland Security has a similar set of suggestions, and so does the Internet Society, both with the same issues. Below the fold I explain, and point out something rather odd about the BITAG report. I start from an excellent recent talk.

I've linked before to the work of Quinn Norton. A Network of Sorrows: Small Adversaries and Small Allies is a must-read talk she gave at last month's hack.lu examining the reasons why the Internet is so insecure. She writes:
The pre­dic­tions for this year from some analy­sis is that we’ll hit seventy-five bil­lion in ran­somware alone by the end of the year. Some esti­mates say that the loss glob­al­ly could be well over a tril­lion this year, but it’s hard to say what a real num­ber is. Because in many ways the­se fig­ures can’t touch the real cost of inse­cu­ri­ty on the Internet. The cost of humil­i­a­tion and iden­ti­ty theft and pri­va­cy trad­ed away. The lost time, the wor­ry. The myr­i­ads of tiny per­son­al tragedies that we’ll nev­er hear about.
These large numbers conflict with estimates from companies as to the cost of insecurity. As I mentioned in You Were Warned, Iain Thomson at The Register reported that:
A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision.

Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.
Note, however, that 0.4% of global corporate revenue is still a whole lot of money flowing to the bad guys. The reason for the apparent conflict is that, because companies are able to use Terms of Service to disclaim liability, the costs fall largely on the (powerless) end user. Norton uses an example:
One media report in the US esti­mat­ed 8,500 schools in America have been hit with ran­somware this year. Now, the rea­son why I think it’s real­ly inter­est­ing to point out the American fig­ures here is this is also a nation­al sys­tem where as of last year, half of all stu­dents in US pub­lic schools qual­i­fy for pover­ty assis­tance. Those are the peo­ple pay­ing the­se ran­somwares. And it’s hard to get a real fig­ure because most schools are hid­ing this when it hap­pens.
Her audience was people who can fix the security problems:
most peo­ple who are pulling a pay­check in this field are not inter­act­ing with the pain that most peo­ple are expe­ri­enc­ing from net­work inse­cu­ri­ty. Because you end up work­ing for peo­ple who pay. ... That high school can’t afford any­one in this room. And that means that so much of this pain and inse­cu­ri­ty in the world isn’t read­i­ly vis­i­ble to the peo­ple who work in the field, who are sup­posed to be fix­ing it.
The potential fixers are not putting themselves in the shoes of those suffering the problem:
Because in the end, one of the con­flicts that comes up over this, one of the rea­sons why users are seen as a point of inse­cu­ri­ty, is because get­ting the job done is more impor­tant than get­ting it done secure­ly. And that will always be in con­flict.
This is where Norton's talk connects to the BITAG report. The report's recommendations show no evidence of understanding how things look to either the end users, who are the ISP's customers, or to the manufacturers of IoT devices.

First, the view from the ISP's customers. They see advertising for, webcam baby monitors or internet-enabled door-locks. They think it would be useful to keep an eye on baby or open their front door from wherever they are using their smartphone. They are not seeing:
WARNING: everyone on the Internet can see your baby!
or:
WARNING: this allows the bad guys to open your front door!
They may even know that devices like this have security problems, but they have no way to know whether one device is more secure than another and, lets face it, none of these devices is actually "secure" compared to things people think of as secure, such as conventional door locks. They all have vulnerabilities that, with the passage of time, will be exploited. Even if the vendor followed the BITAG recommendations, there would be windows of time between the bad guys finding the vulnerability and the vendor distributing a patch when the bad guys would be exploiting it.

They are definitely not seeing a warning on the router they got from their ISP saying:
WARNING: this router gives the bad guys the password to your bank account!
After all, they pretty much have to trust their ISP. Nor are they seeing:
WARNING: This device can be used to attack major websites!
Even if the customer did see this warning, the fate of major websites is not the customer's problem.

Customers aren't seeing these warnings because no-one in the IoT device supply chain knows that these risks exist, nor is anyone motivated to find out. Even if they did know they wouldn't be motivated to tell the end user either prior to purchase, because it would discourage the purchase, or after the purchase, because thanks to Terms of Service it is no longer the vendor's problem.

Expecting end users to expend time and effort fixing the security issues of their IoT devices before disaster strikes is unrealistic. As Norton writes:
If you are sit­ting in this room, to some degree peo­ple are pay­ing you to use a long pass­word. People are pay­ing you to wor­ry about key man­age­ment. If you are a trash col­lec­tor or radi­ol­o­gist or a lawyer, this takes away from your work day.
Second, the view from the IoT device manufacturer. In June 2014 my friend Jim Gettys, who gained experience in high-volume low-cost manufacturing through the One Laptop Per Child project and the OpenWrt router software effort, gave a talk at Harvard's Berkman Center entitled (In)Security in Home Embedded Devices. It set out the problems IoT device manufacturers have in maintaining system security. It, or Bruce Schneier's January 2014 article The Internet of Things Is Wildly Insecure — And Often Unpatchable that Jim inspired are must-reads.

The IoT device supply chain starts with high-volume, low-margin chip vendors, who add proprietary "binary blobs" to a version of Linux. Original device manufacturers (ODMs), again a low-margin business, buy the chips and the software and build a board. The brand-name company buys the board, adds a user interface, does some quality assurance, puts it in a box and ships it. Schneier explains:
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority.
The result is:
the software is old, even when the device is new. For example, one survey of common home routers found that the software components were four to five years older than the device. The minimum age of the Linux operating system was four years. The minimum age of the Samba file system software: six years. They may have had all the security patches applied, but most likely not. No one has that job. Some of the components are so old that they’re no longer being patched.
Because the software is old, many of its vulnerabilities will have been discovered and exploited. No-one in the supply chain has the margins to support life-long software support, quality assurance and distribution. Even it were possible to provide these functions, a competitor providing them would price them selves out of the market. The BITAG recommendations would work in a different world, but in this one the supply chain has no ability nor resources to implement them.

Bruce Schneier recently testified to the House Energy & Commerce Committee, pointing out the reason why, even if the BITAG recommendations were in effect, the problem wouldn't be solved:
These devices are a lower price margin, they’re offshore, there’s no teams. And a lot of them cannot be patched. Those DVRs are going to be vulnerable until someone throws them away. And that takes a while. We get security [for phones] because I get a new one every 18 months. Your DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going to replace my thermostat approximately never. So the market really can’t fix this.
There are already enough insecure IoT devices on the network to bring down the Internet. Millions more are being added every week. And they aren't going away any time soon.

So, to conclude, what is odd about the report? As far as I can see, there is nothing in the report from the Broadband Internet Technical Advisory Group about what the Broadband Internet industry can do to fix the security issues the report raises. It lays the blame for the problem squarely on the IoT device industry. Very convenient, no?

There clearly are things the broadband industry could do to help. Intel's Schrecker has made one proposal, but it is equally impractical:
As for coping with the threat we face now, courtesy of millions of pathetically insecure consumer IoT devices, Schrecker’s proposed solution sounds elegantly simple, in theory at least: “Distribute, for example, gateways. Edge gateways that can contain a DDoS and are smart enough to talk to each other and help contain them that way.”
ISPs haven't deployed even the basic BCP38 filtering, which would ensure that packets had valid source addresses, and thus make DDoS attacks traceable. But they're going to buy and deploy a whole lot of new hardware? Note that the Mirai DDoS botnet technology has recently been upgraded to spoof source addresses:
Propoet also advertised another new feature, which is the ability to bypass some DDoS mitigation systems by spoofing (faking) the bot's IP address. Previous versions of the Mirai malware didn't include this feature.

2sec4u confirmed in a private conversation that some of the newly-spawned Mirai botnets can carry out DDoS attacks by spoofing IP addresses.
The upgraded technology is used in a botnet four times bigger than the one that took out Dyn last month. It rents for $50-60K/month, nothing compared to the damage it can do. Mirai has been updated with some zero-day exploits to which somewhere between 5M and 40M home routers appear to be vulnerable. Estimating 30% utilization of the 5M resource at $50K/month suggests Mirai-based botnets are a $2.2M/year business.

Schrecker is right about the seriousness of the DDoS threat:
If the operators behind these IoT-enabled botnets were to “point them at industry” instead of smaller targets such as individual journalists’ websites, as happened with infosec researcher Brian Krebs, the impact on the world economy could be “devastating”, he added.
ISPs could do more to secure IoT devices, for example by detecting devices with known vulnerabilities and blocking access to and from them. But this would require a much higher level of user support than current ISP business models could support. Again, an ISP that "did the right thing" would price themselves out of the market.

There is plenty of scope for finger-pointing about IoT security. Having industry groups focus on what their own industry could do would be more constructive than dumping responsibility on others whose problems they don't understand. But it appears in all cases that there is are collective action and short-termism problems. Despite the potential long-term benefits, individual companies would have to take actions against their short-term interests, and would be out-competed by free-riders.

61 comments:

David. said...

Even major companies who should know about security risks are completely clueless when it comes to Things in the Internet. Sony's "Professional" CCTV cameras have some vulnerabilities:

"The firmware contains two hardcoded, permanently enabled accounts in the builtin web-based admin console: debug with the password popeyeConnection, and primana with the password primana. The latter, coupled with magic strings in the URL, unlocks telnet access, potentially granting administrative access to the camera via a command line. Later models can open an SSH server, too."

and:

"Sixth-generation cams use the magic string "himitunokagi", which is Japanese for "secret key"."

David. said...

Two pieces at The Register today illustrate the problem.

Richard Chirgwin's Software can be more secure, says NIST, and we think we know how:

"NISTIR 8151, Dramatically Reducing Software Vulnerabilities, first landed as a draft in July, and the final version dropped last week (PDF)."

It contains lots of good advice. But Darren Pauli's Standards body warned SMS 2FA is insecure and nobody listened points out that NIST's good advice about SMS has been pretty much ignored:

"The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security.

Last July NIST declared that sending one-time passwords to mobile phones was insecure.

The organisation wrote in its advisory that the likelihood of interception makes TXT unreliable."

David. said...

Shaun Nichols at The Register shows that even when IoT device vulnerabilities are known they don't get fixed:

"So say researchers with Cybereason, who claim a pair of high-profile vulnerabilities they spotted in surveillance cams two years ago have been completely ignored by vendors – thus leaving the door wide open for miscreants to hijack potentially "hundreds of thousands" of devices and use them for attacks.

Cybereason's Amit Serper says he and fellow researcher Yoav Orot exploited flaws in off-the-shelf internet-connected cameras back in 2014 in an effort to show how poor IoT security was at the time.

Since then, Serper says, the bugs have not only gone unpatched, but the insecure code has popped up in network camera firmware shipped by dozens of manufacturers selling their weak wares on Amazon. The Cybereason pair finger VStarcam as one vendor of vulnerable kit."

Many of the cameras contained 14-year-old web server code and:

"Serper notes that even if the dozens of different camera vendors using this vulnerable software were to deploy the fix, cameras already in use would remain vulnerable, as they lack the ability to properly receive and install software updates.

Thus, the only solution to fully close the flaw is to throw out the cameras and buy units with patched software."

Fork-lift upgrades of the edge of the Internet are very unlikely ever to happen.

Another of today's pieces at The Register is depressingly familiar. John Leyden's Mirai variant turns TalkTalk routers into zombie botnet agents reports:

"Hundreds of Mirai-infected home routers across the UK are currently acting as DDoS bots.

The vast majority (99 per cent) of these 2,398 Mirai-infected devices are TalkTalk routers, according to security researchers at DDoS mitigation firm Imperva Incapsula."

David. said...

Recently, Epson printers using Google Cloud Print all across the Internet stopped working simultaneously. Sean Gallagher at Ars Technica reports that the cause was an API change Google made. Like these printers, many IoT devices depend on third-party services:

"But the Epson problem is also illustrative of the problems inherent in "Internet of Things" (IoT) devices that are dependent on Internet services to operate—services that can cause malfunctions in third-party systems built to use them (as with the Epson printers in this case) or render entire classes of products unusable (as Nest did when it shut down cloud support for the Hub home automation platform). With Google, Amazon, and others pushing new cloud-connected IoT devices for home automation and other tasks, the risks associated with cloud dependencies for everything from printers to home thermostats are sure to increase."

Unlike the printers, these devices are likely to be unpatchable, so can be bricked at will not just by the manufacturer, but also by the third-party service.

David. said...

Via Cory Doctorow at Ars Technica I found Lily Hay Newman's The Botnet That Broke the Internet Isn’t Going Away, a report on the way Mirai is metastasizing:

"These attacks have been enabled both by the massive army of modems and webcams under Mirai’s control, and the fact that a hacker known as “Anna-senpai” elected to open-source its code in September. While there’s nothing particularly novel about Mirai’s software, it has proven itself to be remarkably flexible and adaptable. As a result, hackers can develop different strains of Mirai that can take over new vulnerable IoT devices and increase the population (and compute power) Mirai botnets can draw on."

As usual, there's some magical thinking about fixes:

"Mirai will ultimately be a “transient threat” in the broader landscape of IoT security, as a report published this week by the Institute of Critical Infrastructure Technology notes. Hackers get bored with shiny new toys just like anyone, and eventually the IoT industry will erode Mirai’s vulnerable device population.

That’s not going to happen in the near future, though. Mirai already has enough fodder to sustain it for years—and more susceptible products roll off of assembly lines every day. As the report adds, Mirai “has inspired a renaissance” in IoT vulnerability exploitation. In the meantime, expect more mayhem."

David. said...

Deflect Labs has a fascinating report Botnet attack analysis of Deflect protected website blacklivesmatter.com:

"This report covers attacks between April 29th and October 15th, 2016. Over this seven-month period, we recorded more than a hundred separate denial-of-service incidents against the official Black Lives Matter website. Our analysis shows a variety of technical methods used in attempts to bring down this website and the characterization of these attacks point to a “mob” mentality of malicious actors jumping on board in response to callouts made on social media and covert channels.

David. said...

The Stanford Engineering website has an article asking How do we keep GPS safe from sabotage?. Many of the more lethal Things in the Internet depend on GPS, which is easy to swamp, spoof, of for the military to shut down:

"Threats to autonomous navigation systems come in many forms. Navigation jammers are simple and already commonplace: All they require is a strong radio signal that blocks out the navigation signals from the Global Positioning System and other sources. If there isn’t a human in place to re-take control of a car or aircraft, jammers can have lethal consequences.

Enge sees bigger and more complicated dangers lurking in the form of “spoofers,” systems that send counterfeit navigation signals to intentionally misdirect a vehicle. Imagine, for example, if a future hacker maliciously scrambled all the location signals in a neighborhood full of autonomous cars."

David. said...

In response to attempts by Level 3 and others to shut down its command and control network, Annie or Botnet #14 has followed the example described in Dennis Brown's 2010 Defcon talk and moved its command and control to the Tor network:

"Try to shut down .onion 'domains' over Tor," BestBuy boasted, hinting at the difficult task of finding servers hidden on the Tor network, something that the FBI has had a hard time tracking for years.

Botnet #14 is really, really big:

"the biggest Mirai botnet known to date, which at one point in late November, early December, reached 3.2 million infected bots."

David. said...

Thibaut Rouffineau, evangelist for Ubuntu Core, trails a forthcoming report based on a survey of 2000 consumers that reveals Research: Consumers are terrible at updating their connected devices:

"only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices. ... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers."

David. said...

A second 600+GB/s botnet has appeared:

"In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as "just as powerful as the most dangerous one to date".

The initial details are here:

"Attacks that combine the use of small and large payloads have become increasingly common since we first reported them in the last months of 2015. These tactics enable attackers to spread their odds by trying to both clog network pipes and bring down network switches."

David. said...

Today's insecure Things in the Internet are "smart" electricity meters:

"The lack of security in the smart utilities raises the prospect of a single line of malicious code cutting power to a home or even causing a catastrophic overload leading to exploding meters or house fires, according to Netanel Rubin, co-founder of the security firm Vaultra."

David. said...

FTC Commissioner Julie Brill addressed the insecurity of the IoI in her Fall 2015 Plenary, suggesting things the agency might be able to do. Now, the agency has started to do something:

"The FTC, in a complaint filed in the Northern District of California charged that “D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.” ... According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “Easy to secure” and “Advance network security.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws"

David. said...

Further to Quinn Norton's comments on ransomware, schools in the UK are being targeted for ransom:

"Cybercrooks are targeting UK schools, demanding payments of up to £8,000 to unlock data they have encrypted with malware."

And, in a spectacular failure of the important customer service aspect of ransomware, the KillDisk team forgot to keep the encryption keys:

"Attackers are targeting Windows and Linux desktops and servers and demanding a laughable 222 bitcoins (US$247,000) for the data to be returned.

No-one has paid; this is a good thing, even for victims laden with cash, since the attackers cannot decrypt files because encryption keys are not saved locally or transmitted to command and control servers."

David. said...

Today's vulnerable Things in the Internet announcement - the FDA confirmed that, as previously reported, St. Jude's pacemakers are vulnerable:

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

David. said...

In a very long and detailed must-read post, Brian Krebs describes the investigation that led him to the author of Mirai and its roots in the competitive world of hosting Minecraft servers.

David. said...

Even systems such as servers that can be updated, unlike most of the IoT, are still have vulnerabilities from years ago.

David. said...

Botnets can be used for things other than DDoS. Thoms Calburn at The Register reports that 350,000 Twitter bot sleeper cell betrayed by love of Star Wars and Windows Phone:

"Computer boffins Juan Echeverria and Shi Zhou at University College London have chanced across a dormant Twitter botnet made up of more than 350,000 accounts with a fondness for quoting Star Wars novels.

Twitter bots have been accused of warping the tone of the 2016 election. They also can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution, and data set pollution, among other things.

In a recently published research paper, the two computer scientists recount how a random sampling of 1 per cent of English-speaking Twitter accounts – about 6 million accounts – led to their discovery."

The bots were odd:

"The manual examination of data associated with 4,942 accounts resulted in the identification of 3,244 bots with consistent characteristics:

- Tweets only random Star Wars quotes.
- Uses hashtags associated with follower acquisition or prepended to random words.
- Never retweets or mentions other Twitter users.
- Each bot has made only 11 or fewer tweets since its inception.
- Each bot has between 10 and 31 friends.
- The bots choose only "Twitter for Windows Phone" as their source application.
- The bots' user ID numbers fall into a narrow range between 1.5 × 10^9 and 1.6 × 10^9.

Given that set of bots, the researchers created a machine learning classifier to hunt for other accounts with similar characteristics. The algorithm identified 356,957 Star Wars bots."

David. said...

The library system of St. Louis, MO was shut down by ransomware:

"The city's libraries are overwhelmingly used by school children and the city's poorer residents."

David. said...

Cory Doctorow's HP's Nonpology reports that:

" Last March, HP printer owners got an automated "security update." After running this update, HP customers would not have detected any outward changes their printers' behavior. But inside, the affected HP printers were secretly counting down to September, when the printers suddenly began rejecting ink cartridges with third-party "security chips" -- if you had opted to save 90% or more on your printer ink by buying unofficial cartridges, you were left in possession of a bunch of useless plastic and ink. In some cases, HP customers assumed their printers had packed in and threw them away.

After thousands of customers for third-party cartridges complained online, the story began to come into focus, and it became obvious that HP had deliberately installed time-delayed self-destruct code on its customers' property to punish them for failing to order their affairs in the way that was most profitable to HP."

As Doctorow points out this really discourages HP printer owners from keeping their software updated and thus:

"Even if you're not an HP customer, you're affected by this. There are hundreds of millions of HP products in the field, and the owners of those printers have been shown that HP will hide anti-features in their security updates, so running those updates may result in your printer being rendered less useful, or altogether useless. That means that all of us are now more vulnerable, because unpatched devices get hijacked into unimaginably large botnets that can be used to take down websites with the kinds of attacks formerly reserved to major governments."

David. said...

Dan Goodin at Ars Technica reports on how How Google fought back against a crippling IoT-powered botnet and won in the process of defending Krebs on Security from the Mirai botnet's attacks.

David. said...

In 2015 the federal government detected over 77,000 "information security incidents", up from 5,500 a decade earlier. That's more than 1 every 7 minutes, 24*7*365.

Barry Ritholtz posted the graph linked above, extracted from this report but the source is OMB, GAO and CERT.

David. said...

Stackoverflowin just caused about 150K printers with ports open to the net to print out a warning message.

David. said...

In How IoT hackers turned a university's network against itself, Danny Palmer reports that:

"Analysis of the university firewall identified over 5,000 devices making hundreds of Domain Name Service (DNS) look-ups every 15 minutes, slowing the institution's entire network and restricting access to the majority of internet services.

In this instance, all of the DNS requests were attempting to look up seafood restaurants -- and it wasn't because thousands of students all had an overwhelming urge to eat fish -- but because devices on the network had been instructed to repeatedly carry out this request.

"We identified that this was coming from their IoT network, their vending machines and their light sensors were actually looking for seafood domains; 5,000 discreet systems and they were nearly all in the IoT infrastructure," says Laurance Dine, managing principal of investigative response at Verizon."

David. said...

John Leyden at The Register reports that:

"researchers at Russian security software maker Dr Web documented a Windows version of the Mirai bot that scans the 'net for vulnerable IoT devices after infecting a Microsoft-powered host. That means vulnerable gear on a corporate network, hopefully shielded from the open internet by a firewall, can be attacked by adjacent Windows clients and servers if they get infected."

David. said...

Via Trailrunner7 at /., Dennis Fisher's Ransomware Gangs Have Become the High-Seas Pirates of the Internet points out the business opportunity that ransomware provides for insurance companies:

"The ransomware market seems to be headed in the same direction as real-world kidnapping, where high-profile targets take out insurance policies to pay ransoms. Grossman said it probably won’t be long before the insurance companies latch onto the ransomware game, too."

But Casey Sullivan at FindLaw's Corporate Counsel blog asks Will Insurance Cover a Ransomware Attack Against Your Company? and points out many details in the fine print that bear on the question.

David. said...

John Leyden at The Register reports on Akamai's quarterly report on DDOS attacks. Mirai was responsible for most but not all of the big ones:

"Attacks greater than 100Gbps increased 140 per cent in Q4 2016 compared to Q4 2015. The largest DDoS attack in Q4 2016, which peaked at 517Gbps, came from Spike, a non-IoT botnet that has been around for more than two years. Seven of the 12 100Gbps-plus attacks from the end of last year can be directly attributed to Mirai."

David. said...

Sean Gallagher at Ars Technica reports that Kaspersky researchers found lots of vulnerabilities in Android apps for "connected cars", which are among the Things in the Internet that kill people:

"All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible ... Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events—making it much easier for someone to create an "evil" version of the app to provide an avenue for attack."

David. said...

And another little problem with connected car apps:

"At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars — you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years."

David. said...

Bruce Schneier nominates Botnets of Things as one of MIT's 10 Breakthrough Technologies.

David. said...

Catalin Cimpanu at Bleeping Computer reports on a botnet an order of magnitude bigger than Mirai:

"Necurs, the world's largest spam botnet with nearly 5 million infected bots, of which one million active each day, has added a new module that can be used for launching DDoS attacks.
...
The sheer size of the Necurs botnet, even in its worst days, dwarfs all of today's IoT botnets. The largest IoT botnet ever observed was Mirai Botnet #14 that managed to rack up around 400,000 bots towards the end of 2016.

On the other hand, Necurs reached these massive numbers by infecting classic desktop computers. The botnet grew so big because it was never used for disruptive DDoS attacks that usually tend to get the attention of law enforcement agencies, who then coordinate takedown attempts."

But:

"Necurs' authors have invested time and money into developing a professional, well-oiled cyber-crime machine. There is no reason to risk their steady revenue stream just for the sake of running a DDoS-for-hire service from which they have only to lose."

The Internet survives because no-one wants to kill the goose that lays the golden egg. Note that Cimpanu also reports that:

"German police announced today that fellow UK police officers have arrested a suspect behind a serious cyber-attack that crippled German ISP Deutsche Telekom at the end of November 2016. ... The attacks were later linked to a cybercrime groups operating a botnet powered by the Mirai malware, known as Botnet #14."

David. said...

Apparently, the Things in Hospitals on the Internet are easy meat for the Medjack malware.

David. said...

Kieren McCarthy at The Register reports that Nest enhances its position as the stand-out IoT vendor security-wise by providing two-factor authentication for its devices.

David. said...

Karl Bode at TechDirt sums up the Wikileaks Vault 7 dump of CIA malware as indicting the IoT:

"most of what's contained in this week's Wikileaks Vault 7 CIA Document Dump isn't all that surprising. It includes stockpiled Android and iOS vulnerabilities, revelations that the US government covertly pays to keep US software unsafe and vulnerable (long suspected, now proven), and the fact that the government routinely exploits weak security in the Internet of Things to spy on targets. That includes turning Samsung "smart" televisions, long in the news for poor security and privacy violations, as an on-demand spying apparatus."

David. said...

Consumer Reports joins the queue of institutions recommending "voluntary standards" for IoT devices.

David. said...

John Leyden at The Register reports that the massive Necurs botnet is not DDOS-ing but is adjusting its business model:

"Security researchers have once again detected an uptick of spam email from the Necurs botnet over recent days. Rather than distributing malware in the form of malicious attachments, it has shifted back to sending high volumes of penny stock pump-and-dump messages."

David. said...

On Incapsula's blog Dima Bekerman reports on a Mirai variant making application- as opposed to network-layer DDoS attacks:

"A few weeks ago, however, what could be another version of Mirai–this one more adept at launching application layer assaults–popped up on our radar.

The attack, which started on February 28 and ran for 54 hours straight, targeted one of our customers, a US college.

The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS—the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests."

David. said...

One or two people have a great way to fix the IoT botnet problem - use a botnet to brick vulnerable devices.

David. said...

Researchers at Palo Alto Networks' "Unit 42" report Amnesia, a new malware targeting the vulnerability, reported a year ago and still unfixed, in DVRs manufactured by TVT that contributed to Mirai and other botnets:

"we believe the Amnesia malware is the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system. This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud."

David. said...

Paul at the security ledger reports that the FDA's warning letter to St. Jude (see above) is damning:

"The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company’s devices as “adulterated,” in violation of the US Federal Food, Drug and Cosmetic Act.

In a damning report, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude Medical, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death."

Flaws included:

"Among the security flaws: a “hardcoded universal unlock code” for the company’s implantable, high voltage devices."

St. Jude has been ignoring security problems revealed in an external review from 2014 and from suppliers. Despite this, it filed:

"a defamation lawsuit ... against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude Medical’s products"

The company's response is a masterpiece of corporate-speak:

"St. Jude Medical’s parent company, Abbott, said that “patient safety comes first” at the company."

David. said...

Back in November 2015 I reported on "white hat" botnets finding vulnerable systems and fixing them, albeit temporarily.

Now, Dan Gooding at Ars Technica reports on HajimeZ, a botnet looking for systems vulnerable to Mirai and fixing them:

"Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals."

Goodin thinks (and I agree) that this isn't a good idea:

"Aside from the long-term inefficacy of Hajime, the fact remains that what its designer is doing—surreptitiously installing a backdoor without permission on tens of thousands of devices—is both unethical and illegal in most jurisdictions around the world."

At least the 2015 lfwatch tried to get users to change the default passwords.

David. said...

There are now multiple BrickerBot networks active, with technology improving rapidly:

"Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves, which someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.

David. said...

Karl Bode at TechDirt comments on the PDoS (Permanent Denial of Service) attacks:

"The problem (aside from this being illegal and destructive) is that the type of person that's likely to go out and purchase a poorly-secured "gee whiz" IOT device or router without considering security -- is the same type of person that's not going to understand why that device just stopped working for no coherent reason. As a result, they're likely to rush out and buy another, poorly-secured device, bringing the incompetence full circle with a zero net gain."

Aliya Sternstein at Ars Technica reports on a more sensible approach taken by the FBI in using the recent changes to Rule 41 enabling judges to issue global warrants for computer penetration:

"the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos. ... The Electronic Frontier Foundation, for example, commended the feds for asking a judge to review exactly what data the FBI would and would not touch in victimized devices, which were located across the country. It was a "positive step" toward accountability and transparency in FBI computer break-ins, EFF staff attorney Andrew Crocker said.
...
For Kelihos, the feds needed stronger legal standing to free hostage computers because of the peer-to-peer nature of the infection, which demanded more "active measures," says John Bambenek, a manager at Fidelis Cybersecurity who's helping with the botnet cleanup.

The FBI "had to infect machines," convert them into so-called supernodes that distribute connection lists to other victimized computers, and then "poison" all the computers so they would never again try to communicate with hacker-controlled devices, said Bambenek, who also assisted on the 2014 Gameover Zeus cleansing operation."

David. said...

The "grey hat" approach to malware is catching on. Dan Goodin's NSA backdoor detected on >55,000 Windows boxes can now be remotely removed reports that:

"On Tuesday, security firm Countercept released an update to the DoublePulsar detection script it published last week. It now allows people anywhere on the Internet to remotely uninstall the implant from any infected machine. Researcher Kevin Beaumont told Ars that detecting DoublePulsar involves sending a series of SMB—short for server message block—queries to Internet-facing computers. By modifying two bytes of the query, the same person can remove the infection from any computers that test positive."

David. said...

Junade Ali's post on Cloudflare's blog entitled IoT Security Anti-Patterns identifies four ways IoT programmers can contribute to the insecurity of the IoT.

David. said...

That was quick. Instead of guessing passwords, as Mirai does, Persirai exploits a vulnerability in about 185K "security" cameras that was revealed a month ago to build yet another massive botnet.

David. said...

Implanted pacemakers are still vulnerable to a multitude of attacks even though Dick Cheney's was patched in 2013.

David. said...

Dan Goodin at Ars Technica reports that:

"Security cameras manufactured by China-based Foscam are vulnerable to remote take-over hacks that allow attackers to view video feeds, download stored files, and possibly compromise other devices connected to a local network. That's according to a 12-page report released Wednesday by security firm F-Secure."

Among the vulnerabilities are:

"(1) a built-in file transfer protocol server that contains a hard-coded account password (an empty password, by the way) that can't be changed by the user, (2) a hidden and undocumented telnet function that allows attackers to expand the device capabilities, and (3) incorrect permissions assigned to programming scripts that run each time the device starts."

Perhaps Foscom believes this is a good way to allow systems in the field to be remotely patched; they haven't fixed them several months after being notified of the problems. After all, there's no chance the bad guys would guess an empty password for FTP.

David. said...

Alistair Dabbs's Smart burglars will ride the surf of inter-connected hackability is accurate in its description of a robot dustbin and a security camera:

"A nifty burglar will hack into your home security device through a chain of infection, starting from a humble e-cig. Malicious code will then flow though your connected junk of unnecessary gadgetry, via your smart lampshades, robotically enhanced cutlery and intelligent toilet seats, and simply put your security camera in sleep mode.

On the way, it will change the timer on your boiler, unlock your autonomous vehicle and reprogram the skills in Alexa. You’ll come home to find the only warm place in the house is the fridge, your car has driven itself to Devon for the weekend and Amazon has delivered 4,000 bananas."

David. said...

Among the Things in the Internet with IoT-style security are industrial robots:

"industrial robotic control systems lack even the most basic security -- instead of cryptographically hashing passwords, they store them in the clear (with a single, deterministic XOR operation to provide a useless hurdle against hackers); controllers expose an FTP process during bootup that accepts new firmware loads without authentication; network-level commands are not encrypted or signed; controllers use hardcoded usernames and passwords; memory corruption attacks are easy and devastating; the runtimes for the control instructions are poorly isolated from other processes"

and, with a little help from a Raspberry Pi, wind farms:

"wind-turbines are very poorly secured, vulnerable to attacks that can be launched just by plugging a Raspberry Pi into the control-system's Ethernet port."

David. said...

Senators Wyden, Warner, Gardner and Daines have introduced legislation to improve IoT security:

"The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities."

and:

"It would also expand legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws."

David. said...

For a change, today's IoT disaster isn't a vulnerability, it is a screwed-up software update for "smart locks" that are apparently widely used by AirBnB hosts. So even IoT devices that do software updates may not do them properly.

David. said...

Dan Goodin reports that lists of IPs and [username:password] pairs are being posted to obviate the need to search for systems to compromise.

David. said...

The Things in the Internet definitely include phones. Dan Goodin's One of 1st-known Android DDoS malware infects phones in 100 countries reports on apparently the second known botnet implemented as an Android app in the Google Play store:

"The botnet was made up of some 300 apps available in the official Google Play market. Once installed, they surreptitiously conscripted devices into a malicious network that sent junk traffic to certain websites with the goal of causing them to go offline or become unresponsive. At its height, the WireX botnet controlled more than 120,000 IP addresses located in 100 countries. ... The attacks bombarded targets with as many as 20,000 HTTP requests per second in an attempt to exhaust server resources."

David. said...

A DVR with the default password lasts 2 minutes before being compromised, according to SANS Institute testing:

"SANS sees "100,000-150,000 sources participating in telnet scans" so between clueless users and manufacturers who don't implement on-activation password changes, he thinks Mirai-style attacks are here to stay."

David. said...

Not even AT&T can get it right. A whole slew of remote exploits have been reported in nearly 140K Arris modems supplied to AT&T's customers, including that:

"the modems carry hard-coded credentials, serious since a firmware update turned on SSH by default. That would let a remote attacker access the modem's cshell service and take a leisurely walk through most of the devices' controls and levers. ... The cshell runs as root, which means any other possible exploit is also trivial to exploit."

David. said...

Anyone with access to a car's CAN bus can deploy the airbags:

"in unspecified post-2014 passenger car models, the explosive charge that deploys the airbag is controlled by an instruction that is secured by one of only 256 keypairs, and there is no rate-limit on authentication attempts over the CAN bus."

Especially a problem if they're Takata air-bags, like the ones we're still waiting for BMW to replace under recall, that fling metal fragments at you.

David. said...

Wondering why you didn't get any trick-or-treaters? Everyone's Ring doorbell went down for Halloween.

David. said...

Things in the Internet don't get fixed. The Mirai botnet is still around more than a year later:

"From July to September 2017, SecurityScorecard identified 34,062 IPv4 addresses on the public internet that showed symptoms expected from an embedded device infected with the Mirai IoT malware. This contrasts with 184,258 IPv4 addresses of IoT devices infected with Mirai IoT malware from August 1, 2016, to July 31, 2017.

Even though the botnet is smaller and more fragmented, it still poses a threat to internet hygiene.

Other security experts back this assessment. The decline in numbers of the Mirai zombie horde may have nothing to do with improved IoT security, such as users patching the DVR devices and the like that are most susceptible to infection.

Ken Munro, of UK security consultancy Pen Test Partners, said: "We believe the main reason that the botnets are small is that Mirai is not persistent. The infection does not survive a reboot. Mirai attacks XiongMai-based DVRs, which are pretty unstable – indeed, it's trivial to reboot them remotely, unauthenticated.

"As a result, no single botnet herder can create a single large botnet – the DVRs reboot randomly and there's then a race to pwn then again."

Other more recent IoT botnets – most notably Reaper – represent a worse risk to security, according to Munro."

David. said...

"This may be the best news about the IoT ever published." writes Cory Doctorow:

In Deloitte's new 2017 Global Mobile Consumer Survey, the company notes that "connected home systems—a category that includes home security, thermostats, and lighting—continue to lag behind other connected devices such as entertainment systems and connected vehicles," which the report attributes to "concerns about security and privacy."

The survey found "more than 40 percent of respondents agree that smart home technology reveals too much about their personal lives and nearly 40 percent worry that usage can be tracked. In addition, less than one in five consumers believe they are very well informed about the security risks associated with connected home devices; and nearly 40 percent believe they are not properly informed at all."

David. said...

"Fernandez discovered that by accessing the control panel of specific DVRs with a cookie header of "Cookie: uid=admin," the DVR would respond with the device's admin credentials in cleartext. The entire exploit is small enough to fit inside a tweet. ... A screenshot of a Shodan query Fernandez used to identify vulnerable devices showed over 55,000 DVRs readily available online, while another showed 10,000 more."

Catalin Cimpanu reports on the latest IoT disaster, reported a month ago but ignored until now.

David. said...

A 14-year-old is reviving BrickerBot, reports Catalin Cimpanu in New Silex malware is bricking IoT devices, has scary plans:

"A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

Named Silex, this malware began operating earlier today, about three-four hours before this article's publication.

The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later."