Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Who Makes the IoT Things Under Attack?
#1
A depressing article from "Krebs on Security" that make me believe that I will never introduce an IoT device into my home:

https://krebsonsecurity.com/2016/10/who-...er-attack/
Mark Stega
Reply
#2
None of this is new. IoT is made to a price and security suffers.

There should be no IoT device on your main network - they should all be segregated off. Steve Gibson talks about this on his podcast and recommends the use of three dumb routers or a smart router like the Ubiquity edge (5 ports) that allows the unsecure devices to co-exist with the home network.

Manufactures are to blame ultimately - they need to be brought to task over this and it is only going to get worse as more and more people jump on the IoT bandwagon and put them on the internet without the knowledge of how to secure them.

What is an IoT device anyway - If it is anything that can connect to a network then we are all using one (CQC). What about the M1, our DVR's, blue ray players etc.
Mykel Koblenz
Illawarra Smart Home
Reply
#3
I was just reading that a lot of compromised devices were used in a DDOS attack on a key DNS provider today, knocking out DNS access to a number of major sites.
Dean Roddey
Software Geek Extraordinaire
Reply
#4
After reading that it sounds more like uPNP is the devil. Not the devices.
--Kill all the serial ports--
Reply
#5
It's linux based so any device running linux can run the Mirai bot.

<Soapbox>
Things are coming to a head security-wise in the industry. The status quo is that all device are expected to stay updated for security issues within 90 days or so and that is essentially impossible even for a large company. We spend a huge amount of time just updating stuff and money-wise it is a bottomless pit. Consumers aren't even going to bother with it at all and these "IoT" devices run on firmware that isn't always easy to update.

It is also very hard to protect from a DDoS attack. This is a large volume of otherwise legitimate traffic. Some device somewhere has to filter it out. A company can't do it because their INET circuits are already saturated, so they have to rely on their ISP or some 3rd party. And a lot of people do not sign up for those services, they are expensive and cause technical and performance issues. From a consumer standpoint they are getting 100Mbps or 1Gbps internet access circuits now. Most companies are probably only on 1Gbps or 10Gbps.

The summary is we are going to continue to see more of this and it is going to get much worse before it gets better, if it does get better. We can't rely on the endpoints to be secure, or the people making equipment and software can't continue to just roll out anything they want without some sort of certification process. And things like "net neutrality" or at least what most people think that means which is absolute freedom on the internet take the tools away from the ISPs to prevent this kind of stuff.

The internet/software development and computing in general can be the wild wild west or it can be civilized, it can't be both.
</Soapbox>
Wuench
My Home Theater/Automation Website

[THREAD=5957]BlueGlass CQC Config[/THREAD]
[THREAD=10624]Wuench's CQC Drivers[/THREAD]
Reply
#6
We are pretty much screwed. We become more and more dependent on the internet every day, and organizations almost push people to depend on it. I get charged $2 a month to get a paper bank account report every month now, because they want everyone to do it online, which of course means setting up an account which will inevitably get hacked en masse (for those folks who don't get it hacked via individual exploit before that.)

And then there's an enormous incentive for companies to sell internet enabled doo-dads and pretty minimal requirement that they know what they are doing before they do it. So much of the web development out there is trending towards the "just use our magic tool" end of the scale, with people getting automatic inclusion of all kinds of libraries that they know little to nothing about, or maybe even that those libraries are part of their web site content. And we then happily run that stuff on our machines.

There are so many potential entry vectors for the dedicated hacker that it's scary to think about.
Dean Roddey
Software Geek Extraordinaire
Reply
#7
This is why the model of signing up to a service and having your device send the data to the cloud server and then getting it back is a model I despise. (I have extremely limited bandwidth is another reason I hate it).

Any IoT device should have the option of being cut off from the internet - This does not preclude it from the local network where controller like CQC play a major role. They [CQC] can proxy the information to the user on the internet and this would alleviate a significant threat that we are currently seeing.

It was only a matter of time and its not going to get better. We will see some small security offerings but on the whole with everything made to a price, security is always going to be trumped by functionality for a consumer product
Mykel Koblenz
Illawarra Smart Home
Reply
#8
This is the internet, so of course take that into consideration but:

https://www.reddit.com/r/homeautomation/..._of_smart/


Apparently use of a drone to remotely hack a Hue and install malicious software on it. So, in that case, it's not just an issue of home automation hacking, it's using the Hue wireless protocol to go right around all of the outward facing protections you might have set up for your LAN, and putting malicious software inside the perimeter.
Dean Roddey
Software Geek Extraordinaire
Reply
#9
So now I guess we need to arm those home security drones with tiny air to air missiles to protect your home from the hacker drones.
Dean Roddey
Software Geek Extraordinaire
Reply
#10
BTW Qualys has a good website that will scan your internet access for free 10 times.
Wuench
My Home Theater/Automation Website

[THREAD=5957]BlueGlass CQC Config[/THREAD]
[THREAD=10624]Wuench's CQC Drivers[/THREAD]
Reply


Possibly Related Threads...
Thread Author Replies Views Last Post
  Things not to do Dean Roddey 2 1,041 12-30-2015, 08:32 AM
Last Post: zaccari
  Internet of things Ron Haley 12 2,720 09-23-2015, 04:04 AM
Last Post: znelbok
  Anyone use CBus inputs for other things? willplaice 3 1,092 06-30-2009, 02:32 AM
Last Post: znelbok
  How in the hell do you remove these things Wynn 7 1,542 07-16-2007, 09:44 PM
Last Post: zaccari

Forum Jump:


Users browsing this thread: 1 Guest(s)