Ask Slashdot: Is My IoT Device Part of a Botnet?
As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised:
There have been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?
If it's connected to the internet directly, and it has no built in security apart from "admin" "password", it's part of a botnet or soon will be.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
There are free tools you can use to monitor a network, but they might not be so easy for the average user. Just googling around, I found this solution that's designed to answer such questions, but note it costs money. I've never seen it in action. One would hope that you get something user-friendly at such a price.
The other guy who said that if you can log in with "admin" as the userid and "password" as the password, or some other default login, that's spot-on. Botnet creators will probe for that, so at the very least change the userid and password before actually going live... or just do what I do and not have any IoT stuff.
The only way to tell would be if your router ran a sophisticated firmware which allowed for granular user monitoring and management, and ability to add rules.
Frankly, if I could create a wifi guest network with no access to the internet, then I would connect IoTs, printer, NAS and CCTVs to it. But then how do I connect to them from the non-guest network? Right now, I'm using the parental control feature to block internet access to these guys.
I wanted to buy Synology's RT1900ac (~ £100), but the negative side of its reviews talk about poor range, abysmal boot-time and slow client-router handshake. So I am pretty screwed with my shitty TP-Link wireless N. I say shitty because these ch***s never create security firmware updates. You basically run the default firmware until one day (3 years later actually), the thing is dead.
See subject.
If you've got abnormally large internet usage, then it might be.
The short answer is: yes.
Almost all IoT providers don't care about security and you get what you've paid for.
Though it doesn't seem to apply to home networks, how can you be an IT professional of any kind and NOT know what's coming into or going out of your network?
If nothing else, precisely because of things like this where your CCTV NVR or your thermostat could be hacked and doing whatever it likes. In fact, DDoS of someone else is the LEAST of your worries if someone is able to coax your devices into running arbitrary code on your local network.
Sorry, but this kind of thing needs management and there isn't a home router on this planet that does things like send you an email when a "new" device connects, or alerts you to unusual activity from your local network devices.
That's what you get for advertising it on Slashdot, sucker.
If you have to fill out cloudflare captchas when browsing, then maybe.
I do not know what an "average user" is but.... If a person is intelligent enough to perceive the need for a device, obtain the device and install the device then they should be smart enough to look at a log file and see if the device is operating correctly. Almost all routers and modems have logging capabilities, IoT devices should too. (I own no IoT devices)
Is this the long sought after counter-example to Betteridge's Law where the response to a question mark is always "yes" ?
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
If there's an app for it, you can bet on it being remote controlled.
Probably beyond the abilities of Joe Average, but you could use your router/firewall/whatever to limit the bandwidth of IoT devices on your network.
Most IoT devices seem to use very little bandwidth by design - they just send and receive simple status updates and commands - and they would be of much less value to a botnet operator if they were limited to, say, 5kbps.
I built them myself.
Quite frankly, for nearly everything that is currently offered as a commercial IoT gimmick the answer to "is my IoT device part of a botnet" is "yes, or at least it can easily become one soon".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I don't use IoT, and I never will. No need to share with the external world room temperatures, door status or garden humidity. Electromechanical devices are enough for this, they are much cheaper, and are free from the risk of being tampered with by an Indian hacker.
I still have to understand why people need to control everything from their smartphone, when there are simpler solutions that require much less of your precious free time to be implemented and used.
And it's looking a bit like Mega Man Battle Network, where everything is networked and you have a virus encounter every 10 steps.
No, maybe, yes, depends on network configuration, product dev and luck
The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
The average user has no idea that there is something like "IoT" and that it is in any way different from the rest of "the internet". All they know is that it is "smart" to have an app on your phone that can turn on the heating and tell you the fridge is empty, and a TV that seems to understand what you want to watch, or a smart meter that tells you (and the utility company) how much gas and electricity you use up to the last minute. They won't know or care about the security implications until it goes badly wrong.
You should install a firewall in your router, enable the few ports you want to use from the outside, and log every other connection attempt. That way you'll have an idea how often ports are scanned daily. For me it is at least 100 times per hour on a single IP, most of them trying the telnet port, because a lot of surveillance cameras and other I(di)oT stuff still use telnet.
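One way to turn the "log every other connection attempt" advice above into the hourly numbers the commenter quotes, as an added example that is not part of the original thread: a parser for netfilter LOG lines that counts dropped inbound attempts per destination port, per hour and per source. The log lines and the 2323 alternate-telnet port are constructed assumptions for the example, not data from the page.

```python
"""Summarise dropped inbound connection attempts from iptables LOG output.

Added example. The syslog lines below are constructed for illustration;
they follow the field layout a rule such as
`iptables -A INPUT -j LOG --log-prefix "DROP-IN "` produces.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: addresses are documentation ranges, not real scanners.
SAMPLE_LOG = """\
Oct 23 09:01:12 gw kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=48211 DPT=23 WINDOW=14600 SYN URGP=0
Oct 23 09:03:45 gw kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=48212 DPT=2323 WINDOW=14600 SYN URGP=0
Oct 23 09:17:02 gw kernel: DROP-IN IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 SYN URGP=0
Oct 23 09:40:30 gw kernel: DROP-IN IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 SYN URGP=0
Oct 23 10:02:11 gw kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.5 LEN=60 TTL=55 ID=0 DF PROTO=UDP SPT=33333 DPT=5060 LEN=40
Oct 23 10:15:09 gw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 LEN=84 TTL=60 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 23 10:31:55 gw kernel: DROP-IN IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51002 DPT=23 WINDOW=1024 SYN URGP=0
"""

# Telnet is the port the comment names; 2323 is a commonly seen alternate
# telnet port and is an assumption added for this example.
WATCH_PORTS = {("TCP", 23), ("TCP", 2323)}


def parse_line(line):
    """Return the fields we care about, or None for lines that are not LOG output."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "hour": f"{d['mon']} {d['day']} {d['hour']}:00",
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        # ICMP and other port-less protocols leave DPT unset.
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def summarize(lines):
    """Count attempts per (proto, port), per clock hour and per source address."""
    per_port, per_hour, per_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_port[(rec["proto"], rec["dpt"])] += 1
        per_hour[rec["hour"]] += 1
        per_src[rec["src"]] += 1
    return {"per_port": per_port, "per_hour": per_hour, "per_src": per_src}


def telnet_share(summary):
    """Fraction of all logged attempts aimed at telnet-style ports."""
    total = sum(summary["per_port"].values())
    hits = sum(summary["per_port"][p] for p in WATCH_PORTS)
    return hits / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for hour, n in sorted(s["per_hour"].items()):
        print(f"{hour}: {n} dropped attempts")
    print("top ports:", s["per_port"].most_common(3))
    print(f"telnet share: {telnet_share(s):.0%}")
```

On a real box, feed it `journalctl -k` or `/var/log/kern.log` lines instead of `SAMPLE_LOG`; the per-hour counter is what tells you whether "100 times per hour" is your baseline or a spike.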
If you have a device connected to the internet, made by some startup or big company, who doesn't care about the security of user data.
What can go wrong will go wrong. Your device and/or data will get hacked.
If you are lucky, it will perhaps not happen to you, but don't count on it, so assume it's compromised, and therefore don't accept devices that are unnecessarily connected to the open internet.
So the obvious answer to the question if your connected device is compromised is "YES, it is compromised."
That's why I don't do IoT. My cellphone is the closest thing to IoT that I own and the only system that I don't control the software for.
thegodmovie.com - watch it
It's spying on you.
All devices misbehave. See vending machines, printers, phones etc. as examples.
So if they were to be misbehaving maliciously rather than incompetently, how would you know ?
If you are using a real router, you can check the outbound traffic originating from your things.
Maybe you can throttle it: it'd be in the order of a few KBps and it'd be directed only towards a certain server.
Anything else could be an ongoing DDOS attack.
If all of this doesn't make any sense to you, then I'd suggest you disconnect those tin cans.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Do you really want to know?
Then analyse your LAN traffic. Wireshark and Co. are your friends.
You're welcome. Captain Obvious was glad to help.
We suffer more in our imagination than in reality. - Seneca
If you don't know what you're doing, you might want to steer clear of blackbox devices in your private LAN.
I personally wouldn't trust an IOThingie that I didn't build myself with a Raspberry Pi, Arduino or something.
Oh, and not being able to find out if your device is part of a botnet counts as 'not knowing what you're doing'.
My 2 Eurocents.
We suffer more in our imagination than in reality. - Seneca
From what I've seen all the "internet of things" devices that are being produced have either no security at all or are full of back doors.
So yes, if you have such a device it's going to be part of a botnet. If not now then within a short while.
I've read a few of these stories lately and while personally I run a Mikrotik router with a separate access point I thought the vast majority of shitty consumer routers still had a basic firewall that blocked all incoming connections by default? Plus for those that don't, presumably all these IoT devices would need NAT on your typical home network to be accessible externally, so does anyone know if UPnP is required for these exploits to work? I realize this only applies to external port scans but I'd assume that's how most botnets find target devices rather than because of outgoing connections to the vendor's server that may be compromised.
If it floats, it was possessed. BURN IT! If it sinks, it was fine, give it a Christian sepulture.
Why do you think it's called Internet of Things? It's their internet. Just leave them alone and stick with the Internet of People. Don't be a helicopter botmom.
Block all IoT devices in the firewall from external communication.
If they don't work you have purchased an insecure device.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Answers for the clueless. Just because the slash audience knows a great deal is no reason to ask inane, easily answered (by google) questions. "I'm curious" doesn't cut it. Editors do better, really.
get a router/wifi AP that can measure the volume of data for each device. unfortunately, current consumer devices are unlikely to have this capability.
Infected devices usually try to spread the infection further and their scanning attempts on the Internet are often observed. There is for instance a dedicated website for IoT devices attacking Telnet ports or some more generic ones, such as the Internet Storm Center. If the IP address of your device is on the list, it is very likely that you have a problem.
It depends on how much effort you want to put into this. The best way to detect this kind of weird behavior is using an intrusion detection system/deep packet inspection at the router level. You can limit the damage they would do with a few firewall rules. As was mentioned, having an additional layer behind your internet router can slow people down and at least prevent people from harming your local network.
The problem with a lot of these IOT devices is that they can roam freely and some automatically connect to multiple public wifis... so if they are vulnerable they go across networks.
Never anthropomorphize computers; they do not like that.
Depends, have you plugged it in yet?
No need to turn it on, someone else will do that for you.
Regards, Phil
Egress filtering/alerting.
Activity monitoring(volume or netflow).
Traffic analysis. Who's saying what to whom and when?
It really disappoints me how few people do this anymore. The number of apps and operating systems(not even hijacked devices) that are getting away with activities that people would not be at all comfortable with is frightening, but no one seems to notice or care. Well, reap the consequences that your apathy has sown.
My IoT devices and my son's gaming machine are on three of their own dedicated VLANs. The IoT VLANs are able to talk to only a few designated hosts. I audit their traffic periodically, just to keep them honest. The gaming machine is a cesspool.
I have IoT devices. Are they on any botnets? I don't know, I don't spend any time checking.
You can't, however, initiate a connection to them from the outside (no port forwarding) and UPnP has been disabled.
Still, if the manufacturer has failed somehow, and they have been infected from the factory or when they phone home, they could be running nasty stuff.
While your IoT device may or may not be part of a botnet, the fact that you 'bought into' the nonsense idea that is the "Internet of Things" means that you, as a human, are psychologically part of a commercial-botnet where you can (apparently) be compelled to do dumb things on command.
-Styopa
Or FTPs (FTP over TLS).
What Things need to be connected to the Internet ?
The same way you tell if you have a slowly-leaking toilet in your home: you stop using everything and look at the meter..
Don't give these devices a gateway or DNS and connect to them through a tunnel.
(a) Sniff your network traffic, looking for anything unusual coming from the device.
(b) Don't use IoT stuff.
That is all.
I have often wondered the answer to this question myself: how can I tell if a machine on my network is compromised?
So I set up a Linux box as my primary router, and monitored all the traffic going through the box, and holy crap, there is a lot of stuff.
Every time you hit a facebook web page, the javascript in there directs your browser to hit literally dozens of other web sites, and this is true of EVERY device in your house: your wife's laptop, your son's smartphone, your dog's water bowl. When you watch a video on Netflix, the video player hits a dozen different servers at once, and those connections come and go constantly, old ones are closed, new ones opened to different servers throughout the world with all kinds of different names. And, of course, a modern computer or smartphone uses all kinds of services: time services, location services, software updates, on and on and on.
It would be very difficult for a person to notice a low level bot doing something amiss. I have all the data, and I don't know how to do it.
I have no IoT devices in my home, and I will never have any IoT devices in my home that are allowed unrestricted access to the internet.
If I am forced to have IoT devices and must hook them to the internet, they will only be allowed access via a homebrew firewall. This firewall will sit between IoT and not only the internet, but my own personal network.
I am not a luddite, I am a kissite. Keep it simple stupid. I like devices I can repair, and have plenty of time to get off my ass to answer the door, check the fridge, adjust the thermostat, make toast, and change the laundry.
Do you really need a washer/dryer that will text/email you, or do you need a countdown timer on your phone?
VLANs are suggestions, not security. Devices are free to ignore them and many do.
Wish folks would stop suggesting VLANs like they are any thing more.
He was talking about managed switches, so he probably intended the VLANs to be enforced by the switch (and tagged per port) and not by the shady IoT device. The device is free to ignore them all it wants, but it's not seeing any packets from outside of that VLAN and its packets aren't going anywhere that isn't on the same VLAN.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
That would be because IOT is a marketing term that advertisers don't typically use for set top boxes, smart tvs, and advanced features for vehicles.
IoT or not, odd how you made me wonder if the smoke alarm itself has ever been the source of a fire...
This almost happened to me, so it's a safe bet it's actually happened to someone. I took a smoke detector off to paint the ceiling, and put it down on something (kid's toy in a box, iirc). This something had a part that was somewhat conductive and fluffy, and somehow that part managed to hit the contacts on the 9V battery. I came back a bit later, and noticed there was a bit of char and a smoke smell; if there had been anything more flammable there, it probably would have caught fire. Moral: be careful where and how you place electrical devices (which I'm usually pretty good about).
Posting anon for insurance reasons...
n/t
Set up an IDS (intrusion detection system) distro like Security Onion. Turn off every computer except the suspect IOT, capture network traffic, filter and analyze.
I am more concerned about a cheap IoT device shipping with spyware from China pre-installed than I am about someone hacking into my network.
-==- Buy a Mac and leave me alone!
It's not a special case. You gain confidence in IoT "devices" the same way you gain confidence in the IoT device that you call a "desktop." There simply aren't any practical differences.
1) It's for you. You know for sure that no aspect of any software it's allowed to run was ever intended to serve any other party's interests above yours. That was the first-priority, inviolate requirement for all decisions regarding the unit.
2) You're in control. You chose the software that you're running on it, either through selection or the very act of creation. When you compiled its software in the Arduino IDE, did you think to add botnet capability? If not, then it's probably not there. If you didn't make it, were there complaints from other users that whatever was published on the github page was compromised? You wouldn't install it, if such complaints existed. Or if you have seen such complaints, you have replaced your device's software with a fork which lacks the bug. Being in control was almost certainly the second-priority requirement.
3) If you're uncertain about either of the above two, then you trust but verify. If your device just talks over USB to an MQTT broker, you can look at all the messages it's posting to the MQTT and see if any look suspicious, and see if your email client happens to be strangely subscribed to the broker. If your device has wifi instead, then you've had your router show you all the connections it makes, to verify that it never tries (though you'd have this blocked anyway) to connect to anything other than your control hub. Auditing was almost certainly a fairly high priority requirement, thanks to the above two requirements already guaranteeing you that you would have the ability to audit it.
As you can see, for all these things, it doesn't matter whether you're talking about the machine you use for browsing the web, or for recording temperature logs. You approached the problem the same way in both cases. It had to be yours, you had to be in control, and you keep an eye on it. That's how you accrue confidence that it's not part of a botnet: you did things right, such that no one else was ever in an easy position to deploy their botnet node within your realm of responsibility.
If you ever hear of someone who isn't doing this stuff, then you're talking about someone who doesn't give the slightest fuck about responsibility, so they don't have any means to achieve confidence of being botnet-free, but also: they don't care. This is the kind of person who doesn't care if their grocery cart scratches someone else's car, hurt someone else's feelings with a thoughtless word, accidentally kill people by not following the mine's ventilation procedures, etc. But this isn't you, because if it were, then you wouldn't be asking if you're helping a botnet!
If you're providing public downloads, FTP is the proper tool for the job. Sadly, it's falling by the wayside due to failure to everything's-a-nail syndrome.
HTTP downloads are a "hack", technically. They fit one of three patterns:
1) The user agent (browser) doesn't know how to handle the file type and simply receives the data and saves the body content of the message to disk with the same filename as the originating server
2) The user agent provides a way to request any file type to be received and saved to disk
3) A link provides a MIME "attachment".
So take your pick: a default method of handling unknowns, explicit user request to do something other than the normal handling of a request, and an egregious hack that turns HTTP requests into pseudo-emails. HTTP downloads are a hack.
Or just use anonymous, public FTP like you're supposed to.
I'm in IT as a DBA, but I don't know if any of my devices are infected. Honestly I'm not too concerned, my PCs are locked down.
I'd be surprised if many consumers had ever stopped to wonder whether or not their router had a log file.
It's worse than that. I mentioned the existence of a log file to my neighbor once, and he thought it was a piece of equipment used by lumberjacks.
Go check these guys out, they have an excellent IPS that is designed, not only for the home IoTs but will protect your mobile devices on the move.
http://ipssecurityrules.co.uk/
Regards,
Wes.
Remember that story about the IoT vibrator? If it was used for a DDoS, would it be a cock blocker?
But you need a switch with port replication or a system with two NICs configured to pass data through it. Set up Wireshark on a system and set port replication or route traffic through it. Then set filters in Wireshark to monitor your IoT devices by IP or MAC. If you see anything funny, yank its wire and set up a honeypot to tear the thing apart, packet by packet.
It sounds like a lot of work, but if you find nothing or something, then you know that it was well worth the labor.
First rule of holes; When in one, stop digging.
... They won't know or care about the security implications until it goes badly wrong.
And that is how it should be. We - the tech creators - need to step it up and get past "it just works" to "it just works, securely."
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
All of my devices are part of the one botnet to rule them all - CowboyNealBot.
All Hail CowboyNealBot!
All Hail CowboyNealBot!
All Hail CowboyNealBot!
I doubt my IoT camera is hacked, although it's odd that the manufacturer programmed it to whistle and say "nice wiener" every time I walk through the house naked.
"That's the way to do it" - Punch
I have all wireless segregated from the rest of my network. I am a bit more extreme than most, I have the Merlin firmware on the wireless router but it is connected directly to an ASA. The ASA is blocking anything that comes from wireless from hitting the rest of the network. I also have snort, ntop and ossec running to make me feel better. This was the best way to make sure all my IoT devices are left to commit hara-kiri whenever they choose. I have the WeMo lights, outlets and light switches, 3 Echo Dots and 1 Alexa, Sonos, the ecobee.
As you can see, I don't care if those devices become part of the botnet as long as I control that botnet. ;)
Anyone have ideas on things I should add?!?
I think we will eventually need a better method to track TCP/IP traffic going into our routers and on to the internet. I have a WRT1900 and its default usage graph is pretty lame but I can see who's sucking down bandwidth when my response time dips.
I would love to have a 1Hz usage update log for every device on my router, because I've seen my thermostat tank my network during a software update.
This will be the only way we can tell if our IoT devices are being used as a botnet. The primary gateway for IoT is HTTP(S). I don't see that changing for at least a decade. The edge nodes will always talk to a local web gateway that connects to our routers.
Hence, we need better router statistics and possibly even usage warnings. This will at least detect suspicious behavior.
https://www.accountkiller.com/removal-requested
YES.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
- Starts running with the wrong crowd.
- Has a general "bad attitude".
- Stays out late and when it does come home, smells of cheap beer and cigarettes.
- Hogs bandwidth and picks on his younger brother.
Tough Love is the only way to revert this behavior.
Thank God average users are smarter than the rest of us.
My approach would be to dump IoT devices in their own dedicated subnet and exclude that subnet from forwarding across the router. That reduces the exposure to just the router, and I can monitor the iptables logs for dropped packets to/from that subnet that represent attempts to do something suspicious. Configuration doesn't have to be hard: instead of plugging devices directly into the router's switch you plug devices in to external switches, connect those switches to router ports and set each port to what kind of devices hang off it. That'd control the VLAN setup to give each kind of device (WiFi, LAN, IoT) its own virtual interface. Configuration for the firewall, DHCP, DNS etc. follows from that (you may not want to allow the IoT subnet access to external DNS, for instance). This takes a bit to set up in the firmware, but the DD-WRT/OpenWRT firmware all the major router manufacturers seem to use for their consumer routers has all the tools and then some, and once the user interface is there using the functionality isn't that hard.
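Several commenters converge on the same audit for a dedicated IoT subnet: each device should only talk to a known server, its volume should stay in the few-kbps range, and a device suddenly reaching many new hosts is scanning. The check below, an added example that is not from the thread, runs that audit over per-device flow records; the device addresses, allowlist and flow data are constructed for the example, and the 5 kbps ceiling is the figure one commenter suggested as a throttle.

```python
"""Audit outbound flows from an IoT subnet against a per-device allowlist.

Added example. Records are (src, dst, dport, bytes) tuples summarising one
WINDOW_SECONDS interval, the shape a router's connection-tracking export or a
netflow collector would give you; everything below is constructed sample data.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
MAX_BPS = 5_000            # ~5 kbps: the per-device ceiling a commenter proposes
SCAN_DISTINCT_DSTS = 20    # more distinct destinations than this in one window = scanning

# Constructed allowlist: which (destination, port) each device is expected to use.
ALLOWED = {
    "192.168.50.10": {("203.0.113.10", 443)},                             # thermostat
    "192.168.50.11": {("198.51.100.20", 443), ("198.51.100.20", 8883)},   # camera
}

# Constructed flow records for one 60-second window.
FLOWS = [
    ("192.168.50.10", "203.0.113.10", 443, 1_200),        # thermostat status update
    ("192.168.50.11", "198.51.100.20", 8883, 900),        # camera MQTT keepalive
    ("192.168.50.11", "198.51.100.20", 443, 3_000_000),   # camera pushing ~400 kbps
    ("192.168.50.10", "192.0.2.77", 6667, 300),           # thermostat talking to an unknown host
] + [
    # camera touching 30 different hosts on port 23 in one window
    ("192.168.50.11", f"198.51.100.{i}", 23, 60) for i in range(30, 60)
]


def analyze(flows, allowed=ALLOWED, max_bps=MAX_BPS,
            scan_threshold=SCAN_DISTINCT_DSTS, window=WINDOW_SECONDS):
    """Return the three kinds of findings a defender would act on."""
    bytes_per_src = defaultdict(int)
    dsts_per_src = defaultdict(set)
    unexpected = []
    for src, dst, dport, nbytes in flows:
        bytes_per_src[src] += nbytes
        dsts_per_src[src].add(dst)
        if (dst, dport) not in allowed.get(src, set()):
            unexpected.append((src, f"{dst}:{dport}"))
    # Average bit rate over the window; compare against the throttle ceiling.
    high_volume = {
        src: total * 8 / window
        for src, total in bytes_per_src.items()
        if total * 8 / window > max_bps
    }
    scanning = {
        src: len(dsts) for src, dsts in dsts_per_src.items()
        if len(dsts) > scan_threshold
    }
    return {"unexpected": unexpected, "high_volume": high_volume, "scanning": scanning}


if __name__ == "__main__":
    result = analyze(FLOWS)
    for src, target in result["unexpected"][:5]:
        print(f"{src} -> {target}: not on allowlist")
    for src, bps in result["high_volume"].items():
        print(f"{src}: {bps:,.0f} bit/s exceeds {MAX_BPS} bit/s")
    for src, n in result["scanning"].items():
        print(f"{src}: reached {n} distinct hosts in one window")
```

The scanning count is what distinguishes a camera uploading a firmware update (one destination, lots of bytes) from a camera probing the neighbourhood (many destinations, few bytes each).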
Yeah uh . . . there's price and deadlines that have a say in that.
The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
The average user has no idea that there is something like "IoT" and that it is in any way different from the rest of "the internet". All they know is that it is "smart" to have an app on your phone that can turn on the heating and tell you the fridge is empty, and a TV that seems to understand what you want to watch, or a smart meter that tells you (and the utility company) how much gas and electricity you use up to the last minute. They won't know or care about the security implications until it goes badly wrong.
Badly wrong... for them. In other words, just about never.
I have none.
Also, I disable uPnP and its ilk on my firewall. I have a guest wifi router and keep scrubs off my network.
In 802.1q tagging, VLANs are "suggestions". That's also a special case; it's called "trunking".
Normal managed switches will only forward traffic to/from a port on the VLAN(s) to which it is assigned; anything else is ignored. That's not even remotely a "suggestion"; no more than your firewall rules are.
If your managed switch isn't trusted, then you've got the wrong managed switch.
But that costs money, Mr. Chief Tech Creator
Unfortunately FTP is not very NAT-friendly, and support for it on common platforms is often poor.