Slashdot Mirror


Ask Slashdot: Is My IoT Device Part of a Botnet?

As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised: There have been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?

6 of 279 comments

  1. Re:Control and management by Zocalo · · Score: 4, Informative

    Pretty much this, and given how bad many IoT devices are, even if you do change the passwords, etc., it's safer to just assume that they already have been compromised, or that they will be. Since we're talking retrospectively here, set up some connection logging on your outbound router. See if there's anything in the logs that's not what you were expecting, bearing in mind that they'll almost certainly be phoning home to "check for updates" and "backup your data to the cloud" (AKA "monetize your data"). Done. A better approach would have been to be more proactive (because the typical SoHo router vendor sure as hell won't be); as a minimum lock down anything you don't need, put all the IoT type devices on a dedicated network away from the stuff that matters, and configure the router to send an alert when anything anomalous happens. Bonus points for things like implementing BCP38 locally so even when you are compromised you've at least tried to minimise the damage, enabling syslog and actually monitoring the output, and other basic security principles.

    --
    UNIX? They're not even circumcised! Savages!
  2. Errrrm, analyse your traffic? ... Maybe? by Qbertino · · Score: 3, Informative

    Do you really want to know?
    Then analyse your LAN traffic. Wireshark and Co. are your friends.

    You're welcome. Captain Obvious was glad to help.

    --
    We suffer more in our imagination than in reality. - Seneca
  3. Find the device's online trail by beda · · Score: 4, Informative

    Infected devices usually try to spread the infection further and their scanning attempts on the Internet are often observed. There is for instance a dedicated website for IoT devices attacking Telnet ports or some more generic ones, such as the Internet Storm Center. If the IP address of your device is on the list, it is very likely that you have a problem.

  4. Re:How do you know? by Anonymous Coward · · Score: 2, Informative

    If you have an unprotected share and a compromised thermostat you have two problems, not one.

  5. Excellent question with no answer! by Kludge · · Score: 4, Informative

    I have often wondered the answer to this question myself: how can I tell if a machine on my network is compromised?
    So I set up a Linux box as my primary router, and monitored all the traffic going through the box, and holy crap, there is a lot of stuff.
    Every time you hit a Facebook web page, the JavaScript in there directs your browser to hit literally dozens of other web sites, and this is true of EVERY device in your house: your wife's laptop, your son's smartphone, your dog's water bowl. When you watch a video on Netflix, the video player hits a dozen different servers at once, and those connections come and go constantly; old ones are closed, new ones opened to different servers throughout the world with all kinds of different names. And, of course, a modern computer or smartphone uses all kinds of services: time services, location services, software updates, on and on and on.

    It would be very difficult for a person to notice a low level bot doing something amiss. I have all the data, and I don't know how to do it.
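
    One way to make the router connection logs Zocalo and Kludge describe actionable, rather than staring at raw traffic: restrict the IoT segment to a per-device allowlist of expected destinations and flag any device that fans out to many hosts on telnet ports, which is the scanning behaviour beda's comment says shows up on the public lists. This is an added example, not code from any commenter; the log format, the 192.168.50.0/24 IoT subnet, the allowlist, and port 2323 are assumptions.

```python
from collections import defaultdict

# Constructed sample of outbound connection records, in a hypothetical
# "src_ip dst_ip dst_port proto" export format (not real router output).
SAMPLE_LOG = """\
192.168.50.10 93.184.216.34 443 tcp
192.168.50.10 93.184.216.34 443 tcp
192.168.50.11 203.0.113.5 23 tcp
192.168.50.11 203.0.113.6 23 tcp
192.168.50.11 203.0.113.7 23 tcp
192.168.50.11 203.0.113.8 2323 tcp
192.168.50.11 198.51.100.9 23 tcp
192.168.50.12 203.0.113.50 123 udp
192.168.50.12 198.51.100.77 6667 tcp
"""

IOT_PREFIX = "192.168.50."   # assumed dedicated IoT subnet, per Zocalo's advice
TELNET_PORTS = {23, 2323}    # telnet per beda's comment; 2323 is an added assumption
# Assumed per-device allowlist: the vendor/update hosts each device may contact.
ALLOWLIST = {
    "192.168.50.10": {"93.184.216.34"},
    "192.168.50.12": {"203.0.113.50"},
}

def parse(text):
    """Parse log lines into (src, dst, port, proto) tuples, skipping malformed ones."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        rows.append((parts[0], parts[1], int(parts[2]), parts[3]))
    return rows

def find_scanners(rows, threshold=4):
    """IoT sources reaching many distinct hosts on telnet ports -> {src: count}."""
    targets = defaultdict(set)
    for src, dst, port, proto in rows:
        if src.startswith(IOT_PREFIX) and proto == "tcp" and port in TELNET_PORTS:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

def find_unexpected(rows, allowlist=ALLOWLIST):
    """IoT sources contacting hosts outside their allowlist -> {src: sorted dsts}."""
    odd = defaultdict(set)
    for src, dst, _port, _proto in rows:
        if src.startswith(IOT_PREFIX) and dst not in allowlist.get(src, set()):
            odd[src].add(dst)
    return {s: sorted(d) for s, d in odd.items()}
```

    Feed it the exported connection log instead of SAMPLE_LOG; a device with no allowlist entry shows up in find_unexpected on every connection, which is the point until you have decided what it is allowed to talk to.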

  6. Re: How do you know? by jcdr · · Score: 4, Informative

    OpenELEC FAQ disagrees:
    http://wiki.openelec.tv/index....

    What is the SSH login?
    Shortcut: #SSH Login
    Currently the login into OpenELEC has fixed settings.
      Login: root
      Password: openelec

    How do I change the SSH password?
    Shortcut: #SSH Password change
    At the moment it's not possible to change the root password as it's held in a read-only filesystem. However, for the really security conscious advanced user, you can change the password if you build OpenELEC from source. Also you can consider logging in with ssh keys and disabling password logins.