Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Is My IoT Device Part of a Botnet?

Posted by EditorDavid on from the secret-swarm dept.

As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised: There has been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?

13 of 279 comments (clear)

  1. How do you know? by Pikoro · · Score: 4, Insightful

    If it's connected to the internet directly, and it has no built in security apart from "admin" "password", it's part of a botnet or soon will be.

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    1. Re:How do you know? by JaredOfEuropa · · Score: 5, Insightful

      Especially if that password
      - Is a default password that is the same for every device sold (these days a lot of equipment ships with unique random passwords)
      - Isn't changed by the user during setup
      - Can't be changed by the user. (What the hell, OpenElec?)

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:How do you know? by Z00L00K · · Score: 5, Insightful

      If it needs to connect to a subscription service outside your home it has the potential to become part of a bot net.

      Can you trust your thermostat to not browse your files?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:How do you know? by jeffmeden · · Score: 3, Insightful

      Recommendations? Take the C7 and install OpenWRT on it. Super easy to use, reliable, and capable of any firewalling you can dream up (including on IPv6). Plus then you have a nice graph to tell you how much bandwidth is in use and by which device. If you have a botnet participant in your network it will be obvious.

    4. Re:How do you know? by Shoten · · Score: 5, Insightful

      Openelec's entire file system is read only. Given the difficulty of installing something to the image when you want to, the potential for it to be easily and automatically owned by is very low.

      This is not a real thing...a device whose total storage capacity is read-only. Let's look at why.

      One: if it's all read-only, it can't have a variable password...accounts and passwords need to be hardcoded, because there's no way to store new or changed account information.

      Two: if it's at all configurable, you have the same problem: where do you store the configs?

      Three: guess what else you can't have if your file system is read-only? Software updates.

      Four: let's call a spade a spade here. A more accurate way to make the claim...regardless of how infeasible it would be for any device of significant functionality...is to say this: "Openelec's entire file system is meant to be read only." An innate characteristic of most security flaws is that they permit something that is not intended. It's important to not assume that intended functionality is inevitable and invulnerable. And in this case, that "read only" capability is nothing more than Linux permissions...it's not that the OS invariably is incapable of granting write permissions. In fact, all kinds of things are writing to the file system, I would bet...information about drive mounting, accounts, etc. The file system is not inherently read only.

      Assuming that system behavior when used in its intended fashion is also what happens when someone breaks the rules is the root of most security failures.

      And now, a citation, called "squashfs howto - make changes the read-only filesystem in OpenELEC"

      https://sites.google.com/site/...

      --

      For your security, this post has been encrypted with ROT-13, twice.
  2. The "average" consumer? Of course not. by Anonymous Coward · · Score: 4, Insightful

    The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.

  3. Finally a counter example by Enter+the+Shoggoth · · Score: 5, Insightful

    Is this the long sought after counter-example to Betteridge's Law where the response to a question mark is always "yes" ?

    --
    Andy Warhol got it right / Everybody gets the limelight
    Andy Warhol got it wrong / Fifteen minutes is too long.
  4. Limit their bandwidth? by wildstoo · · Score: 3, Insightful

    Probably beyond the abilities of Joe Average, but you could use your router/firewall/whatever to limit the bandwidth of IoT devices on your network.

    Most IoT devices seem to use very little bandwidth by design - they just send and receive simple status updates and commands - and they would be of much less value to a botnet operator if they were limited to, say, 5kbps.

  5. Re:Am A Noob Too by cfalcon · · Score: 5, Insightful

    > Keep routers and access points separate...
    > low power atom device to run something like pfsense
    > cheap managed switch
    > wireless ap as a dumb bridge
    > Create separate VLANs

    Once you're done making this server room you describe, you'll be in the .0000001% of people qualified to run an IoT device, many of which are BORN malicious and sending pictures of your bedroom/front lawn/children to a central server in China, a decent number of which are fundamentally insecure with no possible way to change passwords or a default password they forgot (or "forgot") to strip out that you can't fix, and at least some of which will fail to work on a VLAN that can only see the outside internet (for some goddamned reason, they want to ping a router or something).

    The short version is this: If you want your IoT devices to not be part of a botnet, DO NOT BUY ANY. Once you buy those components, you have to set them up. Then configure them. Then maintain them. And almost no one will jump through any of those hoops.

  6. Re:The "average" consumer? Of course not. by jandersen · · Score: 5, Insightful

    The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.

    The average user has no idea that there is something like "IoT" and that it is in any way different from the rest of "the internet". All they know is that it is "smart" to have an app on your phone that can turn on the heating and tell you the fridge is empty, and a TV that seems to understand what you want to watch, or a smart meter that tells you (and the utility company) how much gas and electricity you use up to the last minute. They won't know or care about the security implications until it goes badly wrong.

  7. Re:log files by nukenerd · · Score: 4, Insightful

    If a person is intelligent enough to perceive the need for a device, obtain the device and install the device

    They will perceive the "need" when a salesman or ad persuades them that they need it. They do not even need to be aware that the device will be part of the IoT, only that they "need" a toaster or whatever.

    They will obtain the device by pulling out their wallet. (Soon it will become impossible to obtain anything else.)

    They will install it by plugging it in (have you never installed a toaster before?).

    I don't know where you think intelligence comes into it.

  8. Re:Am A Noob Too by MMC+Monster · · Score: 5, Insightful

    Dude, I'm not a network technician but I've been putting computers together since the late 80s and have been running Linux OSs as my desktop OS for over a decade now...

    And I couldn't set up the network you described without some serious googling.

    How are we supposed to expect normal people to do it? Do routers come with VLAN set up out of the box, jailed so that it doesn't send data out of your network? Somehow I doubt it.

    Normal people are screwed, until routers are set up to manage IoT networks by default.

    And let's be real: Normal people aren't going to buy a separate access point if their router has Wifi built in.

    --
    Help! I'm a slashdot refugee.
  9. Re:Am A Noob Too by vtcodger · · Score: 3, Insightful

    "Think a non-network engineer can do or wants to do any of that stuff?"

    Hell, I don't think most folks who could do that stuff have any desire to actually do it for their household gear ... and then deal with the inevitable breakdowns ... especially if some clownshow in Redmond or Shanghai is perpetually sending out broken automatic "firmware" updates to enhance security or "user experience".

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey