Ask Slashdot: Is My IoT Device Part of a Botnet?
As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised:
There have been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?
If it's connected to the internet directly, and it has no built-in security apart from "admin" "password", it's part of a botnet or soon will be.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
There are free tools you can use to monitor a network, but they might not be so easy for the average user. Just googling around, I found this solution that's designed to answer such questions, but note it costs money. I've never seen it in action. One would hope that you get something user-friendly at such a price.
The other guy who said that if you can log in with "admin" as the userid and "password" as the password, or some other default login, that's spot-on. Botnet creators will probe for that, so at the very least change the userid and password before actually going live... or just do what I do and not have any IoT stuff.
If you've got abnormally large internet usage, then it might be.
The short answer is: yes.
Almost all IoT providers don't care about security and you get what you've paid for.
Though it doesn't seem to apply to home networks, how can you be an IT professional of any kind and NOT know what's coming into or going out of your network?
If nothing else, precisely because of things like this where your CCTV NVR or your thermostat could be hacked and doing whatever it likes. In fact, DDoS of someone else is the LEAST of your worries if someone is able to coax your devices into running arbitrary code on your local network.
Sorry, but this kind of thing needs management and there isn't a home router on this planet that does things like send you an email when a "new" device connects, or alerts you to unusual activity from your local network devices.
That's what you get for advertising it on Slashdot, sucker.
If you have to fill out cloudflare captchas when browsing, then maybe.
I do not know what an "average user" is but.... If a person is intelligent enough to perceive the need for a device, obtain the device and install the device then they should be smart enough to look at a log file and see if the device is operating correctly. Almost all routers and modems have logging capabilities, IoT devices should too. (I own no IoT devices)
Keep routers and access points separate, there's no need for them to be the same device...
Get a low power atom device to run something like pfsense, a cheap managed switch (the hp 1800 series are good and quiet), use any wireless ap as a dumb bridge so it doesn't need any routing capabilities.
Create separate VLANs for guests and other untrusted devices, you can connect to devices here via the firewall but don't allow any outbound connections from the network containing these devices.
Buy new wifi as/when (eg 802.11ac), add multiple access points to cover different areas if necessary (even in a small house, wifi doesn't travel well through floors) and link them together via ethernet. Use ethernet whenever possible, wifi is only for portable devices.
You can also set up a VPN so you can connect to your stuff from outside, having authenticated using both a certificate and a user/pass. Far less chance of compromise than some unknown black box device from China.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Is this the long sought after counter-example to Betteridge's Law where the response to a question mark is always "yes" ?
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
Probably beyond the abilities of Joe Average, but you could use your router/firewall/whatever to limit the bandwidth of IoT devices on your network.
Most IoT devices seem to use very little bandwidth by design - they just send and receive simple status updates and commands - and they would be of much less value to a botnet operator if they were limited to, say, 5kbps.
I built them myself.
Quite frankly, for nearly everything that is currently offered as a commercial IoT gimmick the answer to "is my IoT device part of a botnet" is "yes, or at least it can easily become soon".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I don't use IoT, and I never will. No need to share with the external world room temperatures, door status or garden humidity. Electromechanical devices are enough for this, they are much cheaper, and are free from the risk of being tampered with by an Indian hacker.
I still have to understand why people need to control everything from their smartphone, when there are simpler solutions that require much less of your precious free time to be implemented and used.
And it's looking a bit like Mega Man Battle Network, where everything is networked and you have a virus encounter every 10 steps.
Thanks for the info. I've printed it out for my grandmother...
----------------------------------- My Other Sig Is Hilarious -----------------------------------
> Keep routers and access points separate...
> low power atom device to run something like pfsense
> cheap managed switch
> wireless ap as a dumb bridge
> Create separate VLANs
Once you're done making this server room you describe, you'll be in the .0000001% of people qualified to run an IoT device, many of which are BORN malicious and sending pictures of your bedroom/front lawn/children to a central server in China, a decent number of which are fundamentally insecure with no possible way to change passwords or a default password they forgot (or "forgot") to strip out that you can't fix, and at least some of which will fail to work on a VLAN that can only see the outside internet (for some goddamned reason, they want to ping a router or something).
The short version is this: If you want your IoT devices to not be part of a botnet, DO NOT BUY ANY. Once you buy those components, you have to set them up. Then configure them. Then maintain them. And almost no one will jump through any of those hoops.
No, maybe, yes, depends on network configuration, product dev and luck
> The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
The average user has no idea that there is something like "IoT" and that it is in any way different from the rest of "the internet". All they know is that it is "smart" to have an app on your phone that can turn on the heating and tell you the fridge is empty, and a TV that seems to understand what you want to watch, or a smart meter that tells you (and the utility company) how much gas and electricity you use up to the last minute. They won't know or care about the security implications until it goes badly wrong.
You should install a firewall in your router, enable the few ports you want to use from the outside, and log every other connection attempt. That way you'll have an idea how often ports are scanned daily. For me it's at least 100 times per hour on a single IP, most of them trying the telnet port, because a lot of surveillance cameras and other I(di)oT stuff still use telnet.
If you have a device connected to the internet, made by some startup or big company, who doesn't care about the security of user data.
What can go wrong will go wrong. Your device and/or data will get hacked.
If you are lucky, it will perhaps not happen to you, but don't count on it, so assume it's compromised, and therefore don't accept devices that are unnecessarily connected to the open internet.
So the obvious answer to the question if your connected device is compromised is "YES, it is compromised."
aaaaaaa
That's why I don't do IoT. My cellphone is the closest thing to IoT that I own and the only system that I don't control the software for.
thegodmovie.com - watch it
If you are using a real router, you can check the outbound traffic originating from your things.
Maybe you can throttle it: it'd be in the order of a few KBps and it'd be directed only towards a certain server.
Anything else could be an ongoing DDOS attack.
If all of this doesn't make any sense to you, then I'd suggest you disconnect those tin cans.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Do you really want to know?
Then analyse your LAN traffic. Wireshark and Co. are your friends.
You're welcome. Captain Obvious was glad to help.
We suffer more in our imagination than in reality. - Seneca
If you don't know what you're doing, you might want to steer clear of blackbox devices in your private LAN.
I personally wouldn't trust an IOThingie that I didn't build myself with a Raspberry Pi, Arduino or something.
Oh, and not being able to find out if your device is part of a botnet counts as 'not knowing what you're doing'.
My 2 Eurocents.
I've read a few of these stories lately, and while personally I run a Mikrotik router with a separate access point, I thought the vast majority of shitty consumer routers still had a basic firewall that blocked all incoming connections by default? Plus for those that don't, presumably all these IoT devices would need NAT on your typical home network to be accessible externally, so does anyone know if UPnP is required for these exploits to work? I realize this only applies to external port scans, but I'd assume that's how most botnets find target devices rather than because of outgoing connections to the vendor's server that may be compromised.
Dude, I'm not a network technician but I've been putting computers together since the late 80s and have been running Linux OSs as my desktop OS for over a decade now...
And I couldn't set up the network you described without some serious googling.
How are we supposed to expect normal people to do it? Do routers come with VLAN set up out of the box, jailed so that it doesn't send data out of your network? Somehow I doubt it.
Normal people are screwed, until routers are set up to manage IoT networks by default.
And let's be real: Normal people aren't going to buy a separate access point if their router has Wifi built in.
Help! I'm a slashdot refugee.
"Think a non-network engineer can do or wants to do any of that stuff?"
Hell, I don't think most folks who could do that stuff have any desire to actually do it for their household gear ... and then deal with the inevitable breakdowns ... especially if some clownshow in Redmond or Shanghai is perpetually sending out broken automatic "firmware" updates to enhance security or "user experience".
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
I connect from the outside via VPN to my home. It is just that inside my router/modem it is called telnet. And I never went to China. I bought it from a nice young man at BestBuy. He told me it was what I needed.
Don't fight for your country, if your country does not fight for you.
Automatic configuration buttons are part of the issue with IoT and are not really going to be a solution. Education seems to be the only way we're going to get any traction on securing those devices; people need to understand what their devices are doing, with whom they are communicating, and what the risks are. It will take a lot more incidents before the general public is willing to invest any interest in the security of their connected devices.
"He is so stupid. And now back to the wall!" Moe Szyslak
IoT is still in its infancy. Forget dodgy equipment from random Chinese companies, even so called reputable vendors still do not get security right. I do a lot of home automation stuff, but I prefer Z-wave / Zigbee devices over all this WiFi crap that the likes of Google and Apple seem to prefer. Often those devices are easier to set up and troubleshoot as well... in terms of reliability, WiFi sucks.
Where I do use IP devices (cameras, Philips Hue, etc), they go on a separate subnet that can talk to the home automation hub only. And I never use devices that require outside access.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Block all IoT devices in the firewall from external communication.
If they don't work you have purchased an insecure device.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Infected devices usually try to spread the infection further and their scanning attempts on the Internet are often observed. There is for instance a dedicated website for IoT devices attacking Telnet ports or some more generic ones, such as the Internet Storm Center. If the IP address of your device is on the list, it is very likely that you have a problem.
It depends on how much effort you want to put into this. The best way to detect these kinds of weird behaviors is using an intrusion detection system / deep packet inspection at the router level. You can limit the damage they would do with a few firewall rules. As was mentioned, having an additional layer behind your internet router can slow people down and at least prevent people from harming your local network.
The problem with a lot of these IoT devices is that they can roam freely and some automatically connect to multiple public wifis... so if they are vulnerable they go across networks.
Never anthropomorphize computers, they do not like that
Depends, have you plugged it in yet?
No need to turn it on, someone else will do that for you.
Regards, Phil
Egress filtering/alerting.
Activity monitoring(volume or netflow).
Traffic analysis. Who's saying what to whom and when?
It really disappoints me how few people do this anymore. The number of apps and operating systems(not even hijacked devices) that are getting away with activities that people would not be at all comfortable with is frightening, but no one seems to notice or care. Well, reap the consequences that your apathy has sown.
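The egress monitoring described in the two posts above (check what your things send out, to whom, how much and when; a thermostat should only talk to a couple of hosts at a few KB per update) can be reduced to a small baseline-and-compare check. The following is an added example written for this thread, not code from any poster: it learns a device's normal peers and busiest minute from a clean period, then flags new peers, high destination fan-out (the "infected device scans the Internet" pattern) and volume bursts. The device address, host names, flow sizes and timings are all constructed sample data; in practice the flow records would come from your router's netflow/conntrack export.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    src: str         # device address
    dst: str         # remote host
    dport: int
    out_bytes: int   # bytes sent by the device in this flow


DEVICE = "192.0.2.20"  # assumed address of a thermostat on the IoT subnet


def normal_traffic(start, end):
    """Constructed 'healthy' pattern: a small HTTPS status update every
    5 minutes and an NTP query every hour. Host names and sizes are made up."""
    flows = []
    for ts in range(start, end, 300):
        i = ts // 300
        flows.append(Flow(ts, DEVICE, "api.vendor.example", 443, 1800 + (i % 5) * 100))
    for ts in range(start, end, 3600):
        flows.append(Flow(ts, DEVICE, "time.example", 123, 76))
    return flows


def compromised_traffic():
    """Constructed misbehaviour layered on the normal pattern in hours 2-4:
    a one-minute sweep of 40 hosts on TCP/23 (an infection trying to spread)
    and a one-minute flood of large packets at a single victim (a DDoS share)."""
    flows = normal_traffic(7200, 14400)
    for n in range(40):
        flows.append(Flow(9000 + n, DEVICE, f"203.0.113.{n + 1}", 23, 60))
    for n in range(500):
        flows.append(Flow(10800 + n // 10, DEVICE, "198.51.100.9", 80, 1200))
    return flows


def bytes_per_minute(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f.ts // 60] += f.out_bytes
    return totals


def build_baseline(flows):
    """What the device talked to, and its busiest minute, during a clean period."""
    return {
        "peers": {(f.dst, f.dport) for f in flows},
        "max_bpm": max(bytes_per_minute(flows).values(), default=0),
    }


def detect(flows, baseline, fanout_limit=20, rate_factor=5):
    """Return alerts as tuples: peers never seen in the baseline, minutes with
    many distinct destinations, and minutes far above the usual volume."""
    alerts = []
    new_peers = sorted({(f.dst, f.dport) for f in flows} - baseline["peers"])
    if new_peers:
        alerts.append(("new_peers", len(new_peers), new_peers[:3]))
    dsts = defaultdict(set)
    for f in flows:
        dsts[f.ts // 60].add(f.dst)
    for minute, hosts in sorted(dsts.items()):
        if len(hosts) >= fanout_limit:
            alerts.append(("fanout", minute, len(hosts)))
    limit = rate_factor * baseline["max_bpm"]
    for minute, total in sorted(bytes_per_minute(flows).items()):
        if total > limit:
            alerts.append(("volume", minute, total))
    return alerts


def run_example():
    """Learn from the first two clean hours, then examine the compromised window."""
    baseline = build_baseline(normal_traffic(0, 7200))
    return detect(compromised_traffic(), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The three checks are deliberately independent: a device that is only being used to flood one victim trips the volume rule without a fan-out alert, while a slow scanner that stays under the rate limit still shows up as dozens of new peers. The thresholds (20 hosts per minute, 5x the busiest baseline minute) are starting points to tune per device class.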
My IoT devices and my son's gaming machine are on three of their own dedicated VLANs. The IoT VLANs are able to talk to only a few designated hosts. I audit their traffic periodically, just to keep them honest. The gaming machine is a cesspool.
I have IoT devices. Are they on any botnets? I don't know, I don't spend any time checking.
You can't, however, initiate a connection to them from the outside (no port forwarding) and UPnP has been disabled.
Still, if the manufacturer has failed somehow, and they have been infected from the factory or when they phone home, they could be running nasty stuff.
While your IoT device may or may not be part of a botnet, the fact that you 'bought into' the nonsense idea that is the "Internet of Things" means that you, as a human, are psychologically part of a commercial-botnet where you can (apparently) be compelled to do dumb things on command.
-Styopa
This is on par with the time the guy in the mall electronics store told me that one TV was better than another because it had more channels in the tube. (My wife heard me say "Oh! Tell me more!", knew I smelled blood, and dragged me out before it got too weird... or ugly.)
CUR ALLOC 20195.....5804M
You're right that very very few people go to that effort, but that's not because of any intense expertise or expense. I have a similar setup with OpenWRT routers and APs (multiple devices in different locations with different specialties), a managed switch, VLANs, etc. It's all (except the distributed APs) on a wire shelf in my basement next to my electrical panel. Super easy.
What Things need to be connected to the Internet ?
> Dude, I'm not a network technician but I've been putting computers together since the late 80s and have been running Linux OSs as my desktop OS for over a decade now...
> And I couldn't set up the network you described without some serious googling.
> How are we supposed to expect normal people to do it? Do routers come with VLAN set up out of the box, jailed so that it doesn't send data out of your network?
No, but most routers these days come with a configuration that allows you to define a DMZ segment, which would likely be even easier for the "average" consumer to at least try and learn how to set up.
Really, this is what is the crux of IoT security; simply firewall it off from your normal internal network where your other computing devices live. Doing this one step does mitigate quite a bit of risk to your other home devices, since there's probably not much you're going to be able to do to convince the manufacturer of the IoT device that their default security sucks ass.
The same way you tell if you have a slowly-leaking toilet in your home: you stop using everything and look at the meter..
I gave up trying to find a program to run on my PC (wired to router) that would let me see what is connected to my router. It better not be anything other than my phone, tablet, or PC. But I don't know.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
> The short version is this: If you want your IoT devices to not be part of a botnet, DO NOT BUY ANY.
Bullshit. You need to explicitly DMZ your IoT device for it to be remotely Pwn4ble. That's not to say that your neighbor can't hack it, he absolutely can. But some random D-bag in Israel cannot (unless you live in Israel and are neighbor to a D-bag).
(a) Sniff your network traffic, looking for anything unusual coming from the device.
(b) Don't use IoT stuff.
That is all.
Telling people to put their baby monitor in the DMZ is not going to solve any of their concerns and is also not going to keep them from being part of a botnet.
Most of the devices in their normal network aren't going to be quite so shittily secured by design. You want to protect your internal network from IoT devices, sure, but you really want to protect those IoT devices from the internet at large.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
I have often wondered the answer to this question myself: how can I tell if a machine on my network is compromised?
So I set up a Linux box as my primary router, and monitored all the traffic going through the box, and holy crap, there is a lot of stuff.
Every time you hit a facebook web page, the javascript in there directs your browser to hit literally dozens of other web sites, and this is true of EVERY device in your house: your wife's laptop, your son's smartphone, your dog's water bowl. When you watch a video on Netflix video, the video player hits a dozen different servers at once, and those connections come and go constantly, old ones are closed, new ones opened to different servers throughout the world with all kinds of different names. And, of course a modern computer or smartphone uses all kinds of services: time services, location services, software updates, on and on and on.
It would be very difficult for a person to notice a low level bot doing something amiss. I have all the data, and I don't know how to do it.
VLANs are suggestions, not security. Devices are free to ignore them and many do.
Wish folks would stop suggesting VLANs like they are any thing more.
He was talking about managed switches, so he probably intended the VLANs to be enforced by the switch (and tagged per port) and not by the shady IoT device. The device is free to ignore them all it wants, but it's not seeing any packets from outside of that VLAN and its packets aren't going anywhere that isn't on the same VLAN.
Every router I've ever set up with VLAN tagging provided a handy checkbox in the web interface to turn it on, and a handy CRUD-list screen to manage the LANs.
So far, that number is only "3", but they've been consistent, even from different manufacturers. This is pretty much what defines a "SOHO" router.
Quit buying cheap Trendnet/Asus/whatever shitboxes, even if you're just going to load FOSS firmware onto it. A Ubiquiti EdgeRouter 3 is only $100-ish, and provides all of the features you would ever dream of needing for a home connection, all wrapped up in a decent UI that any moderately-techie person (e.g. someone that knows the term "VLAN") could figure out within minutes. I also recommend Ubiquiti's access points. Get a 3-pack and call it a day. For switches, a decent Netgear ProSafe-line managed switch shouldn't run more than a couple hundred bucks and will provide way more control than you'll ever need. Yes, this setup costs a few hundred dollars. But it won't randomly release all of its magic smoke from everyday power-line noise, it won't fall over and stop working for no particular reason twice a day, and it won't be as susceptible to attack like the cheap consumer-grade garbage. If you set this up, in 10 years, you'll maybe think about upgrading it. You won't need to bother with much maintenance in the meantime.
I am more concerned about a cheap IoT device shipping with spyware from China pre-installed than I am about someone hacking into my network.
-==- Buy a Mac and leave me alone!
> Telling people to put their baby monitor in the DMZ is not going to solve any of their concerns and is also not going to keep them from being part of a botnet.
> Most of the devices in their normal network aren't going to be quite so shittily secured by design. You want to protect your internal network from IoT devices, sure, but you really want to protect those IoT devices from the internet at large.
I'm not quite sure when or where you've figured out how to actually secure an IoT device well enough to prevent it from being used as an attack vector without essentially breaking its functionality, but my entire point regarding DMZ was to address another risk with potentially open file shares on a network.
And do I really want to protect these devices from the internet at large? What exactly is MY direct level of personal responsibility to secure what is essentially being sold to us as a black box piece of hardware that's supposed to be "plug and play"? You know what, how about fuck that shit. I say let the damn things run rampant on a botnet somewhere until it becomes obvious who the culprit hardware and vendor is. Only when manufacturers suffer rather massive public embarrassments that affect thousands of their customers will they actually even remotely try and address the issue. Remember the problem has to be large enough for a manufacturer to actually give a shit (legally, morally, and ethically, which you should already know will take a LOT of financial impact.)
TL; DR - Fuck helping secure black box consumerware. That's the vendors job, not mine.
I'd be surprised if many consumers had ever stopped to wonder whether or not their router had a log file.
It's worse than that. I mentioned the existence of a log file to my neighbor once, and he thought it was a piece of equipment used by lumberjacks.
But you need a switch with port replication or a system with two NIC's and configured to pass data through it. Set up wireshark on a system and set port replication or route traffic through it. Then set filters in wireshark to monitor your IoT devices by IP or MAC. If you see anything funny, yank its wire and set up a honeypot to tear the thing apart, packet by packet.
It sounds like a lot of work, but if you find nothing or something, then you know that it was well worth the labor.
First rule of holes; When in one, stop digging.
> ... They won't know or care about the security implications until it goes badly wrong.
And that is how it should be. We - the tech creators - need to step it up and get past "it just works" to "it just works, securely."
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
You then connect to your devices via static routes provided by an isolated router which has visibility on both (V)LANs. This config can also be automated slightly by adding the static route lists to the DHCP response messages.
I doubt my IoT camera is hacked, although it's odd that the manufacturer programmed it to whistle and say "nice wiener" every time I walk through the house naked.
"That's the way to do it" - Punch
Well, I had good intentions. I'm a network engineer, and I planned out my multi-segmented network so that my home IT (servers/computers) stuff was separated from my home infrastructure (security devices, smoke detectors, etc) and that the latter were walled off from the Internet. And I *plan* to make it all work correctly someday. But in the meantime... All I have implemented so far is separate SSIDs for kids and adults so that the kids are blocked from 24-hour/day Internet time wasting, and some firewall block rules to keep my home security infrastructure from being able to communicate to the Internet, mostly triggered by the Nest Protect's incessant need to upload its motion detection data to the mothership.
In the meantime, I generally avoid buying things for the home network that aren't "self-contained" (i.e., I don't buy the things that need to communicate with the "cloud" in order to work). This is for practical reasons (I don't want my stuff to stop working just because a vendor goes out of business, or simply stops supporting an old product line, or my Internet connection is on the fritz) as well as privacy reasons (I don't need to have any more data on my habits and choices being uploaded to the cloud than is already there from my using Amazon, credit cards, Hulu Plus, Redox, and the library).
I *hope* more vendors get off of the "connect it to the cloud" bandwagon and that IoT devices are mostly self-contained, but don't see much chance of it happening unless either there is a huge blowup with legal liability that causes companies to go that way, or legislation requires/encourages it. Too many folks want to be able to view the inside of their home from their smartphone while on vacation, without realizing that what works for them can very well be subverted to working for others...
I think we will eventually need a better method to track TCP/IP traffic going into our routers and on to the internet. I have a WRT1900 and its default usage graph is pretty lame but I can see who's sucking down bandwidth when my response time dips.
I would love to have a 1Hz usage update log for every device on my router, because I've seen my thermostat tank my network during a software update.
This will be the only way we can tell if our IoT devices are being used as a botnet. The primary gateway for IoT is HTTP(S). I don't see that changing for at least a decade. The edge nodes will always talk to a local web gateway that connects to our routers.
Hence, we need better router statistics and possibly even usage warnings. This will at least detect suspicious behavior.
https://www.accountkiller.com/removal-requested
> I *hope* more vendors get off of the "connect it to the cloud" bandwagon
Never. For one, most people don't have or want a home automation server. And #2 the makers want to keep that function so they can monetize it. And as you say, users want features that require weak security practices.
Learn to love Alaska
YES.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
My approach would be to dump IoT devices in their own dedicated subnet and exclude that subnet from forwarding across the router. That reduces the exposure to just the router, and I can monitor the iptables logs for dropped packets to/from that subnet that represent attempts to do something suspicious. Configuration doesn't have to be hard: instead of plugging devices directly into the router's switch you plug devices in to external switches, connect those switches to router ports and set each port to what kind of devices hang off it. That'd control the VLAN setup to give each kind of device (WiFi, LAN, IoT) its own virtual interface. Configuration for the firewall, DHCP, DNS etc. follows from that (you may not want to allow the IoT subnet access to external DNS, for instance). This takes a bit to set up in the firmware, but the DD-WRT/OpenWRT firmware all the major router manufacturers seem to use for their consumer routers has all the tools and then some, and once the user interface is there using the functionality isn't that hard.
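Both this post and the earlier one about logging every refused connection attempt ("at least 100 times per hour, most of them trying the telnet port") end up at the same place: read the router's iptables LOG output and pull out two things, who is knocking on the WAN side and which IoT-subnet device is trying to leave its pen. The script below is an added example for this thread, not code from either poster or from DD-WRT/OpenWRT. It assumes two `--log-prefix` values, `FW-IN-DROP` on the WAN input chain and `IOT-OUT-DROP` on the rule that drops forwarding from the IoT subnet to anything but its allowed hosts, and an IoT subnet of 192.0.2.0/24; the log lines are constructed in the standard iptables LOG format with documentation-range addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of iptables LOG output in syslog format. The prefixes,
# addresses and the IoT subnet 192.0.2.0/24 are assumptions for this example.
SAMPLE_LOG = """\
Oct 25 03:14:07 gw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 25 03:14:09 gw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51235 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 25 03:14:12 gw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 25 03:15:40 gw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 03:15:41 gw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=31338 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 25 03:16:02 gw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.120 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=6000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 03:16:30 gw kernel: IOT-OUT-DROP IN=eth1.30 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.0.2.20 DST=203.0.113.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=39000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 03:16:31 gw kernel: IOT-OUT-DROP IN=eth1.30 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:00:08:00 SRC=192.0.2.21 DST=203.0.113.53 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=UDP SPT=50000 DPT=53 LEN=41
"""

# A LOG line is "<syslog header> kernel: [<uptime>] <prefix> IN=... key=value ...".
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[A-Z][A-Z0-9_-]*) (?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # bare flags such as DF or SYN carry no '=' and are skipped


def parse_line(line):
    """Return {'prefix': ..., 'SRC': ..., 'DPT': ..., ...} or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def inbound_scan_summary(records, prefix="FW-IN-DROP"):
    """Count dropped WAN probes by source address and by destination port (TCP/UDP only)."""
    by_src, by_port = Counter(), Counter()
    for r in records:
        if r["prefix"] == prefix and r.get("PROTO") in ("TCP", "UDP"):
            by_src[r["SRC"]] += 1
            by_port[int(r["DPT"])] += 1
    return by_src, by_port


def iot_egress_violations(records, iot_subnet, prefix="IOT-OUT-DROP"):
    """Devices in the IoT subnet that tried to reach something the policy forbids."""
    net = ipaddress.ip_network(iot_subnet)
    return [
        (r["SRC"], r["DST"], r.get("PROTO"), r.get("DPT"))
        for r in records
        if r["prefix"] == prefix and ipaddress.ip_address(r["SRC"]) in net
    ]


def report(text, iot_subnet, scan_threshold=3):
    """One-shot summary suitable for a daily cron mail."""
    records = parse_log(text)
    by_src, by_port = inbound_scan_summary(records)
    return {
        "inbound_drops": sum(by_src.values()),
        "noisy_sources": [src for src, n in by_src.most_common() if n >= scan_threshold],
        "top_ports": by_port.most_common(3),
        "iot_violations": iot_egress_violations(records, iot_subnet),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, "192.0.2.0/24").items():
        print(f"{key}: {value}")
```

In the sample, the interesting line is not the inbound telnet noise (that is the background radiation the earlier poster describes) but the `IOT-OUT-DROP` entry from 192.0.2.20 to a stranger's port 23: an IoT device that starts knocking on telnet ports itself is behaving exactly like the infected devices the thread is about, and the drop rule is what keeps it from succeeding while the log tells you which wire to pull.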
Why there? Aren't you being racist with that?
Yeah uh . . . there's price and deadlines that have a say in that.
I have none.
Also, I disable uPnP and its ilk on my firewall. I have a guest wifi router and keep scrubs off my network.
But that costs money, Mr. Chief Tech Creator
CLI paste? paste.pr0.tips!
Unfortunately FTP is not very NAT-friendly, and support for it on common platforms is often poor.