Slashdot Mirror
Ask Slashdot: Is My IoT Device Part of a Botnet?
As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised:
There has been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?
If it's connected to the internet directly, and it has no built in security apart from "admin" "password", it's part of a botnet or soon will be.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
Keep routers and access points separate, there's no need for them to be the same device...
Get a low power atom device to run something like pfsense, a cheap managed switch (the hp 1800 series are good and quiet), use any wireless ap as a dumb bridge so it doesnt need any routing capabilities.
Create separate VLANs for guests and other untrusted devices, you can connect to devices here via the firewall but don't allow any outbound connections from the network containing these devices.
Buy new wifi as/when (eg 802.11ac), add multiple access points to cover different areas if necessary (even in a small house, wifi doesn't travel well through floors) and link them together via ethernet. Use ethernet whenever possible, wifi is only for portable devices.
You can also setup a VPN so you can connect to your stuff from outside, having authenticated using both a certificate and a user/pass. Far less chance of compromise than some unknown black box device from china.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Is this the long sought after counter-example to Betteridge's Law where the response to a question mark is always "yes" ?
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
Pretty much this, and given how bad many IoT devices are, even if you do change the passwords, etc., it's safer to just assume that they already have been compromised, or that they will be. Since we're talking retrospectively here, set up some connection logging on your outbound router. See if there's anything in the logs that's not what you were expecting, bearing in mind that they'll almost certainly be phoning home to "check for updates" and "backup your data to the cloud" (AKA "monetize your data"). Done. A better approach would have been to be more proactive (because the typical SoHo router vendor sure as hell won't be); as a minimum lock down anything you don't need, put all the IoT type devices on a dedicated network away from the stuff that matters, and configure the router to send an alert when anything anomalous happens. Bonus points for things like implementing BCP38 locally so even when you are compromised at least tried to minimise the damage, enabling syslog and actually monitoring the output, and other basic security principles.
UNIX? They're not even circumcised! Savages!
Thanks for the info. I've printed it out for my grandmother...
----------------------------------- My Other Sig Is Hilarious -----------------------------------
> Keep routers and access points separate...
> low power atom device to run something like pfsense
> cheap managed switch
> wireless ap as a dumb bridge
> Create separate VLANs
Once you're done making this server room you describe, you'll be in the .0000001% of people qualified to run an IoT device, many of which are BORN malicious and sending pictures of your bedroom/front lawn/children to a central server in China, a decent number of which are fundamentally insecure with no possible way to change passwords or a default password they forgot (or "forgot") to strip out that you can't fix, and at least some of which will fail to work on a VLAN that can only see the outside internet (for some goddamned reason, they want to ping a router or something).
The short version is this: If you want your IoT devices to not be part of a botnet, DO NOT BUY ANY. Once you buy those components, you have to set them up. Then configure them. Then maintain them. And almost no one will jump through any of those hoops.
The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.
The average user has no idea that there is something like "IoT" and that it is in any way different from the rest of "the internet". All they know is that it is "smart" to have an app on your phone that can turn on the heating and tell you the fridge is empty, and a TV that seems to understand what you want to watch, or a smart meter that tells you (and the utility company) how much gas and electricity you use up to the last minute. They won't know or care about the security implications until it goes badly wrong.
If a person is intelligent enough to perceive the need for a device, obtain the device and install the device
They will perceive the "need" when a salesman or ad persuades them that they need it. They do not even need to be aware that the device will be part of the IoT, only that they "need" a toaster or whatever.
They will obtain the device by pulling out their wallet. (Soon it will become impossible to obtain anything else.)
They will install it by plugging it in (have you never installed a toaster before?).
I don't know where you think intelligence comes into it.
Dude, I'm not a network technician but I've been putting computers together since the late 80s and have been running Linux OSs as my desktop OS for over a decade now...
And I couldn't set up the network you described without some serious googling.
How are we supposed to expect normal people to do it? Do routers come with VLAN set up out of the box, jailed so that it doesn't send data out of your network? Somehow I doubt it.
Normal people are screwed, until routers are set up to manage IoT networks by default.
And let's be real: Normal people aren't going to buy a separate access point if their router has Wifi built in.
Help! I'm a slashdot refugee.
Infected devices usually try to spread the infection further and their scanning attempts on the Internet are often observed. There is for instance a dedicated website for IoT devices attacking Telnet ports or some more generic ones, such as the Internet Storm Center. If the IP address of your device is on the list, it is very likely that you have a problem.
I have often wondered the answer to this question myself: how can I tell if a machine on my network is compromised?
So I set up a Linux box as my primary router, and monitored all the traffic going through the box, and holy crap, there is a lot of stuff.
Every time you hit a facebook web page, the javascript in there directs your browser to hit literally dozens of other web sites, and this is true of EVERY device in your house: your wife's laptop, your son's smartphone, your dog's water bowl. When you watch a video on Netflix video, the video player hits a dozen different servers at once, and those connections come and go constantly, old ones are closed, new ones opened to different servers throughout the world with all kinds of different names. And, of course a modern computer or smartphone uses all kinds of services: time services, location services, software updates, on and on and on.
It would be very difficult for a person to notice a low level bot doing something amiss. I have all the data, and I don't know how to do it.