IoT Security Flaw Leaves 496 Million Devices Vulnerable At Businesses, Report Says (crn.com)
Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor. From a report: The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces. The Palo Alto, Calif.-based company has previously made security disclosures, including the BlueBorne malware attack that impacted 5 billion IoT devices.
If you let your appliances communicate with anybody but you, you deserve what you get.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
But I was president of my HOA for 12 years back when I was much younger and naive. Get 3 bids for something. Toss out the lower one if it's too much lower than the other 2. Make a choice on the other 2.
Stuff goes wrong, doesn't it always? Sue the contractor's company.
The contractor's company goes out of business with no assets left, while the contractor has another business he's running under.
I'm guessing vendors of these IoT PoS run under the same rules. You can sue the fuck out of them, win, and get some dust bunnies and used condoms nobody on the cleaning crew wanted to touch.
Here's the basic idea of the attack they are talking about.
An IoT thermostat can be controlled by your smartphone or computer, via a web service it exposes. Your smartphone might send data to a script at http://192.168.1.4/temp.pyc
An attacker is able to put malicious JavaScript on a web page which changes the temperature. The attack manages to get around the same-origin policy. The bad guy has their web page, titled "NEST Troubleshooting", on nesttb.com. It loads a script from scripts.nesttb.com. Your browser does a DNS request to get the IP of scripts.nesttb.com and it comes back with 77.77.77.77 and a TTL (cache time) of 1 second. The script then calls http://scripts.nesttb.com/temp.... It's been more than 1 second, so the browser does another DNS request for scripts.nesttb.com. The DNS server gives the IP as 192.168.1.34. The attacker can now change your thermostat setting.
Prevention:
The device manufacturer should require authentication in order to change the setting. This should involve a TLS certificate for the client, but at least use a username and password which is generated for each device separately.
The customer can mitigate the risk by using a local network other than 192.168.1.1/24. Try perhaps 192.168.106.1/24
The customer can also prevent the attack completely by not buying a super expensive toy, and instead buying a normal programmable thermostat.
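A device-side version of the prevention this comment asks for, as an added example written for this thread (not the commenter's code and not any vendor's firmware): the endpoint first refuses any request whose Host header does not name the device itself, which is what a request produced by the rebinding trick carries (Host: scripts.nesttb.com), and then requires a per-device credential before it touches the setpoint. The Host check is an extra layer on top of the authentication the comment describes. The address 192.168.1.4, the name thermostat.local, the path /temp and the credential are assumed for the demo, and a shipping device would serve this over TLS rather than plain HTTP.

```python
import base64
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed values for the demo: a real device would carry a unique credential
# per unit and learn its own address(es) from its network stack.
DEVICE_USER = "thermostat"
DEVICE_PASSWORD = "w7Qk-example-only"
LOCAL_ADDRS = ("192.168.1.4",)
LOCAL_NAMES = ("thermostat.local",)


def basic_auth_header(user, password):
    """Build the Authorization header value a legitimate client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def host_is_allowed(host_header):
    """Accept only Host headers that name this device (its address or local name).

    A request produced by DNS rebinding carries the attacker's hostname in Host,
    because that is the name the browser connected to, so it fails here even
    though the TCP connection arrives from a client on the LAN.
    """
    if not host_header:
        return False
    host = host_header.strip()
    if host.startswith("["):                  # bracketed IPv6 literal, maybe with :port
        host = host[1:host.find("]")]
    else:
        host = host.rsplit(":", 1)[0]         # drop an optional :port
    try:
        return str(ipaddress.ip_address(host)) in LOCAL_ADDRS
    except ValueError:                        # not an IP literal: compare as a name
        return host.lower() in LOCAL_NAMES


def credentials_ok(auth_header):
    """Validate HTTP Basic credentials using constant-time comparison."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return (hmac.compare_digest(user.encode(), DEVICE_USER.encode())
            and hmac.compare_digest(password.encode(), DEVICE_PASSWORD.encode()))


def decide(headers, query):
    """Policy for POST /temp?set=<celsius>: returns (HTTP status, reason)."""
    if not host_is_allowed(headers.get("Host")):
        return 421, "Host header does not name this device (possible DNS rebinding)"
    if not credentials_ok(headers.get("Authorization")):
        return 401, "missing or invalid device credentials"
    try:
        setpoint = float(query.get("set", [""])[0])
    except ValueError:
        return 400, "setpoint is not a number"
    if not 5.0 <= setpoint <= 35.0:
        return 400, "setpoint outside the 5-35 C range"
    return 200, f"setpoint accepted: {setpoint:.1f} C"


class TempHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end that applies decide() to POST /temp."""

    def do_POST(self):
        url = urlparse(self.path)
        if url.path != "/temp":
            self.send_error(404)
            return
        status, reason = decide(self.headers, parse_qs(url.query))
        body = reason.encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="thermostat"')
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Demo only; listen on the LAN interface and drive it with curl --user.
    HTTPServer(("0.0.0.0", 8080), TempHandler).serve_forever()
```

Ordering matters: the Host check runs before authentication so a rebound request is rejected outright and never learns whether the credential it carried was any good, and a 421 (Misdirected Request) in the device log is a useful signal that something on the LAN is being pointed at the device under a foreign name.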
says these devices have security flaws.
wait, whut? no fucking way. really?
Rule 1. IOT devices are insecure
Rule 2. In the event someone has a secure IOT device read Rule 1.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Put all the IoT behind a strong new firewall.
Have a modern OS be the only way back to the internet/cell phone for the IoT.
Firewalls and OS always stay updated and work on the internet?
Nothing on the internet can see the IoT. The IoT can only see the OS and firewall.
The OS takes what the IoT wants to communicate and makes such data secure, sending it in a modern way out to the user.
The user can interact with their IoT but the internet only detects a firewall.
Domestic spying is now "Benign Information Gathering"
I work in the microcontroller industry and somehow became the security 'expert' for my group. I don't trust IoT for many reasons, the biggest is that not many people have a clue on how to do security right, and those that do cost an arm and a leg and most manufacturers producing IoT devices can't afford them.
With various upgrades to my house (mostly solar), I've had to accept some IoT devices. So I've segmented my wireless network. There's an open wifi (secured by a passkey, I still consider this open), and there's a second wifi that needs 802.1X authentication. The IoT devices go to the open wifi, which is on its own subnet and vlan, and only has access through the firewall with QoS tuned down to 1 Mbps. The second wifi has its own vlan, and is routed to the internal wired network. But if I find that's been compromised it's easy to shut it down. I have yet to come upon a consumer IoT device that can work with WPA2-Enterprise & 802.1X, but my sample size is small.
Of course most people don't run Linux firewalls with 3 Ethernet cards, and level 2 managed switches at home. Prosumer tip: watch the switch manufacturer End-of-Life notices and pick up the switches at fire sale prices as everyone tries to dump their supply, don't buy off of eBay or refurbished, you never know what's on there.
"One service Black Lake provides for customers is an IoT assessment that gives businesses a true look at all the connected devices on their network."
" The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces"
I understand now.
As bad as home IoT seems to be, many major business IoT sensors, remote relays, etc don't even use HTTPS so can't do proper authentication. I'm thinking of most devices made by ControlbyWeb which are used in factories around the world and their competitors are just as bad!
This is a bullshit attack. If they've already gotten to the embedded web server then they don't need you to change your thermostat.
I expect devices to be upgradable at best.
Pull em out and return them on statutory warranty grounds.
And if the dumb manufacturer built them flawed - wear the cost.
I know the rich physically unplug hotel tv sets because the crap firmware is done by the lowest bidder, and miles behind open source routers.
This exploit is a timing attack - kinda novel, and there will be more. Whitelisting IP addresses to build a newer list is the way to go. Meanwhile burglars and thieves can scope your house out, knowing it is safe to rob.
I got a ransom email telling me my password is XXXXXXXX and I used it to sign up to porn sites, that were hacked and a webcam of me pleasuring myself will be released unless I send money to a bit coin address.
Nah, I don't have a webcam, nobody signs up for porn accounts, and I don't use messenger, have social network accounts, or webmail, but the password does have my 'tell' in it, I use unique passwords for everything and change them often, I can always spot one of my passwords and the password is real.
It's for LinkedIn. I HAVE NOT USED LINKED IN FOR 8 YEARS AND 2 COMPUTERS AGO. So they did not obtain it from a local keylogger. LinkedIn must have been hacked.
So Linkedin *itself* has been hacked and someone is using their passwords for an email scam.
"Let me tell you, I actually setup a malware on the X vids (sex sites) website and you know what, you visited this web site to have fun (you know what I mean). When you were watching videos, your web browser initiated operating as a RDP having a key logger which gave me accessibility to your display as well as cam. Just after that, my software program obtained all of your contacts from your Messenger, social networks, as well as emailaccount. And then I made a video. First part shows the video you were watching (you've got a nice taste ; )), and second part shows the view of your web cam, yeah it is u. "
You will have a pair of possibilities. We should explore these types of options in particulars:
1st choice is to dismiss this email. As a consequence, I most certainly will send your recorded material to every bit of your contacts and consider regarding the shame you can get. Not to forget should you be in a relationship, exactly how it can affect?
2nd choice will be to give me $1000. Let us name it as a donation. Then, I will asap remove your video footage. You could keep on going everyday life like this never happened and you will never hear back again from me.
You'll make the payment through Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).
BTC Address: 1LLXM3HmVgp5tDzFBZeTUt3CwPziGezmdS
[case-sensitive copy & paste it]
All IOT devices should automatically cease functioning after 1 year without a firmware update. It should be the default dead man's switch to assume they are security compromised unless someone is actively maintaining them. Routers could be set up so protocol identities are incremented every year and anything with an out-of-date protocol could be restricted in what it can do on the network.
USPS?
All mail is photographed when sent, so they would trace it. This is a bulk scam, millions of these are emailed out, none are personalized beyond LinkedIn information, so this is scatter gun mail. And it certainly is mail fraud if it ever was sent USPS.
It would cost a lot of money to send millions of these out via USPS.
Bulk mail rates would not be possible, and anyone bringing in thousands of letters to be mailed would be flagged immediately.
So I am suspicious of your claim. Can you back it up?
It's almost like they want to claim that companies who have no experience with networked devices because so far their main experience lies in a totally different segment of electronics where the "networked" part is only tacked on as an afterthought don't spend time and resources making a feature secure they mainly have as a sales gimmick.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This can also be prevented by simply using a decent router that doesn't allow local IP replies from a public DNS.
Load up pfsense and you are protected from this. Even with default settings.
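What a router-side rebinding check amounts to, as an added example written for this thread (not pfSense's code and not the commenter's), which also covers the attack walkthrough earlier in the thread: a caching stub resolver that refuses to hand a private, loopback or link-local address to a client for any name outside the local domain, and that can optionally clamp very short TTLs so a second lookup is served from cache instead of going back upstream. The upstream answer sequence, the hostnames scripts.nesttb.com and thermostat.lan, and the fake clock are all constructed for the demo.

```python
import ipaddress
import time


def is_rebind_candidate(ip):
    """True for addresses a public hostname has no business resolving to."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the TTL expiry is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FilteringResolver:
    """Caching stub resolver with a DNS-rebinding check and an optional minimum TTL.

    upstream_answers maps a name to a list of (ip, ttl) answers that the upstream
    server returns in order (the last one repeats), which lets us script the
    public-then-private sequence the rebinding trick depends on.
    """

    def __init__(self, upstream_answers, local_suffixes=(".lan", ".local"),
                 filter_private=True, min_ttl=0, clock=time.monotonic):
        self.upstream = upstream_answers
        self.local_suffixes = local_suffixes
        self.filter_private = filter_private
        self.min_ttl = min_ttl
        self.clock = clock
        self.cache = {}          # name -> (ip, expires_at)
        self.dropped = []        # (name, ip) answers refused by the rebinding check

    def _ask_upstream(self, name):
        answers = self.upstream[name]
        return answers.pop(0) if len(answers) > 1 else answers[0]

    def resolve(self, name):
        """Return the IP for name, or None when the answer is refused."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]
        ip, ttl = self._ask_upstream(name)
        # The rebinding check: private answers are only acceptable for names
        # inside the local domain, never for an arbitrary public hostname.
        if self.filter_private and is_rebind_candidate(ip) and not name.endswith(self.local_suffixes):
            self.dropped.append((name, ip))
            return None
        self.cache[name] = (ip, now + max(ttl, self.min_ttl))
        return ip


def simulate(filter_private=True, min_ttl=0):
    """Replay the rebinding sequence against the resolver and report what the client saw."""
    clock = FakeClock()
    upstream = {
        # constructed: public address first with a 1-second TTL, then the LAN address
        "scripts.nesttb.com": [("77.77.77.77", 1), ("192.168.1.4", 1)],
        # constructed: a legitimate local name that must still resolve to a LAN address
        "thermostat.lan": [("192.168.1.4", 300)],
    }
    resolver = FilteringResolver(upstream, filter_private=filter_private,
                                 min_ttl=min_ttl, clock=clock)
    seen = [resolver.resolve("scripts.nesttb.com")]
    clock.advance(2)                          # the 1-second TTL has expired, browser re-asks
    seen.append(resolver.resolve("scripts.nesttb.com"))
    return {"answers": seen,
            "local": resolver.resolve("thermostat.lan"),
            "dropped": list(resolver.dropped)}


if __name__ == "__main__":
    print("no protection:   ", simulate(filter_private=False)["answers"])
    print("rebinding check: ", simulate()["answers"])
    print("min TTL 60s only:", simulate(filter_private=False, min_ttl=60)["answers"])
```

The two controls fail differently: the rebinding check refuses the second answer outright (the client gets a resolution failure, and the dropped list is what you would want to log), while TTL clamping alone keeps serving the first, public address from cache, which also stops the trick but does so silently. Both leave names under the local suffixes free to resolve to LAN addresses, which is why a legitimate thermostat.lan still works.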
Anyone else remember when it was the Right that was this raving mad? "Obama is treasonous, he sides with putin and betrays america, bla bla bla."
Did you have a stroke in 2015, and lose all your memory?
The attack is carried out from their own web server.
They set up nest-troubleshooting.com on their own hosting account. A script on nest-troubleshooting.com accesses scripts.nest-troubleshooting.com.
scripts.nest-troubleshooting.com (sometimes) has the IP address 192.168.1.4, which is the same IP as your thermostat.
> Nothing on the internet can see the IoT. the IoT can only see the OS and firewall.
That's all good, but doesn't solve this issue. This vulnerability requires that:
Your computer or phone can see the web.
Your computer or phone can see the IoT.
Most home / small office routers by default assign themselves 192.168.1.1 and hand out IPv4 IPs starting at 192.168.1.2, handing them out in order. Therefore pretty much every device in everyone's house will have one of 11 IPs, 192.168.1.2 - 192.168.1.12. The attacker simply tries each in turn.
This attack can't be done with IPv6. You don't have everyone using the same default IPs with IPv6, and IPs aren't normally assigned in order.
Precisely wrong. First you are right that no one would buy a non-maintainable IOT device but they would buy ones that the manufacturers promised to keep updated. You could do that now of course but people complain about the Apple tax or similar. But Apple routers and Apple TV are trivial to update because they do it via the attached computer. So do things like chrome computers and fire sticks.
Or you could contract with a third party if you dare.
The key point is that once someone is paying for it then it gets done.
Some drink at the fountain of knowledge. Others just gargle.
If you read the story it should become evident that this is just masked marketing for one of Armis' products. Essentially, the accusation is that if you have a device that is accessible by a Web interface on your computer, and someone gets access to your computer/browser, well lo and behold, they can get access to the devices. Newsflash: billions of cars are vulnerable to attack -- if someone steals your keys. This is just marketing to sell people crap to make up for the crap (IoT) they bought without understanding what it did or how to secure it.
Generally, the first device connected is assigned .2, the next .3, etc. So it would be rare to find any device in a house with an IP higher than about .12
A much more appropriate acronym.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user