Slashdot Mirror


IoT Security Flaw Leaves 496 Million Devices Vulnerable At Businesses, Report Says (crn.com)

Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor. From a report: The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces. The Palo Alto, Calif.-based company has previously made security disclosures, including the BlueBorne malware attack that impacted 5 billion IoT devices.

26 of 108 comments

  1. Just desserts by hyades1 · · Score: 4, Informative

    If you let your appliances communicate with anybody but you, you deserve what you get.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:Just desserts by Ol+Olsoc · · Score: 5, Insightful

      If you let your appliances communicate with anybody but you, you deserve what you get.

      If for some incredibly stupid reason you need the company toilets and cameras and other crap connected to a network, build a separate network for them that never connects to teh intertoobz.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re: Just desserts by Anonymous Coward · · Score: 3, Funny

      I laughed, she laughed, the toaster laughed, I shot the toaster; it was a good time. -PCP

    3. Re: Just desserts by Anonymous Coward · · Score: 3, Funny

      You should probably connect the toilet to the tubes unless you want to deal with a very unpleasant mess

    4. Re: Just desserts by Ol+Olsoc · · Score: 3, Funny

      You should probably connect the toilet to the tubes unless you want to deal with a very unpleasant mess

      So you're saying your instinks are telling you they could become outstinks?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:Just desserts by JaredOfEuropa · · Score: 5, Interesting

      IoT should stand for Intranet of Things. A separate intranet for IoT, with no access to the Internet and very limited access to the LAN (to connect to an IoT hub for instance, or a smart phone). And do not buy devices that “require” internet in order to function.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re: Just desserts by Opportunist · · Score: 2

      But you didn't shoot the camera.

      That was your mistake.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Just desserts by locofungus · · Score: 4, Interesting

      One of the most frustrating things about these IOT things is that they won't work properly unless they have an internet connection and are registered.

      I don't actually own any IOT things but kindle - AFAICT you cannot have a 'collection' until it can talk to the internet.

      Kindlefire, connect to a private network with no (non proxy) internet connectivity and it will refuse to automatically use the connection - even if there are no other connections available.

      I'd guess things like nest are the same. The crazy thing is that I do have a way onto my internal network from outside - a VPN - I don't need each and every device trying to find its own way to punch holes through my firewall. I shouldn't have to have firewall rules to catch outgoing traffic and send it to an internal server so devices work. I shouldn't have to have special DNS zones to redirect traffic.

      These devices even try to use their own hardcoded DNS servers and bypass the ones supplied by dhcp/radvd so more firewall rules to send that traffic to the only reachable dns servers.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    8. Re:Just desserts by AmiMoJo · · Score: 2

      A dedicated firewall box for IoT is a good idea. You can just block everything except the few IP addresses they need to contact. Hard coded DNS can be fixed by simply re-routing those IP addresses to your own server.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. I'd like to say "sue them silly" by Snotnose · · Score: 5, Informative

    But I was president of my HOA for 12 years back when I was much younger and naive. Get 3 bids for something. Toss out the lower one if it's too much lower than the other 2. Make a choice on the other 2.

    Stuff goes wrong, doesn't it always? Sue the contractor's company.

    The contractor's company goes out of business with no assets left, while the contractor has another business he's running under.

    I'm guessing vendors of these IoT PoS run under the same rules. You can sue the fuck out of them, win, and get some dust bunnies and used condoms nobody on the cleaning crew wanted to touch.

  3. The attack: DNS rebinding by raymorris · · Score: 5, Informative

    Here's the basic idea of the attack they are talking about.
    An IoT thermostat can be controlled by your smartphone or computer, via a web service it exposes. Your smartphone might send data to a script at http://192.168.1.4/temp.pyc

    An attacker is able to put malicious JavaScript on a web page which changes the temperature. The attack manages to get around the same-origin policy. The bad guy has their web page, titled "NEST Troubleshooting", on nesttb.com. It loads a script from scripts.nesttb.com. Your browser does a DNS request to get the IP of scripts.nesttb.com and it comes back with 77.77.77.77 and a ttl (cache time) of 1 second. The script then calls http://scripts.nesttb.com/temp.... It's been more than 1 second, so the browser does another DNS request for scripts.nesttb.com. The DNS server gives the IP as 192.168.1.34. The attacker can now change your thermostat setting.

    Prevention:
    The device manufacturer should require authentication in order to change the setting. This should involve a TLS certificate for the client, but at least use a username and password which is generated for each device separately.

    The customer can mitigate the risk by using a local network other than 192.168.1.1/24. Try perhaps 192.168.106.1/24

    The customer can also prevent the attack completely by not buying a super expensive toy, and instead buying a normal programmable thermostat.
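Two defender-side checks against the rebinding sequence described above, written as an added example rather than code from the post: a resolver-side filter that refuses to hand a public name a LAN address (the same idea as dnsmasq's `--stop-dns-rebind` or pfSense's DNS rebinding checks), and a device-side Host header check that the comment does not mention but that blocks the rebound request even when the resolver lets it through. The domain and addresses are the comment's hypothetical ones; the lookup replay is constructed sample data.

```python
import ipaddress

# Address ranges that a public DNS name should never legitimately resolve to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Suffixes the resolver treats as local; only those names may map to LAN addresses.
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")


def is_rebind_answer(name, addresses):
    """True if a non-local name resolves to a LAN or loopback address,
    which is exactly the second lookup in a rebinding attack."""
    if name.rstrip(".").lower().endswith(LOCAL_SUFFIXES):
        return False
    return any(ipaddress.ip_address(a) in net
               for a in addresses for net in BLOCKED_NETS)


def filter_answers(name, addresses):
    """Resolver-side protection: drop the whole answer set if any record
    would rebind the name onto the local network."""
    return [] if is_rebind_answer(name, addresses) else list(addresses)


# Constructed replay of the two lookups from the comment above:
# (name, ttl, answers) as the victim's browser would issue them.
REBIND_SEQUENCE = [
    ("scripts.nesttb.com", 1, ["77.77.77.77"]),   # first lookup: attacker host
    ("scripts.nesttb.com", 1, ["192.168.1.34"]),  # after TTL expiry: the thermostat
]


def replay(sequence):
    """Return what a rebinding-aware resolver hands back for each lookup."""
    return [filter_answers(name, answers) for name, _ttl, answers in sequence]


def host_header_ok(headers, own_names):
    """Device-side protection: a rebound request still carries the attacker's
    Host header, so a device that only answers for its own names or addresses
    rejects it regardless of what the client's resolver did.
    Handles hostnames and IPv4 literals with an optional port (not IPv6 literals)."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    return host in {n.lower() for n in own_names}
```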

    1. Re:The attack: DNS rebinding by weilawei · · Score: 3

      This is the Slashdot I remember. :)

    2. Re: The attack: DNS rebinding by Miamicanes · · Score: 4, Interesting

      If you REALLY want to be a rebel & be safe(r), pick a network between 172.16.x.x and 172.31.x.x

      99.994% of people have *no* idea that range of private IP addresses exists. Everyone knows about 192.168.x.x, and almost everyone knows about 10.x.x.x, but I have yet to meet anyone who uses 172.16.x.x-172.31.x.x for their home network.

  4. a provider of Internet of Things security software by Anonymous Coward · · Score: 3, Insightful

    says these devices have security flaws.

    wait, whut? no fucking way. really?

  5. They won't learn by Ol+Olsoc · · Score: 4, Informative

    Olsoc's rules of IOT

    Rule 1. IOT devices are insecure

    Rule 2. In the event someone has a secure IOT device read Rule 1.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:They won't learn by LordWabbit2 · · Score: 3, Insightful

      Everything could be made secure. But it isn't and it's not going to happen anytime soon either. Not until people start dropping dead, and by then there will be so many insecure devices that instead of fixing the problem it's cheaper to make a Draconian example of the "hacker". This is already happening, the horse has bolted from the stables, and we CAN'T close the door, so now we crucify the person who finds the horse.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  6. Buy a new firewall by AHuxley · · Score: 2

    Put all the IoT behind a strong new firewall.
    Have a modern OS be the only way back to the internet/cell phone for the IoT.
    Firewalls and OS always stay updated and work on the internet?
    Nothing on the internet can see the IoT. The IoT can only see the OS and firewall.
    The OS takes what the IoT wants to communicate and makes such data secure, sending it in a modern way out to the user.
    The user can interact with their IoT but the internet only detects a firewall.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Buy a new firewall by aaarrrgggh · · Score: 3, Interesting

      What exactly is this magical firewall you speak of? Most are simply stateful and port blocking, which means internally started communication is fine. When the device phones home (in whatever innocuous way, even with a hard-coded NTP request), they have full access. You can’t proxy the https traffic, so you really don’t have any of the easy means of control. You can try a few other tricks— but it gets to diminishing returns quickly.

    2. Re:Buy a new firewall by AmiMoJo · · Score: 2

      Someone should build a Raspberry Pi firewall for IoT devices. It would basically block everything by default, and then have simple check boxes for different IoT devices that open up access to the necessary IPs/domains. Settings contributed by the community, similar to ad-blockers.

      Throw in a bit of rate limiting. Second ethernet port can be a cheap USB thing, doesn't need to be fast. Build in WiFi so it can act as an AP. Could be a popular project, like the PiHole.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. This is why I don't trust IoT by Anonymous Coward · · Score: 5, Interesting

    I work in the microcontroller industry and somehow became the security 'expert' for my group. I don't trust IoT for many reasons, the biggest is that not many people have a clue on how to do security right, and those that do cost an arm and a leg and most manufacturers producing IoT devices can't afford them.

    With various upgrades to my house (mostly solar), I've had to accept some IoT devices. So I've segmented my wireless network. There's an open wifi (secured by a passkey, I still consider this open), and there's a second wifi that needs 802.1X authentication. The IoT devices go to the open wifi, which is on its own subnet and vlan, and only has access through the firewall with QoS tuned down to 1 Mbps. The second wifi has its own vlan, and is routed to the internal wired network. But if I find that's been compromised it's easy to shut it down. I have yet to come upon a consumer IoT device that can work with WPA2-Enterprise & 802.1X, but my sample size is small.

    Of course most people don't run Linux firewalls with 3 Ethernet cards, and level 2 managed switches at home. Prosumer tip: watch the switch manufacturer End-of-Life notices and pick up the switches at fire sale prices as everyone tries to dump their supply; don't buy off of EBay or refurbished, you never know what's on there.

    1. Re:This is why I don't trust IoT by Opportunist · · Score: 3, Insightful

      The problem with microcontrollers and security is that security consumes a fair lot of processing power if done right. And while this is really no concern these days for a desktop or even a mobile computer (including smartphones), it still is a concern for lower end IoT devices powered by microcontrollers that can barely accomplish what their function is with the computing power they have.

      And try to justify the 2.50 bucks for the extra IC (or the next powerful IC) to implement sensible security. Not to mention the hundreds of hours.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Suspicious by 110010001000 · · Score: 2

    "One service Black Lake provides for customers is an IoT assessment that gives businesses a true look at all the connected devices on their network."

    " The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces"

    I understand now.

  9. Bullshit attack by mveloso · · Score: 3, Insightful

    This is a bullshit attack. If they've already gotten to the embedded web server then they don't need you to change your thermostat.

  10. Automatic expiration by Anonymous Coward · · Score: 5, Interesting

    All IOT devices should automatically cease functioning after 1 year without a firmware update. It should be the default deadman switch to assume they are security compromised unless someone is actively maintaining them. Routers could be set up so protocol identities are incremented every year and anything with an out of date protocol could be restricted in what it can do on the network.

  11. Re:Linked In's been hacked by ewhac · · Score: 2

    It's for LinkedIn. I HAVE NOT USED LINKED IN FOR 8 YEARS AND 2 COMPUTERS AGO. So they did not obtain it from a local keylogger. LinkedIn must have been hacked.

    Uh, yeah, it was. Big news at the time. This was a short while before they were acquired by Microsoft.

  12. or use a decent router by fuzzyf · · Score: 2

    This can also be prevented by simply using a decent router that doesn't allow local IP replies from a public DNS.
    Load up pfsense and you are protected from this. Even with default settings.