Slashdot Mirror


IoT Security Flaw Leaves 496 Million Devices Vulnerable At Businesses, Report Says (crn.com)

Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor. From a report: The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces. The Palo Alto, Calif.-based company has previously made security disclosures, including the BlueBorne malware attack that impacted 5 billion IoT devices.

6 of 108 comments

  1. I'd like to say "sue them silly" by Snotnose · Score: 5, Informative

    But I was president of my HOA for 12 years back when I was much younger and naive. Get 3 bids for something. Toss out the lower one if it's too much lower than the other 2. Make a choice on the other 2.

    Stuff goes wrong, doesn't it always? Sue the contractor's company.

    The contractor's company goes out of business with no assets left, while the contractor has another business he's running under.

    I'm guessing vendors of these IoT PoS run under the same rules. You can sue the fuck out of them, win, and get some dust bunnies and used condoms nobody on the cleaning crew wanted to touch.

  2. The attack: DNS rebinding by raymorris · Score: 5, Informative

    Here's the basic idea of the attack they are talking about.
    An IoT thermostat can be controlled by your smartphone or computer, via a web service it exposes. Your smartphone might send data to a script at http://192.168.1.4/temp.pyc

    An attacker is able to put malicious JavaScript on a web page which changes the temperature. The attack manages to get around the same-origin policy. The bad guy has their web page, titled "NEST Troubleshooting", on nesttb.com. It loads a script from scripts.nesttb.com. Your browser does a DNS request to get the IP of scripts.nesttb.com and it comes back with 77.77.77.77 and a TTL (cache time) of 1 second. The script then calls http://scripts.nesttb.com/temp.... It's been more than 1 second, so the browser does another DNS request for scripts.nesttb.com. The DNS server gives the IP as 192.168.1.34. The attacker can now change your thermostat setting.

    Prevention:
    The device manufacturer should require authentication in order to change the setting. This should involve a TLS certificate for the client, but at least use a username and password which is generated for each device separately.

    The customer can mitigate the risk by using a local network other than 192.168.1.1/24. Try perhaps 192.168.106.1/24.

    The customer can also prevent the attack completely by not buying a super expensive toy, and instead buying a normal programmable thermostat.
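
Two of the defences the comment above points at can be checked in code: a resolver that refuses to hand a public name a private address (the way "rebind protection" in home-router resolvers works), and a device-side HTTP handler that only accepts requests whose Host header names the device itself, so a script reaching it under scripts.nesttb.com is rejected even after the second lookup. This is an added illustration, not the commenter's code; the function names and the `.lan`/`.local` suffix allow-list are assumptions.

```python
import ipaddress

def is_private_ip(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal at all
    return addr.is_private or addr.is_loopback or addr.is_link_local

def filter_dns_answer(qname: str, answers: list[str],
                      local_suffixes: tuple[str, ...] = (".lan", ".local")) -> list[str]:
    """Resolver-side rebind protection: drop A/AAAA records that map an
    external name onto a private address. Names under our own local
    suffixes (assumed here) are allowed to resolve to private space."""
    if qname.lower().rstrip(".").endswith(local_suffixes):
        return list(answers)
    return [a for a in answers if not is_private_ip(a)]

def host_header_ok(host_header: str, device_names: set[str]) -> bool:
    """Device-side check: accept a request only if the Host header names
    this device (its IP or its own hostname), ignoring the port part."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [fe80::1]:80
        host = host[1:host.find("]")]
    else:
        host = host.split(":", 1)[0]
    return host in {n.lower() for n in device_names}

def simulate_rebind() -> dict:
    """Walk the comment's sequence with constructed data: first answer is
    the attacker's public host, second answer is the thermostat's LAN IP."""
    name = "scripts.nesttb.com"
    first = filter_dns_answer(name, ["77.77.77.77"])   # TTL 1s, looks normal
    second = filter_dns_answer(name, ["192.168.1.34"]) # re-query after TTL expiry
    device = {"192.168.1.34", "thermostat.lan"}
    return {
        "first_lookup": first,
        "second_lookup": second,               # [] -> rebind blocked at resolver
        "browser_host_ok": host_header_ok("scripts.nesttb.com", device),
        "own_host_ok": host_header_ok("192.168.1.34:80", device),
    }
```

Either layer alone stops the rebind described in the comment; the Host check is the one the manufacturer controls, the resolver filter is the one the customer controls.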

  3. Re:Just desserts by Ol Olsoc · Score: 5, Insightful

    If you let your appliances communicate with anybody but you, you deserve what you get.

    If for some incredibly stupid reason you need the company toilets and cameras and other crap connected to a network, build a separate network for them that never connects to teh intertoobz.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  4. This is why I don't trust IoT by Anonymous Coward · Score: 5, Interesting

    I work in the microcontroller industry and somehow became the security 'expert' for my group. I don't trust IoT for many reasons; the biggest is that not many people have a clue on how to do security right, and those that do cost an arm and a leg, and most manufacturers producing IoT devices can't afford them.

    With various upgrades to my house (mostly solar), I've had to accept some IoT devices. So I've segmented my wireless network. There's an open wifi (secured by a passkey; I still consider this open), and there's a second wifi that needs 802.1X authentication. The IoT devices go to the open wifi, which is on its own subnet and VLAN, and only has access through the firewall with QoS tuned down to 1 Mbps. The second wifi has its own VLAN, and is routed to the internal wired network. But if I find that's been compromised, it's easy to shut it down. I have yet to come upon a consumer IoT device that can work with WPA2-Enterprise & 802.1X, but my sample size is small.

    Of course most people don't run Linux firewalls with 3 Ethernet cards, and level 2 managed switches at home. Prosumer tip: watch the switch manufacturer End-of-Life notices and pick up the switches at fire sale prices as everyone tries to dump their supply; don't buy off of eBay or refurbished, you never know what's on there.

  5. Automatic expiration by Anonymous Coward · Score: 5, Interesting

    All IoT devices should automatically cease functioning after 1 year without a firmware update. It should be the default dead man's switch to assume they are security compromised unless they are actively being maintained by someone. Routers could be set up so protocol identities are incremented every year and anything with an out-of-date protocol could be restricted in what it can do on the network.

  6. Re:Just desserts by JaredOfEuropa · Score: 5, Interesting

    IoT should stand for Intranet of Things. A separate intranet for IoT, with no access to the Internet and very limited access to the LAN (to connect to an IoT hub for instance, or a smart phone). And do not buy devices that “require” internet in order to function.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...