
@ghstwhl
Created October 25, 2016 05:57

IoT Botnets

  • What are they, and how did they take down half the internet?
  • Why can’t we fix it?
  • How do you protect yourself?

IoT: What is it?

Internet of Things is the marketing buzzword for the trend of giving every home appliance a connection to the internet, whether it was a smart idea or not. It was bad before smartphones, but now everyone expects their appliances to have an app, because who can live with a regular coffee maker that won't let them start their coffee from bed?


What happened?

  • Hackers leveraged a popular firmware for webcams that opened a firewall hole using UPnP, and scanned for cameras that still had the default admin password*.

  • They used these cameras to flood specific internet servers with traffic. These servers just happened to be the DNS servers for a large commercial DNS provider. No DNS, no internet.

  • *Default passwords are easy to find: https://cirt.net/passwords


How did we get here?

  • Developers are rushed, and buggy code gets shipped.

  • Developers put in hard-coded back doors that can’t be disabled by the purchaser.

  • Product life cycles often mean updates will never get written, as the developers are already on new projects.

  • Same botnet as a few weeks ago. Why didn’t we fix it?

    • When patches do exist, auto-update is not viable and notifying users is near impossible when many don’t register their products.
    • Many cheaply built devices lack the capability to apply an update if one existed.
  • But worse than all that… UPnP combined with people not changing the default passwords!
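
A check for the UPnP half of that problem, as an added example that is not part of the original presentation: it parses port-mapping responses saved from your own gateway and reports enabled mappings that expose an administrative port to any remote host. The argument names are those of the UPnP IGD `GetGenericPortMappingEntry` action; the `RISKY_PORTS` watch list and the sample responses are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed watch list of internal ports that should not face the internet.
RISKY_PORTS = {22: "ssh", 23: "telnet", 80: "http admin", 554: "rtsp video",
               2323: "telnet (alt)", 8080: "http admin (alt)"}

_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>{on}</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

# Constructed sample responses (not captured from a real gateway).
SAMPLE_RESPONSES = [
    _TEMPLATE.format(ext=8023, proto="TCP", port=23, client="192.168.1.50", on=1, desc="ipcam"),
    _TEMPLATE.format(ext=51413, proto="UDP", port=51413, client="192.168.1.20", on=1, desc="p2p"),
    _TEMPLATE.format(ext=8080, proto="TCP", port=80, client="192.168.1.51", on=0, desc="dvr"),
]

def parse_mapping(soap_xml):
    """Return the New* arguments of one port-mapping response as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        if name.startswith("New"):
            fields[name] = (el.text or "").strip()
    return fields

def audit(responses, risky=RISKY_PORTS):
    """List enabled mappings that expose a watched port to any remote host."""
    findings = []
    for m in map(parse_mapping, responses):
        port = int(m["NewInternalPort"])
        open_to_all = m["NewRemoteHost"] == ""  # empty means any remote host
        if m["NewEnabled"] == "1" and open_to_all and port in risky:
            findings.append((m["NewInternalClient"], port, risky[port],
                             int(m["NewExternalPort"]), m["NewProtocol"]))
    return findings

if __name__ == "__main__":
    for client, port, svc, ext, proto in audit(SAMPLE_RESPONSES):
        print(f"{client}: {svc} (port {port}) reachable from WAN on {proto}/{ext}")
```

Any device the audit reports is one that a mapping has put on the public internet; remove the mapping or disable UPnP on the gateway, and change the device's default password.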


Nobody cares about my devices, right?


Protect yourself


Addendum

While this presentation was inspired by the recent IoT-enabled botnet DDoS attack, the primary purpose is to raise awareness of the risk inherent in connecting millions of semi-smart devices to the internet. Sooner or later, the results could be fatal.
