- What are they, and how did they take down half the internet?
- Why can’t we fix it?
- How do you protect yourself?
Internet of Things is the marketing buzzword for the trend of giving every home appliance a connection to the internet, whether it was a smart idea or not. It was bad before smartphones, but now everyone expects their appliances to have an app, because who can live with a regular coffee maker that won't let them start their coffee from bed?
- Hackers leveraged a popular firmware for webcams that opened a firewall hole using UPnP, and scanned for cameras that still had the default admin password*.
- They used these cameras to flood specific internet servers with traffic. These servers just happened to be the DNS servers for a large commercial DNS provider. No DNS, no internet.

*Default passwords are easy to find: https://cirt.net/passwords

- Developers are rushed, and buggy code gets shipped.
- Developers put in hard-coded back doors that can’t be disabled by the purchaser.
- Product life cycles often mean updates will never get written, as the developers are already on new projects.
- Same botnet as a few weeks ago. Why didn’t we fix it?
- When patches do exist, auto-update is not viable and notifying users is near impossible when many don’t register their products.
- Many cheaply built devices lack the capability to apply an update if one existed.
- But worse than all that… UPnP combined with people not changing the default passwords!
- Do scary Shodan searches here…
- Internet vigilantes: Fixed It For You
- ALWAYS set new passwords on anything you buy that has a login.
- Disable UPnP if your router supports it.
- Register products, and sign up for email notifications of updates if possible.
- Scan your external IPs: https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
- Google for backdoors for your devices.
- When shopping for new appliances, ask yourself whether your toaster really needs to be IoT Connected!
While this presentation was inspired by the recent IoT-enabled botnet DDoS attack, the primary purpose is to raise awareness of the risk inherent in connecting millions of semi-smart devices to the internet. Sooner or later, the results could be fatal.