Hacker News
New DDoS Attack record 1.5+ Tbps (bbc.com)
69 points by Sami_Lehtinen on Sept 30, 2016 | 92 comments


Web hosting company OVH said it had been attacked by a botnet (zombie army) of hacked devices such as webcams.

It's scary to think about the potential for leveraging IoT devices for DDoS attacks. Your dishwasher, fridge, thermostat, mattress, chairs could all be participants without you even knowing.


It's even scarier when someone takes one of your IoT devices and intends to harm you. Like making your fridge's ice maker flood your house. They talked about this at Defcon 24.


I'm really having trouble finding a use case for connecting some of this stuff, especially one that merits the risk.


It's because advertisers have armies of psychologists and mountains of data they can use to pull your ear and put it right up against a loudspeaker telling you to purchase stupid stuff.

It's an arms race, and we measly individual consumers with real life concerns that don't center around defending our psyche from nonstop sensory ambush stand a very poor chance.


One word: convenience


I don't know what is convenient about a connected dishwasher. You still have to load the thing. Is pushing a physical start button that hard?


But it will tell you when it is done, same for a connected washer/dryer. Or a connected refrigerator that tells you when the filters are low or when you need to buy more eggs.

I think it is silly. You think it is silly, but people will buy this crap. They think apps will solve their problems.



They said we'd buy 3DTVs and such too, we didn't. The age of obsessing over appliance technology is over. They meet our basic needs and until they can save us massive amounts of time with more improvement the minimalist trend will continue and these will primarily be bought as designer items.

People with money to spend are choosing design, real estate (location over structure), experiences and food.


Yeah, but a lot of that stuff is already doable. It's just not telling you remotely. For instance, the filter light is on when you walk by the refrigerator or the dishwasher beeps and shows an indicator when it's done.

It's really more than sufficient to me. In fact, with everything else I have going on, I don't need my refrigerator texting me whenever it thinks it deserves my attention. That would actually be inconvenient.

Then, there's this hidden cost of the purported "convenience". More stuff updating, hacked etc. And, with the thousand other devices, now I have to spend time configuring what I want to manage, etc.

Reminds me of something I read years ago about the hidden costs of some tech. In one anecdote, subway riders were excited when A/C was installed on the train. Now, they could ride in comfort. What they didn't realize was the A/C exhaust heated the platform another 10 degrees or so, and they were actually less comfortable while waiting.


Oh great, so my dishwasher can flood my kitchen and my network. Woohoo!


Whatever. What's the worst that could happen? My dishwasher opening and spraying pressurized water at me?

In all seriousness, it could be a good niche market "not internet capable".


With an internet connected thermostat, someone could turn off your heat while you are away during the winter, causing your pipes to burst and flooding your home.

Alternatively, in the summertime they could crank up your heat and potentially kill any pets you have at home.


To give in, what about blowing up? If some dishwashers do this without tampering, imagine what a dedicated attacker could do.

http://www.recode.net/2016/9/29/13099092/samsung-exploding-r...


Water damage could run to hundreds of thousands of dollars in a few hours.


I think that there has been a report of an IOT running machine being hacked and the settings suddenly being changed to max speed - causing the user to be thrown off the back of it.


And because these devices are proprietary, there is no way to know. None of this stuff is going to be in my house any time soon.


There was a talk at DEF CON where they ransomwared a thermostat. For example, it could turn the temp in your house up to 105F and demand 1 BTC from you to work normally again.


I'm quite interested in what will happen when a significant proportion of people have internet-connected thermostats, and malware of some kind makes them all turn the heating to full power at the same time. I think it would be interesting to see what happens to utility distribution grids in that case.


Your machine can go in flames and burn your house: https://www.youtube.com/watch?v=dq6T5BojXc8


Your dishwasher potentially flooding your house doesn't sound bad enough to you?

What if you have wood floors? What if water shorted electrical devices? All of this could cost you thousands in repairs.


My main concern is these devices causing bodily harm. The dishwasher spraying hot water at me is pretty scary. A flooded house isn't nearly as bad as being disfigured.


> My main concern is these devices causing bodily harm

That's a reasonable, genuine concern, and one that should require physical interlocks (not just software code) to guard against.

That's a good situation for mandatory safety codes (such as the FDA requirements for 2 physical interlocks on microwaves [1]).

[1] http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRS...


What about food poisoning when I make your refrigerator turn off?


A flooded house is effectively extorting you with threat of bodily harm, because it costs money to dry it, and if you don't dry it promptly then mold will grow, which will cause health problems.


What I find even scarier is that, with computers and mobile devices, at least someone might notice when they're running slower than usual or consuming more data than usual. Most people have at least heard of computer viruses, and antivirus vendors have been trying pretty hard to get their crap on Android phones as well.

But would you notice if your thermostat was running a little slower than usual? Would it even occur to anyone that their dishwasher might have caught a virus? These things could participate in DDoS attacks all year long and nobody would suspect a thing. And even if someone did, fixing them would be much more difficult than taking your laptop to the nearest Best Buy (or even impossible, thanks to DRM).


I can also imagine that the microchips and their connected components wear out faster because they are under high load and therefore become hotter than usual. So after a few months your fridge is mysteriously dead just because of malware and you won't even know about it.


Imagine an army of fridge-hosted bitcoin miners…it'd be extraordinarily inefficient, but the bot-herders wouldn't care about the electricity bill.


Are there consumer routers (that are relatively easy to use) that can alert you or shut down a device, when all of a sudden your thermostat is making tons of network requests?


There are routers that can control how much data a given downstream device can transfer in a given time, shut them down entirely during certain times of day, etc.

But then I'd guess the crooks will just compromise the router itself.
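The kind of per-device check asked about above can be sketched as follows. This is an added example, not code from any commenter or from a real router; the sample rates, thresholds and device names are constructed assumptions. Each device is compared against its own recent outbound rate, so a normally quiet thermostat that starts flooding is flagged while a busy laptop is not.

```python
from collections import defaultdict, deque
from statistics import median

# All thresholds are illustrative assumptions, not vendor defaults.
WINDOW = 10       # trailing normal samples kept per device as its baseline
MIN_HISTORY = 5   # samples needed before a device can be judged
FACTOR = 8.0      # flag when the rate exceeds the baseline median by this factor
FLOOR_PPS = 200   # never flag below this absolute outbound packet rate
BLOCK_AFTER = 3   # consecutive flagged samples before recommending a block


def detect_bursts(samples):
    """Flag devices whose outbound rate jumps far above their own baseline.

    samples: iterable of (minute, device, packets_per_second), in time order.
    Returns a list of (minute, device, pps, baseline, action) where action
    is "alert" or, after BLOCK_AFTER consecutive flags, "block".
    """
    history = defaultdict(lambda: deque(maxlen=WINDOW))
    strikes = defaultdict(int)
    findings = []
    for minute, device, pps in samples:
        past = history[device]
        if len(past) >= MIN_HISTORY:
            baseline = median(past)
            if pps >= FLOOR_PPS and pps > FACTOR * max(baseline, 1):
                strikes[device] += 1
                action = "block" if strikes[device] >= BLOCK_AFTER else "alert"
                findings.append((minute, device, pps, baseline, action))
                continue  # keep flood samples out of the baseline
        strikes[device] = 0
        past.append(pps)
    return findings


def constructed_samples():
    """Constructed per-minute outbound rates (packets/s) for two devices."""
    thermostat = [2, 3, 2, 2, 4, 2, 3, 2, 4000, 4200, 3900]
    laptop = [300, 450, 280, 600, 350, 500, 420, 380, 700, 310, 650]
    out = []
    for minute, (t_pps, l_pps) in enumerate(zip(thermostat, laptop)):
        out.append((minute, "thermostat", t_pps))
        out.append((minute, "laptop", l_pps))
    return out


if __name__ == "__main__":
    for finding in detect_bursts(constructed_samples()):
        print(finding)
```

The check only helps if it runs on a box the compromised device cannot reconfigure, which is the concern raised in the reply above.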


And the average IOT user is unlikely to understand the security implications and correctly configure the router.


We first need consumer routers which are not themselves that device on a regular basis before we can think of detecting misbehavior in other devices.


Just last week I heard a talk at a conference about this very topic because many of these smart IoT devices have horrible software and shoddy security practices and are basically never checked by their owners, while having quite powerful SoCs nowadays.


The IoTification is fast approaching and I believe that only OpenBSD can save us now. Well, one can wish anyway... for a safe and open source future.


How does OpenBSD save us from poorly written software?


>safe

In 99% of cases these devices are exploited using vulnerabilities in the software or configuration added by the vendor (such as telnet access with root:root), not bugs in Linux.

>open source

How exactly would a permissively licensed kernel get vendors to disclose the source code?


Yeah, and these things will continue to proliferate. Probably near hopeless to expect all of these manufacturers to stem this.

But, it seems that ISPs could play a more pivotal role in combating this, and that they'd have financial incentive to do so.

For instance, what if we built more security/detection into routers/gateways (especially those that ISPs push)?

What if we combined this with mandates for ISPs to better monitor their traffic and established minimum standards for doing so?


Creating a framework where my ISP is legally required to perform deep packet inspection on my traffic seems like the wrong way to handle this for a whole pile of reasons.


What financial incentive?

I won't be surprised if we see, before the end of the year, news along the lines of "Toaster catches virus, leaves owner with $5K data bill." Why bear any costs when you can pass them on to your captive customers?


>What financial incentive?

If the network starts to serve an increasingly disproportionate amount of illegitimate traffic for n customers, then the ISP will have to increase throughput (and costs) to continue serving n customers.

It's tempting to argue that they could just pass the extra costs on to customers, but that obviously makes them less competitive, especially vs an ISP that better manages costs.


Many ISPs have basically no real competition. Don't like your cable company? Your alternative is <5Mbps DSL with a tiny amount of upload, high-latency and low data caps on satellite, and if you're lucky, a wireless connection that's even worse than DSL.


Maybe in some places. But, that says they could raise prices now. And, to the extent that this is true (or not), they are still better off with reduced costs.


Make the manufacturers of these faulty devices liable for the damages.


Aren't IoT connections throttled by default?


Throttled by what?

Most home/consumer routers lack the capability to throttle a specific device, and most consumers wouldn't think to configure this if the capability was there.

There's a good argument to say that they should be throttled by their own software, but the basic premise of the issue is that IoT software is badly designed, badly programmed, and badly maintained, so I wouldn't hold out much hope of throttling in the device itself.


What I find most astonishing is that OVH can handle the attack. The one on Krebs was a success for the attackers, this one apparently not.

Botnets are run for business and will attract well-paying customers if they can demonstrate that they can disable (nearly) any target. The fact that any client of a hosting company such as OVH is very bad news for the attackers and excellent advertisement for OVH.


It's an astonishing ad for OVH if they can handle that with no problems. If they were able to measure the size, they didn't nullroute the target, which is something to be proud of.


Seems like it would be easy to use these tools to brick all these cameras/dvrs, saving everyone (but their owners) a lot of headache.


This is obviously horribly illegal and unethical, but it does sort of appeal to that same small part of my brain that longs for things like violent proletariat revolution. Imagine if some greyhat security outfit intentionally bricked tens of thousands of these devices. Buyers would be pissed, go to the manufacturer for recompense, possibly to the level of bankruptcy, and there would finally be some incentive for taking IoT security seriously.

I'm not saying someone should do it... but I'm not saying someone shouldn't do it.


Which brings the question:

Are the manufacturers stupid enough to put the items on the internet AND embed a self-destruct command...


These attacks are showing that it's trivial to achieve remote-code-execution on many of these devices. So in a way, yes, they do have self-destruct built in.

Simply connect to one, and then overwrite the boot partition. Or rm -rf /. Or even just use the firewall to block all inbound and outbound connections (an IP camera isn't very useful if you can't view the feed).


The scarier thought to me is that this many cameras installed in houses, businesses, bedrooms, etc. are being commandeered. That's a huge problem for privacy, let alone being used as botnets on the side.


You are correct. I know there are sites out there that even aggregate camera feeds, although the more ethical ones remove any feeds where there may be privacy concerns.

Frankly, I would NEVER install such a device in my house. The engineering on many is (almost?) criminally flawed.


I don't think there is a self-destruct command ever from what I've heard. There are plenty of chips with undefined behavior that can be exploited to essentially act as a self-destruct. Failing that I assume there are ways to kill it by overrunning the device's normal mechanisms.


Could it be deemed an act of self defense if done in the middle of such an attack? We have all these laws where we are allowed (in the US) to shoot somebody and kill them if they invade our home or business. If I am a business owner, why could I not then "kill" the device that is attacking me? Is it any different than killing an attacking dog that belongs to someone else? Interesting thought experiment in the very least...


This is something that has occurred to me too. It would also -hopefully- result in large, class action lawsuits against the manufacturers for producing products so insecure that they got mass bricked.

I would be all for such... preventative action... if it wouldn't also hurt the consumers. Unfortunately it is the end users that would lose.


The BBC article as far as I can tell doesn't actively talk about the OVH attack possible source change suggested: https://www.hackread.com/ovh-hosting-suffers-1tbps-ddos-atta...


Thanks for the link, it makes more sense than the BBC article. This is NOT a single DDOS attack but a series of large (independent? time-separated?) attacks.


Please excuse my potential naivete on the subject, as I don't work in the hardware space, but I asked this in the dupe yesterday and didn't get a follow up.

I don't understand why most IoT devices require an Internet connection to work, for anything other than phoning home (data collection by the device provider). Of course, a Television is different than a Refrigerator here.

Unless you live in a mansion where the distance from devices becomes significant, couldn't your "Home PC/Tablet/phone" connect to your IoT device via bluetooth or on the subnet? Exploits are still possible, but the majority of them would be localized. The cost of slightly lower ease-of-use (which can be mitigated by good OS support) would appear to have numerous security benefits.


One of the more obvious use cases is remote control of devices – say you want to turn the heating on remotely, then at some point it's going to have to communicate outside the network. Or if you have a remotely-accessible camera. Or an alarm system that notifies you when it goes off. Or a locking system, and so on.

I'm not arguing that this is a good thing, but it does explain why the devices want remote access. In an ideal world, this would function through some kind of home hub device – a single point of communication between "outside" and "inside", which has many clear benefits. In practice, it's going to be difficult to do this; devices don't use any kind of shared protocol or system that would enable this.

I am currently working on an 'IoT' project, and it also connects to a central server, directly, over wifi, for exactly these reasons. It's hard to see what other approaches are possible at this stage, until there is some kind of industry-wide standard that's actually used by manufacturers.


> In an ideal world, this would function through some kind of home hub device – a single point of communication between "outside" and "inside", which has many clear benefits

This is exactly what I was suggesting, and thanks for your input!

I believe this is a space where Raspberry Pi has some potential - as there are some open sourced projects that handle some of these functions. Personal anecdote: I recently bought a PiNoIR module and plan on building a (relatively primitive) apartment security system in which the machine the camera-pi "phones home" to can send my phone Twilio SMS if any motion is detected.

A problem I foresee is if the home computer is pwned, both devices can be exploited for the same nefarious task.

:EDIT: Granted, most consumers don't want to "DIY" as much as I do.


For the most part they don't. I think it's mostly groupthink and data that's driving it. No one thinks outside the loop of gather data, send home, analyse and sell, app talks to web.

Case in point, Musicbee - the excellent music player, has a little Android remote control app. It just operates via the local net behind the firewall. It's reliable and a well designed Android app.

If Samsung, Apple, or any startup were providing this it would send all your data to the website and the app would operate via the website too.

You'd gain the "convenience" of being able to change track and volume when out of earshot, and a web portal with adverts targeted on your listening and a pretty graph or two.

There's no need for my toaster, dishwasher to be web aware. Living on the local net would be enough for any of the features they give.


> Unless you live in a mansion where the distance from devices becomes significant

How do I check my cameras from work? When I realize I didn't remember to record my favorite program once I reach work, how do I fix that?

> couldn't your "Home PC/Tablet/phone" connect to your IoT device via bluetooth or on the subnet?

Not every customer has a NAT router setup at home.

> The cost of slightly lower ease-of-use (which can be mitigated by good OS support)

Lower hanging fruit would be not leaving a telnet server open on the box in the first place, which is apparently already more work than some of these companies are willing to invest. And I'm not sure how good OS support is supposed to make up for the lack of a NAT router, or how you're supposed to limit things to your home network when you want to access them from work - or how those two fundamentally incompatible goals are supposed to be made compatible by "good OS support".


Time to start calling IoT what it really is - the Internet of Threats. No, I didn't come up with that myself:

http://www.nbcnews.com/tech/security/kaspersky-smart-fridges...

In just a few years we may be dealing with tens of Tbps DDoS attacks thanks to the "explosion of IoT", unless IoT manufacturers get their shit together (perhaps also encouraged by aggressive government actions and fines against those who don't follow some set best practices on security).


Do we blame the ice maker manufacturer when poisoned water flows from the city water pipes? Do ice machines have viral and chemical threat detection? Wouldn't the ISP be a better place to assign liability? Or, perhaps, just maybe, the actual user of a device? It's not Lenovo's fault when a user gets a virus.

I agree device security ought to be better, but the free market can solve that. If a particular brand of toaster is constantly being hacked, the market would respond. I wouldn't expect an ice maker manufacturer to be held liable for poisoned water supplies.

It's a tough issue, but 'more government' isn't the answer. The government can barely keep their own data safe let alone be trusted to enforce how others ought to keep theirs safe.

The FDA is supposed to keep medicines safe yet it has become a monster that adds billions to the costs of drug development. I am not saying to ditch the FDA, but I would be fearful if releasing a new IOT device required FDA-level approval. Your connected toaster would cost $9000.


> If a particular brand of toaster is constantly being hacked, the market would respond

That depends whether "the market" is directly affected.

If my toaster is hacked and starts getting used in a DDOS botnet - but still makes toast as expected - would I even know?

The way to ensure market forces influence this is to ensure that the market is negatively affected: whether that's their ISP disconnecting their internet, their device stopping working, etc.


> If my toaster is hacked and starts getting used in a DDOS botnet - but still makes toast as expected - would I even know?

How is the toaster connected to the Internet? If through wireless, a DDOS could easily use too much airtime, making every other wireless device in the same channel slower.

You wouldn't notice the toaster misbehaving, but you would notice everything else not working as well.


> you would notice everything else not working as well

Assuming that my toaster didn't get owned on day 1, even as a tech-minded person, if my wifi suddenly started slowing down, I'd be considering a number of other alternatives before wondering whether my toaster had been hacked.

Let's assume a little bit of packet-sniffing would uncover the cause, that's still only a very small minority of people with the skills and tools to go through that process.


And most people will troubleshoot this problem by restarting their router. And when that doesn't solve the problem, complain about cosmic rays, or humid weather.


Do I have google fiber with one of those fancy 37 antenna routers? I could easily be blasting 100mbs upstream without noticing because nearly all the traffic I care about is downstream.


>unless IoT manufacturers...

>encouraged by aggressive government actions and fines...

Funny, I just replied to another comment that it seems near hopeless to expect this of manufacturers.

Seems that ISPs, on the other hand, might be able to play a more pivotal role.


ISPs should implement BCP38 (prevention of spoofed traffic originating from their networks, in short) but when a device is compromised, it doesn't necessarily have to spoof traffic at all.

ISPs have thin margins, and get paid to push bits. DDoS mitigation services are extremely expensive not because they are complex or novel but because they require significant resources (both in hardware and in software expertise).

If manufacturers are going to sling "shit" and we can't hold them accountable; consumers are going to buy the polished turds and we can't prevent them plugging it into their networks; and ISPs have little to zero incentive or ability to "filter out the bad traffic" then we're basically looking at a 5-10 year span of increasingly detrimental, expensive, and effective denial of service attacks.
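The BCP38 point in the comment above, shown as an added example that is not part of the original thread: an ingress filter that accepts a packet only when its source address belongs to the prefix assigned to the interface it arrived on. The interface names, prefix assignments and packets are constructed, using documentation address ranges. Note that traffic from a compromised device using its real address passes the filter, which is the limitation the comment describes.

```python
import ipaddress

# Constructed: customer-facing interface -> prefixes the ISP assigned to it.
ASSIGNED = {
    "cust-a": ["198.51.100.0/28", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.16/28"],
}

# Constructed packets: (ingress interface, source address, destination address).
PACKETS = [
    ("cust-a", "198.51.100.5", "203.0.113.10"),        # real source, e.g. a hijacked camera
    ("cust-a", "192.0.2.77", "203.0.113.10"),          # spoofed: not assigned to anyone here
    ("cust-b", "198.51.100.5", "203.0.113.10"),        # spoofed: belongs to cust-a
    ("cust-a", "2001:db8:a::1234", "2001:db8:ffff::1"),  # real IPv6 source
    ("cust-b", "198.51.100.20", "203.0.113.10"),       # real source
    ("cust-c", "198.51.100.20", "203.0.113.10"),       # interface with no assignment
]


def build_table(assigned):
    """Parse the prefix strings once into ip_network objects."""
    return {
        ifname: [ipaddress.ip_network(prefix) for prefix in prefixes]
        for ifname, prefixes in assigned.items()
    }


def bcp38_permit(table, ifname, src):
    """Source address validation: is src inside a prefix assigned to ifname?"""
    addr = ipaddress.ip_address(src)
    return any(
        addr.version == net.version and addr in net
        for net in table.get(ifname, [])
    )


def filter_ingress(table, packets):
    """Split packets into (forwarded, dropped) by the source-address check."""
    forwarded, dropped = [], []
    for packet in packets:
        ifname, src, _dst = packet
        (forwarded if bcp38_permit(table, ifname, src) else dropped).append(packet)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_ingress(build_table(ASSIGNED), PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The filter removes the spoofed packets but forwards everything sent from a legitimately assigned address, whatever the volume.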


Why aren't the major backhaul providers like L3 forcing this as part of their pass through agreements? If the ISP cannot invest enough to follow the simplest of best practices then why do they allow them to connect? Seems dangerous for the backbone people.


Because none of them can and none of them have a financial interest to do so.

Default free providers such as NTT, GTT, Zayo/AboveNet, Level3/Global Crossing, ATT, CenturyLink/Qwest, Deutsche Telekom, Vodafone/Cable & Wireless, and others commonly (but incorrectly) known as Tier 1/"backbone" providers peer with other networks in a settlement free (no money is exchanged, or, on an accounting basis, everything zeros out) fashion because they are "peers" in the strictest sense: same size, same reach, same markets (mostly...)

There is no danger for them in passing bits.


> Seems that ISPs, on the other hand, might be able to play a more pivotal role.

Well, maybe there is a silver lining to Comcast and friends' data caps after all.


Internet of insecure IPv4 things.


How are these devices being accessed despite most houses having a router with a firewall? I thought IPv4, being so limited in possible IPs, pretty much forced everyone to use a router for NAT? So that would mean unless these people who have these devices did something really dumb, they should be behind a firewall, no?

Why are these devices being exposed to the internet?


Intentional holes in the NAT so they can review them remotely. Then there are security nightmares like UPNP where it automatically opens a hole in the firewall.

Lastly, even if you're behind a firewall you're still not safe. For example DNS rebinding attacks. The least secure device on your network gets hacked, the attackers then use it to scan and exploit devices on the LAN. In the enterprise I avoid this by putting different classes of devices on different VLANs, but this comes with the side effect of being very expensive hardware wise and not easy for the average user to manage.


NAT is not a firewall. Full stop.

Many home routers are horrifically insecure with numerous remote vulnerabilities. Many IoT devices have vulnerable and accessible interfaces locally and externally.


I didn't mean to imply that a NAT was a firewall. Most home routers, which are for NAT (mostly) come with a firewall. Albeit a basic one, it still comes with one.


It reminds me of the times when I was on phone with my ISP and he reboots my router remotely, live. In my head: what the * !?

Now, I'm paranoid each time they push an upgrade without warning. It was them or an E.T?


I always use another router after the one by the ISP, for precisely that reason.


And IPv6 will change things how?


It didn't. But there is hope that people will stop viewing NAT as a firewall. Also IPv6 link-local only addressing for home devices may help.


Whatever benefit link local addresses offer can be realized today by not assigning a gateway. I think it's a long shot to hope that future devices will deliberately try to not be globally connected.


IoT security is still so nascent that most vendors in it aren't really spending much time architecting a secure layer. Frankly they don't really care if their products get co-opted for a DDOS attack. There's no harm to their customer. This will be a huge problem as time goes on.


Are any developers avoiding working on IoT devices/interfaces because of the uncertainty regarding the security of these devices?

I have no idea of the liability of developers in this space, but the fact that the question even comes up in my mind certainly gives me pause.


"Please don't roll your own security" isn't much of an option when many of these things are running on custom stuff from the ground up. But, I doubt many will pay for a secure foundation to run on... Makes me wonder if the windows for IoT has any promise.


I guess my uninformed concern is… if I write an app that has an interface that manages a device that is suddenly embroiled in a class-action lawsuit, what are the chances that I'd be sucked into that lawsuit?


It looks like the attack is still growing too. https://twitter.com/olesovhcom/status/781547479879802880

I can't see this ending well.


I really wish they would name the make/model of the IoT devices...


Where's the data to back this up?



