'Dumb' devices exploited in global cyber attack

[Cyclone Boom 16,938]

Not so smart technology. 

Why must everyday household items be connected? People saw it coming, and these types of exploits are becoming all the more common. The hackers say this was a 'test', which has undoubtedly confirmed there's a major and dangerous loophole in the system.

No device is immune, but not even having a basic layer of security is just asking for trouble. The focus is too much on ease-of-use, and unfortunately, this makes it easier for the attackers on an increasingly global scale. The internet is too powerful for this casual, flawed approach by manufacturers. People connect such devices because they expect them to work. For the most part they do, and here lies the heart of the problem. Consumers are unaware or simply don't see the need for security on their fridge or toaster.

As evidenced by this latest attack, the real concerns are clear for all to see. It's an issue that needs to be smartly addressed.

And if you need an automated breakfast, the best solution has already been invented...

[Fantozzi 4,067]

To my knowledge the topology of the internet was thought of by army to decentralise IT to make it less vulnerable - so if one computer is hit by the enemy another can take his place.

Another aspect of this attack is - that this early idear of the net became a little forgotten. With copyright and ownership the idear of having controll over data physically came back to the net and therefore the wish to keep data in an centralized place. There have been so many strategic errors in the near past.

Did you f.e. know that all five public backbones linking german servers with america were sold during the last 15 years (=privatisized) with only one remaining at the end in Frankfurt. They created an aim for attacks.

Profit made attacking the internet easy. Made forget about the basic idear of decentarlized data and operating infrastructure.

[catty-cb 4,402]

I was one of the sites effected, doubt they were trying to get me , but guessing as I'm on shared server I was just collateral damage, luckily I'd got the site in maintenance mode as I'm in the middle of updating the site software ... first I knew about it was when I got dropped out of my site and couldn't get back again ... did manage to get in at one point and set the site firewall to auto IP ban anything it didn't like the look of ... so if anyone can't get in once the upgrade is finished let me know and we will sort it out.

Attaching a couple of pictures from my site firewall, the first one shows just how quicker it happened and the second one just where the attackers were coming from

 

[Fantozzi 4,067]

@catty-cb

Interesting stuff - but sorry - I'm not shure how to read the map. This means - from where the attacks came or which countries were attacked? Attacks blocked - china all white, does this mean no attacks to china?

[Turjan 1,048]

I would assume that is where the attacks originated from. Or better, countries in which devices were susceptible to being abused. I was not aware that Russia had so many "smart" devices, but I think also routers counted in that group. Unsecured routers may make up the lion's share in Russia, but who knows.

The widespread reach of the attack was due to one of the major companies that provides DNS servers being one of the targets. Without DNS resolution, the internet doesn't work anymore.

Actually, I'm thinking whether I may be part of the problem.  I have a few Logitech music devices that are basically connected to the net, and I don't think they are terribly safe. My washing machine only uses sound to connect, so that one should be okay. No idea about my router.

[catty-cb 4,402]

1 hour ago, Fantozzi said:

@catty-cb

Interesting stuff - but sorry - I'm not shure how to read the map. This means - from where the attacks came or which countries were attacked? Attacks blocked - china all white, does this mean no attacks to china?

The firewall was reporting who was attacking my website and from what country they came from and how many from each country ... so the scarlet red is really bad

[MushyMushy 3,618]

I knew something like this was coming.  All of these devices that have no reason to be connected to the internet are security holes. Computers are (usually) so much safer because (some) people put various layers of security on them and whatnot. Does a fridge have a firewall? Probably not. I don't take a second glance at appliances that are connected to the internet because I see zero benefit from it. Not only will they be susceptible to cyber attacks like this, but devices with no firewall blocking incoming/outgoing data can let the company collect data from the device to whatever extent the device allows.

Still, appliances aside, my greatest fear with this kind of stuff is cars. Why are we connecting cars to the internet? Not only are internet-connected cars a literal treasure trove of information for companies, they've already been shown to be relatively easy to hack. Once we get self-driving cars and trucks, someone could hack a fleet of trucks (since they'd all be the same design) and steal the cargo or just cause mayhem for their amusement. People's cars could be hacked and have some sort of bitcoin ransom put on the ignition. Horrible, horrible, horrible idea. There's a reason why I drive a car from the 90s and do not look forward to advent of self-driving autos.

[Fantozzi 4,067]

12 minutes ago, MushyMushy said:

I knew something like this was coming.

Really: recently I thought of a thriller plot where terrorists hijack self-driving cars to use them as 'wheeled drones' or reprogramming them to become some kind of 'suicide cars'.

[Cyclone Boom 16,938]

What we've seen here are devices compromised because of virtually zero security. Even though they appear shiny and smart on the outside, in terms of security, they’re vastly outdated. Most computers from the past decade would have stronger protection measures! A default password is useless, and is more likely to fool the user than the hacker.

That's what happened here. A selection of devices were targeted and used as a botnet to overload the chosen network. The major issue is these devices, and many others are the weakest link. Most don’t have any basic firewall at all, and unlike a PC, simply have no capacity to even contain one. In some cases, there is no way to change the default password, essentially making these devices a free-for-all.

With vehicles, this is one of my fears as well. Networked home appliances are dangerous on the larger scale. Although if hacked, a single autonomous car has the potential to cause absolute chaos. It only takes one -- not only to endanger the passengers, but any other people on the road. This could also be extended to other types of transport. Would you fly a plane with no pilot in control? Security aside, we've already seen this driverless tech isn't completely reliable, or without logical design flaws.

Even though it has its uses, contrary to popular belief, the internet is not the solution to everything. But if used in such ways, at least appropriate measures must be put in place. Maybe even segment both critical and non-essential systems, so a hacker could only gain limited control. Otherwise without question, it’s a recipe for disaster.

[Odainsaker 2,135]

Sadly, I don't think a cheap toaster manufacturer in Guangdong cares if their slapped-together and dump-exported appliance gets hijacked by a Russian government-backed botnet to disrupt American social websites.  As long as it sold and the dollars came in, what are those unaware Western suburbanite victims really going to be able to do?  They can't even read the name of the address from where it was shipped!

 

[Fantozzi 4,067]

13 minutes ago, Odainsaker said:

As long as it sold and the dollars came in, what are those victims really going to be able to do?

Well, I'm not shure if it's to blame the manufacturers or the users. Me, a poor little guy, has collected three computers during the years, each one serving a purpose. One of my pcs I never connect to the net and there I keep the nasty stuff.

To make a basic DNS server vulnerable by a security cam - it needs also some dullness on part of the user - as there is no need - at least I can't imagine one - to make them an entrance to the heart of a company. I don't think it would cause issues to run 'dumb' devices in separated environments, maybe even on local machines - but not to have them attached to the same intranet with the main business, the DNS-servers, in this case. That they could be used as a backdoor to the core of business - IMHO that's a failure of the user.

[Cyclone Boom 16,938]

27 minutes ago, Fantozzi said:

Well, I'm not shure if it's to blame the manufacturers or the users.

By failing to provide adequate security, I believe they are selling an inferior product. Like if a vehicle isn't roadworthy, these devices aren't internet-worthy. As with all technology, the user does hold responsibly to use the products sensibly. But the thing is, they are using them as designed. If the tools aren't provided and people aren't adequately informed of the risks, I'm not sure the user is to blame.

Some manufacturers aren't willing to invest in security, or don't realise the extent of the problem. All these products are being shipped around the world, just waiting to be used as the scapegoat of an attack. Really, there needs to be a new set of standards that all IoT devices must comply with.

[Fantozzi 4,067]

Reminds me somewhat of the ISIS attacks on paris. They used gaming consoles to communicate and therefore intelligence services missed it. 

12 minutes ago, Cyclone Boom said:

. Like if a vehicle isn't roadworthy

Not shure if this comparison fits. Regarding internet this would mean; don't drive if it isn't 100% secure - so practically you'll never drive. You can abuse a kitchen knife to kill somebody - so is the solution to built into kitchen knifes a 'human flesh recognizer' which raises the prices to a level only few people can efford? Wouldn't it be much simpler to keep them out of reach?

IMHO - as you can't avoid abuse of technology, the only thing you can do is to limit the consequences of it. And so - everything you attach to the internet is like opens up a gate - like in the TV-show 'Stargate'. To open and close this gate - it's your decission. But you can't blame the gate when you open it and the orcs come in.

 

 

[Cyclone Boom 16,938]

14 minutes ago, Fantozzi said:

Regarding internet this would mean; don't drive if it isn't 100% secure - so practically you'll never drive.

Sure there will always be risks, it's just a case of taking appropriate measures to reduce them.

As much as nothing is foolproof, nothing is ever 100% secure. It can't be guaranteed, and is only relative to the most vulnerable point in the system.

[SecretMbr_735754 2,157]

This is just a heads up on this important topic.   If you have signed up in any of the social media sites that were recently attacked, you may now be at risk of receiving emails from the malicious operatives.  I have just studied one of their little masterpieces of malignant communication and it is particularly ugly and nasty.   These vile specimens of lower parasitic bacteria are somewhat more sophisticated than usual attempting to represent legal authority and attacking high level representatives of social responsibility.   So be wise and stay vigilant and study carefully each and every suspicious internet activity. 

[APSMS 1,892]

On 10/22/2016 at 7:03 PM, Cyclone Boom said:

And if you need an automated breakfast, the best solution has already been invented...

I thought you were referring to this machine instead, but Wallace and Gromit is neat too. Hadn't seen that bit before.

 

I agree that the IoT is a pretty neat concept, but not particularly useful in execution, especially if there's this kind of vulnerability that goes along with it.

  Edited October 24, 2016 by APSMS  
Duplicate post.

[T Wrecks 10,209]

Ah, yes... if only these attacks hit the IoT evangelists themselves, then I could really ROFLMAO. Seeing how these idiots contribute to putting sites such as catty's at risk, it's not quite as funny.

I'd never buy such a connected device. The actual use is extremely limited, and even then it is further restricted by its reliance on patterns: Milk empty => Fridge orders more milk. What if I know that I'm going to go away for a while and won't need milk anytime soon? Yeah, let me guess... tell my fridge what I don't need or drown in unnecessary stuff. What an advantage over ordering what I need, when I need it! Another risk that people don't even look at: When my fridge orders stuff over the Internet, I guess I can safely assume that basically half the world has an easy way of knowing what I eat and drink, what brand I prefer, how much I eat and drink, and so forth... a marketer's wet dream come true.

People went crazy over Google Streetview, fearing the images - static images several years old! - would benefit criminals and help them break into your flat. And yet, these days I read of concepts such as smart light bulbs and thermostats whose usage/consumption patterns can be shared online and that communicate with their manufacturer via the Internet - hack into them, and you know when I'm at home and when not - all nice and comfy without getting out of your desk chair. Now that could actually be useful for criminals, unlike the StreetView images.

Seems like some people are so high on technical feasibility that they have forgotten about common sense, good measure and the inherent security of truly dumb devices. A toaster whose one and only function is toasting cannot and will not be turned into a cyber weapon - not now, not tomorrow, never. Give it an online connection, and there you go. And what benefit do you get in exchange? "ZOMG, I can totally put in some slices of bread in the morning and remote-start my toaster on my way back from work so the toast has cooled down when I walk into the kitchen, isn't that, like, the best thing ever? I can even regulate the degree of toastiness on my smartphone while I wait at the traffic light! Wait, I can even pair my smartphone with the in-car system, make a hands-free call to my toaster and SPEAK the toasting instructions while I drive! How could I ever have lived without these blessings of modern technology? Never mind the risks, this is what technical progress is made for!"

What's more, many of the appliances in question used to be very simple devices where there's not that much that can break - add a few chips, and you have more components that can fail and ruin an otherwise intact device.

Sometimes something as simple as a plain mechanical button, crank, or lever can make all the difference in terms of security - and not some overloaded firmware with pass codes. Your internet connection cannot turn a manually used, mechanical key in a mechanical lock.

Manufacturers of course claim that customers are at least partly to be blamed as well. Are they right? Yes and no. Yes, because if you don't change a factory default password, it's not a wonder you get hacked. You were negligent. However, the manufacturers have been even more negligent. Consumers are simply not used to having to protect these kinds of appliances because it wasn't necessary in the past. They still think of the legacy appliance when they think of protection requirements. Why were antivirus programs so late in appearing on mobile phones, and why are they still not as widespread there as on your average desktop PC? After all, your smartphone is basically a mobile computer. Well, it's because the image of the good old, carefree dialy thing with the cord and the receiver persisted. Same with all appliances these days.

We're going to see more of this junk. It will be interesting to see how the entire IoT fad will fare.

[catty-cb 4,402]

1 hour ago, T Wrecks said:

Ah, yes... if only these attacks hit the IoT evangelists themselves, then I could really ROFLMAO. Seeing how these idiots contribute to putting sites such as catty's at risk, it's not quite as funny....

I was lucky in that I was updating the site software at the time so only myself and the other CB administrator had site access (update is going well and we were back in public view for a couple of hours last night while I checked out some stuff) ...

The thing is what happened is going to effect other people, I've always had a firewall on the site, but because there never was much risk ... the odd spammer or false positive I had the firewall set to stop access but not to ban anyone, I'd go thru the list of IP addresses it didn't like and decide yes that's bad ban it, or no I think that's a site user leave it alone, now of course I've got the firewall set to auto IP ban everything it doesn't like and that unfortunately means its going to be effecting site users once we are back "on air" and I can't see any way around it, the one time I got back into the site at the height of the attack the firewall was reporting literally hundreds of IP addresses a second there is no way a person can re-act to that kind of thing and accorded to the logs the firewall was struggling to cope and given it could happen again I can't in good conscience switch off the auto IP ban.

And that's just my site where to be honest if someone lost access to it it would be mildly inconvenient to them if that, but if the major sites start adding more security to stop it happening to them again, then Internet access starts becoming a privilege rather than the open community it is at the moment.

-catty

[Cyclone Boom 16,938]

Chinese manufacturer recalls webcams.

It's a start, but ultimately this isn't going to be resolved in the immediate short term. There are countless other devices containing flaws. These are hardcoded, and don't even have the capability to be updated. All of them are sitting targets.

Unfortunately, whether we like it or not, the "Internet of Things" is here to stay. Advertising is so powerful, and has created an artificial desire. Eventually, much like with PCs, people will slowly begin to realise the dangers. Once manufacturers stop cutting corners, and begin to up their game, we'll hopefully see a more prudent approach. Because right now, these exploits are indeed a result of negligence. Companies or individuals are receiving the brute force of such attacks (DDoS), through little fault of their own.

Then again, equally as efforts are made to improve IoT security, hackers will try new ways to manipulate it. Technology is always an ongoing cycle. It's about keeping one step ahead, and considering the wider implications at each stage.

[Ocram's Razr 964]

I know for a fact I predicted this when Internet-connected devices were first released. I compared the future to an episode of Rockman.EXE (Meganan NT Warrior) where refrigerators were all hacked to be warm enough each night to spoil milk and ovens crank up to maximum, creating flames enough to strain the fire department.

[TekindusT 3,809]

My stance on IoT and connected devices is quite summed up by this Twitter account [link]. An account that makes you laugh and, at the same time, make you think if we really need/want to live in a connected world.

[SecretMbr_735754 2,157]

This important discussion so far has addressed commercial and private products and personal use of computer-related goods, but the 'Internet of Things' today is even bigger.   As far as I know all civil engineering, emergency systems, utilities, defense systems everywhere in the world today are computer network connected.  We can no longer deny that we do now live in a fully operational global civilization integrated by the use of electric power and computer networks, and it becomes critical that people everywhere disallow network issues to become political or cultural issues.   If the power grid goes down, never-mind your fridge and toaster, you won't be able to flush the toilet or get a glass of water or call an ambulance.   Is the United Nations going to help?  I doubt it.  This world is now in the hands of the people of the world themselves.

[Fantozzi 4,067]

On 25.10.2016 at 10:59 PM, RandyE said:

but the 'Internet of Things' today is even bigger.

What makes me worry - one day I wake up and me, myself, is a part of it. My smartphone ate me. Me - I became a thing of this internet of things too, something plugged into the net. And no matter how hard I try - I can't cut those connection without becoming very, very lonely, isolated. And slowly my batteries run dry. I get tired and fall asleep.

And the next morning I wake up ...

...

...

 

[SecretMbr_735754 2,157]

46 minutes ago, Fantozzi said:

And the next morning I wake up ...

There's a lot of interesting science in computers and physics these days, so maybe not so bad waking up in some mathematical dimension beyond this world, and I'm not talking about the flakey science.  One major award (I forget the name) was given to a good theory of a 5th state of matter a couple years ago.    Major investments being made in quantum computing and fusion research too.   The future seems to be coming fast now.