Blog: Internet Of Things

Too little, too late. IoT vendors wake up and smell the coffee. …and the lawsuits

Ken Munro, 27 Oct 2016

The Dyn DNS DDoS outage created some pretty serious issues for the internet on Friday last week. I even lost access to Twitter for a while. Shock, horror!

We’re increasingly putting important (fortunately perhaps not critical) consumer systems on to the internet and relying on web access to control them. That’s one matter if it’s a coffee machine or a home appliance, perhaps another if it’s your burglar alarm or smart thermostat.

One of the most read blogs on our web site this year was our exposé around MV Power IP DVRs and IP CCTV cameras. Trivial remote code execution and you’ve got a bot net of 50,000 devices, ready to join Mirai.

Mirai itself started by using default creds on Dahua IP CCTV cameras. Telnet was exposed on the internet, so all you need are a few sets of default creds and you have your bot net. By complete coincidence, one of our team had reverse engineered the unusual creds, which are prepended with a string.

After adding some more devices to Mirai, extending to SSH after telnet, it’s believed there are approaching 1M devices in the bot net. That’s quite a meaty weapon, ready to soften up smaller countries pre-invasion perhaps…

Band-Aid fixes

So long as Mirai doesn’t grow further, the DDoS soaking providers have a chance of blocking bad traffic as devices participate in the bot net. Preventing further growth is the key; one robust solution might be to block TCP port 23 across the internet. Brave perhaps, but who is legitimately using this plain text protocol? If they are, they’re frankly pretty foolish and possibly even participating unwittingly in a bot net.

SSH will be a LOT harder to block as that’s the secure alternative to telnet. Have fun defending that one.
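As an added example that is not part of the original post, here is the defender’s side of the telnet and SSH problem described above: a small Python log check that flags a LAN device reachable on telnet or SSH from the internet, the sources guessing credentials against it, and any source whose guessing eventually succeeded (default creds accepted). The log format, addresses, device name and LAN range are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): a home router's inbound firewall
# lines plus a DVR's own login results, in a minimal syslog-like form.
SAMPLE_LOG = """\
2016-10-21T13:02:11 fw: IN src=198.51.100.7 dst=192.168.1.20 dport=23 proto=tcp
2016-10-21T13:02:12 dvr: login user=root src=198.51.100.7 result=fail
2016-10-21T13:02:13 dvr: login user=admin src=198.51.100.7 result=fail
2016-10-21T13:02:14 dvr: login user=root src=198.51.100.7 result=fail
2016-10-21T13:02:15 dvr: login user=root src=198.51.100.7 result=ok
2016-10-21T13:05:40 fw: IN src=203.0.113.9 dst=192.168.1.20 dport=22 proto=tcp
2016-10-21T13:05:41 dvr: login user=root src=203.0.113.9 result=fail
2016-10-21T13:05:42 dvr: login user=root src=203.0.113.9 result=fail
2016-10-21T13:10:00 fw: IN src=192.168.1.5 dst=192.168.1.20 dport=23 proto=tcp
2016-10-21T13:10:01 dvr: login user=admin src=192.168.1.5 result=ok
"""

LAN = ipaddress.ip_network("192.168.0.0/16")   # assumed home LAN range
CONN_RE = re.compile(r"fw: IN src=(\S+) dst=(\S+) dport=(\d+)")
LOGIN_RE = re.compile(r"login user=\S+ src=(\S+) result=(ok|fail)")
WATCHED_PORTS = {23: "telnet", 22: "ssh"}

def analyse(log, fail_threshold=2):
    """Return which devices are reachable on telnet/SSH from outside the LAN,
    which sources failed logins at least fail_threshold times, and which
    outside sources logged in successfully after earlier failures."""
    exposed = defaultdict(set)   # device -> {"telnet", "ssh"}
    failures = Counter()         # source -> failed login count
    guessed_ok = set()           # outside sources whose guessing succeeded
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            src, dst, port = m.group(1), m.group(2), int(m.group(3))
            # Only connections from outside the LAN count as internet exposure.
            if port in WATCHED_PORTS and ipaddress.ip_address(src) not in LAN:
                exposed[dst].add(WATCHED_PORTS[port])
            continue
        m = LOGIN_RE.search(line)
        if m:
            src, result = m.group(1), m.group(2)
            if result == "fail":
                failures[src] += 1
            elif failures[src] and ipaddress.ip_address(src) not in LAN:
                guessed_ok.add(src)   # success after failures: creds were guessed
    return {"exposed": dict(exposed),
            "brute_force": {s for s, n in failures.items() if n >= fail_threshold},
            "guessed_ok": guessed_ok}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A device listed under "exposed" is a candidate for the port 23 block the text proposes; one listed under "guessed_ok" should be treated as already recruited.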

But the above are temporary solutions. My view is that the operators of Mirai will simply move on to a protocol that is as easy to attack and almost impossible to defend: HTTP.

We’ve blogged about numerous devices that feature remote code execution over port 80, nicely exposed to the internet via UPnP through customer home routers and ready to attack.

Blocking telnet is one thing. Blocking HTTP might cause a few issues…

Fixing it properly

The only way to resolve this issue properly is for the manufacturers to produce secure IoT devices. There is progress in this arena and plenty of guidance, e.g. HERE, but the existing installed base of IoT devices is ripe for exploitation.

In the meantime we have a huge set of vulnerable IoT devices ready to join Mirai, either through telnet, SSH, HTTP or other protocols.

A large proportion of these can’t even be updated remotely. The manufacturer of the Dahua CCTV cameras has announced a recall.

And here’s where it gets scary and quite serious for the IoT vendors

By announcing the recall, they’ve accepted that their devices are part of the problem.

That acceptance, depending on legislation in the country where they’re installed, may constitute liability.

A liability for what though?

  • Taking out some DNS?
  • Taking out some major social networks?
  • Taking out important components of the internet for a while?
  • Stopping a stock market trading?
  • Taking down the internet connectivity of a small country?

I’ve written about cyber liability insurance, particularly around losses incurred through thefts and attacks against a business, which can be insured against.

Product liability insurers need to have a very careful look at their policy wording, as the claims relating to IoT and DDoS could be far beyond the capacity of many underwriters. Perhaps even beyond the capacity of entire insurance markets.

The internet of things has been an interesting area for new markets and fast growth. The disregard for IoT security is now starting to have some very serious repercussions; for consumers, for the internet, for businesses, for power supplies, for countries.