On Wed, Sep 28, 2016 at 10:43 AM, Steve Kinney <admin@pilobilus.net> wrote:
On 09/28/2016 01:31 PM, Sean Lynch wrote:
> On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin@pilobilus.net> wrote:

> "Physical access is game over" so it may turn out that whoever owns
> the most Things wins after all.
>
> Ownership of Things is not permanent, though. Maintaining a botnet
> is a never-ending battle.

I need to understand Things better.  It makes sense to me that one can
buy or borrow a Thing, disassemble it in the hardware then the
firmware sense, and options for taking over that whole family or
series of Things should present themselves - hard-coded back doors for
vendor configuration updates, etc. should be quite common.  What I
don't understand is how one would go about identifying the right
addresses to send bogus vendor patches or other exploit code to,
without access to the vendor's own database of incoming pings from
Things.  MITM the vendor's connection and collect them as they pass?
Send connection requests to Things at whole IP address ranges and see
who answers?

It's a good question. So far it's been low-hanging fruit: devices people have intentionally or unintentionally opened to the Internet in order to make use of them. In this case, webcams, which people open to the Internet in order to be able to watch their dogs/fish/stepdaughter from the office. People think their IP is unguessable, or that because there's a password, it's "secure" even though it's the same password everyone else uses. I don't know what the vulnerability is in this case, but IoT vulnerabilities have often been generic vulnerabilities in a widely used piece of open source software.

Of course, IoT devices (really, any consumer device, versus application software) are "special" in that the code is often written by outside contracting houses and security just isn't on the list of requirements. I recall seeing right in the HTML of a bunch of different consumer wireless routers a comment saying "Reference code. Do not use in production." It's quite possible the code HAD been fixed and the Chinese developers just hadn't realized they should strip out the comment, but with that little attention to detail, it's not much of a stretch to imagine there were probably plenty of security holes there.

An APT can certainly MITM update checks. We've already seen it happen with Windows Update, and it's likely most IoT devices use a far less secure update mechanism. SSL at best, probably with a default set of trusted certificates. No bank robbery attack even needed; just find one of the dumber CAs and convince them to issue you a certificate. Then it's just a DNS spoofing problem.
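The mitigation for the update-channel MITM described above is to stop trusting the transport at all and have the device verify each image against a vendor key it already holds. The following is an added example, not code from this thread or from any vendor; the header layout (4-byte big-endian version followed by the image) and all key material are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the device downloads. Whether it arrived over TLS, plain
// HTTP or a spoofed DNS name is irrelevant: only the signature is trusted.
type Update struct {
	Version uint32 // monotonically increasing, checked to block rollback
	Image   []byte
	Sig     []byte // Ed25519 signature over version || image
}

var ErrBadSignature = errors.New("signature does not verify against pinned vendor key")
var ErrRollback = errors.New("update version is not newer than the installed version")

// signedPayload binds the version to the image so an attacker cannot
// re-present an old, validly signed image under a new version number.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// Verify uses a public key baked into the device at manufacture (pinned),
// never a key or certificate obtained from the download itself.
func Verify(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if len(u.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, signedPayload(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// SignUpdate is the vendor-side (offline signing host) counterpart.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedPayload(version, image))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine :", Verify(pub, 1, good))
	tampered := good
	tampered.Image = []byte("constructed image swapped in transit")
	fmt.Println("tampered:", Verify(pub, 1, tampered))
	fmt.Println("rollback:", Verify(pub, 2, good))
}
```

A certificate from a careless CA plus DNS spoofing gets an attacker the connection, but without the vendor's signing key the image is still rejected; the remaining risk moves to protecting that key and the device's anti-rollback counter.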