DDoS Of Things -

Sean Lynch seanl at literati.org
Wed Sep 28 11:09:28 PDT 2016


On Wed, Sep 28, 2016 at 10:43 AM, Steve Kinney <admin at pilobilus.net> wrote:

> On 09/28/2016 01:31 PM, Sean Lynch wrote:
> > On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin at pilobilus.net
> > <mailto:admin at pilobilus.net>> wrote:
>
> > "Physical access is game over" so it may turn out that whoever owns
> > the most Things wins after all.
> >
> >
> > Ownership of Things is not permanent, though. Maintaining a botnet
> > is a neverending battle.
>
> I need to understand Things better.  It makes sense to me that one can
> buy or borrow a Thing, disassemble it in the hardware then the
> firmware sense, and options for taking over that whole family or
> series of Things should present themselves - hard coded back doors for
> vendor configuration updates or etc. should be quite common.  What I
> don't understand is how one would go about identifying the right
> addresses to send bogus vendor patches or other exploit code to,
> without access to the vendor's own database of incoming pings from
> Things.  MITM the vendor's connection and collect them as they pass?
> Send connection requests to Things at whole IP address ranges and see
> who answers?


It's a good question. So far it's been low-hanging fruit: devices people
have intentionally or unintentionally opened to the Internet in order to
make use of them. In this case, webcams, which people open to the Internet
in order to be able to watch their dogs/fish/stepdaughter from the office.
People think their IP is unguessable, or that because there's a password,
it's "secure" even though it's the same password everyone else uses. I
don't know what the vulnerability is in this case, but IoT vulnerabilities
have often been generic vulnerabilities in a widely used piece of open
source software.

Of course, IoT devices (really, any consumer device, versus application
software) are "special" in that the code is often written by outside
contracting houses and security just isn't on the list of requirements. I
recall seeing right in the HTML of a bunch of different consumer wireless
routers a comment saying "Reference code. Do not use in production." It's
quite possible the code HAD been fixed and the Chinese developers just
hadn't realized they should strip out the comment, but with that little
attention to detail, it's not much of a stretch to imagine there were
probably plenty of security holes there.

An APT can certainly MITM update checks. We've already seen it happen with
Windows Update, and it's likely most IoT devices use a far less secure
update mechanism. SSL at best, probably with a default set of trusted
certificates. No bank robbery attack even needed; just find one of the
dumber CAs and convince them to issue you a certificate. Then it's just a
DNS spoofing problem.
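As an added example that is not part of this thread: the defence against the update-channel weakness described above is to authenticate the firmware itself rather than the transport, so a certificate from a weak CA plus DNS spoofing buys an attacker nothing. Go is used because its standard library ships Ed25519; the manifest layout and the vendor key baked into the device are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout (constructed for this example): 4-byte big-endian version
// followed by the SHA-256 of the image. The vendor signs this manifest with a key
// whose public half is pinned in the device, independent of TLS or the trust store.
const manifestLen = 4 + sha256.Size

func BuildManifest(version uint32, image []byte) []byte {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	h := sha256.Sum256(image)
	copy(m[4:], h[:])
	return m
}

// VerifyUpdate is what the update client runs after download: signature first,
// then anti-rollback, then image integrity. Any failure must abort the flash.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, manifest, sig, image []byte) error {
	if len(manifest) != manifestLen || !ed25519.Verify(pinned, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	if binary.BigEndian.Uint32(manifest[:4]) <= installed {
		return errors.New("rollback: version not newer than installed")
	}
	if h := sha256.Sum256(image); !bytes.Equal(h[:], manifest[4:]) {
		return errors.New("image hash does not match manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (pub is pinned on the device)
	image := []byte("constructed firmware image v2")
	manifest := BuildManifest(2, image)
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("genuine:", VerifyUpdate(pub, 1, manifest, sig, image))
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // an interposed server has a TLS cert, not this key
	fmt.Println("rogue:", VerifyUpdate(pub, 1, manifest, ed25519.Sign(rogue, manifest), image))
	fmt.Println("rollback:", VerifyUpdate(pub, 2, manifest, sig, image))
}
```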