DDoS Of Things -

[xorcist at sigaint.org]

> What bothers me is not this particular instance, but the proof of
> concept it represents, in a world where everything from refrigerators to
> night lights phones home.  Things present a very diffuse and low-reward
> attack surface individually, but as reflectors they provide a potential
> solar-furnace-like effect in the hands of a sophisticated attacker.
>
> "Physical access is game over" so it may turn out that whoever owns the
> most Things wins after all.

Interesting points.

I would take a small amount of exception to the idea that such Things are
low-reward though. I mean, I guess it really depends on what you're
looking for.

0wning a fat database server or web head farm is great, except its real
public. People are going to be getting in there, doing upgrades, analyzing
performance, and so on. There is always the outstanding chance that you'll
get expunged, either because you get found, or because they upgrade
hardware and/or software, and redeploy their work. Either way, its just a
matter of time before you lose access.

On the other hand, getting a set-top box, or some other embedded platform
is a different story. No one is looking at those things. They are
more-or-less completely off the radar. Root one, and you have it until the
device goes offline. Set it up to listen on a Tor hidden service on
startup, and you'll probably have access even if it hits the used market
and switches physical owners.

That may change some as IoT gets more attention, but for the near-to-mid
future, this problem is only going to get worse.