Web hosting company OVH said it had been attacked by a botnet (zombie army) of hacked devices such as webcams.
It's scary to think about the potential for leveraging IoT devices for DDoS attacks. Your dishwasher, fridge, thermostat, mattress, chairs could all be participants without you even knowing.
It's even scarier when someone takes one of your IoT devices and intends to harm you. Like making your fridge's ice maker flood your house. They talked about this at Defcon 24.
What I find even scarier is that, with computers and mobile devices, at least someone might notice when they're running slower than usual or consuming more data than usual. Most people have at least heard of computer viruses, and antivirus vendors have been trying pretty hard to get their crap on Android phones as well.
But would you notice if your thermostat was running a little slower than usual? Would it even occur to anyone that their dishwasher might have caught a virus? These things could participate in DDoS attacks all year long and nobody would suspect a thing. And even if someone did, fixing them would be much more difficult than taking your laptop to the nearest Best Buy (or even impossible, thanks to DRM).
Just last week I heard a talk at a conference about this very topic, because many of these smart IoT devices have horrible software and shoddy security practices and are basically never checked by their owners, while having quite powerful SoCs nowadays.
What I find most astonishing is that OVH can handle the attack. The one on Krebs was a success for the attackers, this one apparently not.
Botnets are run for business and will attract well-paying customers if they can demonstrate that they can disable (nearly) any target. The fact that any client of a hosting company such as OVH is very bad news for the attackers and excellent advertisement for OVH.
It's an astonishing ad for OVH if they can handle that with no problems. If they were able to measure the size, they didn't nullroute the target, which is something to be proud of.
This is obviously horribly illegal and unethical, but it does sort of appeal to that same small part of my brain that longs for things like violent proletariat revolution. Imagine if some greyhat security outfit intentionally bricked tens of thousands of these devices. Buyers would be pissed, go to the manufacturer for recompense, possibly to the level of bankruptcy, and there would finally be some incentive for taking IoT security seriously.
I'm not saying someone should do it... but I'm not saying someone shouldn't do it.
Could it be deemed an act of self defense if done in the middle of such an attack? We have all these laws where we are allowed (in the US) to shoot somebody and kill them if they invade our home or business. If I am a business owner, why could I not then "kill" the device that is attacking me? Is it any different than killing an attacking dog that belongs to someone else? Interesting thought experiment in the very least...
This is something that has occurred to me too. It would also, hopefully, result in large class action lawsuits against the manufacturers for producing products so insecure that they got mass bricked.
I would be all for such... preventative action... if it wouldn't also hurt the consumers. Unfortunately it is the end users that would lose.
Thanks for the link, it makes more sense than the BBC article. This is NOT a single DDOS attack but a series of large (independent? time-separated?) attacks.
Please excuse my potential naivete on the subject, as I don't work in the hardware space, but I asked this in the dupe yesterday and didn't get a follow up.
I don't understand why most IoT devices require an Internet connection to work, for anything other than phoning home (data collection by the device provider). Of course, a Television is different than a Refrigerator here.
Unless you live in a mansion where the distance from devices becomes significant, couldn't your "Home PC/Tablet/phone" connect to your IoT device via bluetooth or on the subnet? Exploits are still possible, but the majority of them would be localized. The cost of slightly lower ease-of-use (which can be mitigated by good OS support) would appear to have numerous security benefits.
One of the more obvious use cases is remote control of devices – say you want to turn the heating on remotely, then at some point it's going to have to communicate outside the network. Or if you have a remotely-accessible camera. Or an alarm system that notifies you when it goes off. Or a locking system, and so on.
I'm not arguing that this is a good thing, but it does explain why the devices want remote access. In an ideal world, this would function through some kind of home hub device – a single point of communication between "outside" and "inside", which has many clear benefits. In practice, it's going to be difficult to do this; devices don't use any kind of shared protocol or system that would enable this.
I am currently working on an 'IoT' project, and it also connects to a central server, directly, over wifi, for exactly these reasons. It's hard to see what other approaches are possible at this stage, until there is some kind of industry-wide standard that's actually used by manufacturers.
For the most part they don't. I think it's mostly groupthink and data that's driving it. No one thinks outside the loop of gather data, send home, analyse and sell, app talks to web.
Case in point, Musicbee - the excellent music player, has a little Android remote control app. It just operates via the local net behind the firewall. It's reliable and a well designed Android app.
If Samsung, Apple, or any startup were providing this it would send all your data to the website and the app would operate via the website too.
You'd gain the "convenience" of being able to change track and volume when out of earshot, and a web portal with adverts targeted on your listening and a pretty graph or two.
There's no need for my toaster, dishwasher to be web aware. Living on the local net would be enough for any of the features they give.
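What a "lives on the local net" control API looks like in practice, as an added example written for this discussion rather than code from Musicbee or from any poster: the device binds its control endpoint to its LAN address instead of every interface, and additionally refuses any peer that is not inside the configured home prefix, so the remote-control feature works on the subnet without being reachable from the Internet. The device address, the home prefix and the tiny volume/track API are all assumptions made up for the example.

```python
"""LAN-only control endpoint for a hypothetical IoT device (added example)."""
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed configuration: the device's own LAN address and the home prefix.
DEVICE_LAN_IP = "192.168.1.50"
HOME_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def peer_allowed(peer_ip: str, home_network=HOME_NETWORK) -> bool:
    """Return True only for peers inside the home prefix (or loopback).

    Binding to the LAN address already keeps the socket off any other
    interface, but a port forward or a flat ISP network that hands out
    private addresses can still deliver remote traffic to it; checking the
    peer address is the second line of defence.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if addr.is_loopback:          # on-device tooling
        return True
    # "Private" (10/8, 172.16/12, 192.168/16) is not enough: only the
    # configured home prefix counts, so another customer on an ISP network
    # that uses private addressing is still refused.
    return addr in home_network


class ControlHandler(BaseHTTPRequestHandler):
    """Minimal control API: GET / returns the player state as JSON."""

    state = {"volume": 40, "track": 3}

    def do_GET(self):
        if not peer_allowed(self.client_address[0]):
            # The weak version of this handler has no such check and binds
            # to 0.0.0.0, which is exactly the "web aware" toaster problem.
            self.send_error(403, "control API is LAN-only")
            return
        body = json.dumps(self.state).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def serve(bind_ip: str = DEVICE_LAN_IP, port: int = 8080) -> HTTPServer:
    """Bind to the LAN address only, never to 0.0.0.0."""
    return HTTPServer((bind_ip, port), ControlHandler)


if __name__ == "__main__":
    server = serve()
    print(f"LAN-only control API listening on {DEVICE_LAN_IP}:8080")
    server.serve_forever()
```

The policy function is deliberately stricter than `ipaddress.is_private`: a device that is plugged straight into an ISP network without a NAT router (the case raised further down the thread) may see private source addresses belonging to other customers, and those should not get control access either.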
> Unless you live in a mansion where the distance from devices becomes significant
How do I check my cameras from work? When I realize I didn't remember to record my favorite program once I reach work, how do I fix that?
> couldn't your "Home PC/Tablet/phone" connect to your IoT device via bluetooth or on the subnet?
Not every customer has a NAT router setup at home.
> The cost of slightly lower ease-of-use (which can be mitigated by good OS support)
Lower hanging fruit would be not leaving a telnet server open on the box in the first place, which is apparently already more work than some of these companies are willing to invest. And I'm not sure how good OS support is supposed to make up for the lack of a NAT router, or how you're supposed to limit things to your home network when you want to access them from work - or how those two fundamentally incompatible goals are supposed to be made compatible by "good OS support".
In just a few years we may be dealing with tens of Tbps DDoS attacks thanks to the "explosion of IoT", unless IoT manufacturers get their shit together (perhaps also encouraged by aggressive government actions and fines against those who don't follow some set best practices on security).
Do we blame the ice maker manufacturer when poisoned water flows from the city water pipes? Do ice machines have viral and chemical threat detection? Wouldn't the ISP be a better place to assign liability? Or, perhaps, just maybe, the actual user of a device? It's not Lenovo's fault when a user gets a virus.
I agree device security ought to be better, but the free market can solve that. If a particular brand of toaster is constantly being hacked, the market would respond. I wouldn't expect an ice maker manufacturer to be held liable for poisoned water supplies.
It's a tough issue, but 'more government' isn't the answer. The government can barely keep their own data safe, let alone be trusted to enforce how others ought to keep theirs safe.
The FDA is supposed to keep medicines safe, yet it has become a monster that adds billions to the costs of drug development. I am not saying to ditch the FDA, but I would be fearful if releasing a new IoT device required FDA-level approval. Your connected toaster would cost $9000.
How are these devices being accessed despite most houses having a router with a firewall? I thought IPv4, being so limited in possible IPs, pretty much forced everyone to use a router for NAT? So that would mean unless these people who have these devices did something really dumb, they should be behind a firewall, no?
Why are these devices being exposed to the internet?
IoT security is still so nascent that most vendors in it aren't really spending much time architecting a secure layer. Frankly they don't really care if their products get co-opted for a DDOS attack. There's no harm to their customer. This will be a huge problem as time goes on.
"Please don't roll your own security" isn't much of an option when many of these things are running on custom stuff from the ground up. But, I doubt many will pay for a secure foundation to run on... Makes me wonder if Windows for IoT has any promise.
smaili | 9 years ago
zitterbewegung | 9 years ago
kijin | 9 years ago
kayoone | 9 years ago
unclebucknasty | 9 years ago
But, it seems that ISPs could play a more pivotal role in combating this, and that they'd have financial incentive to do so.
For instance, what if we built more security/detection into routers/gateways (especially those that ISPs push)?
What if we combined this with mandates for ISPs to better monitor their traffic and established minimum standards for doing so?
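The kind of router/gateway-side detection this comment asks for, combined with the "telnet server open on the box" point made earlier in the thread, as an added example that is not code from any poster or vendor: a gateway that sees NetFlow-style records can (1) flag any connection from outside the LAN that reaches a telnet port on a LAN device, i.e. a management service exposed to the Internet, and (2) flag a LAN device that pushes an unusual packet volume at a single external host inside a short window, which is what a thermostat drafted into a flood looks like from the router. The record format, the thresholds, the 2323 alternate telnet port and every address in the sample are constructed for the example.

```python
"""Gateway-side detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home prefix
MGMT_PORTS = {23, 2323}                        # telnet and its common alternate
WINDOW_SECONDS = 60
FLOOD_PACKETS_PER_WINDOW = 5000                # assumed budget per (device, host, window)


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds when the flow started
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport> <packets>'."""
    ts, src, dst, proto, dport, packets = line.split()
    return Flow(int(ts), src, dst, proto, int(dport), int(packets))


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def exposed_management(flows):
    """(src, device, port) for inbound flows from outside the LAN to a management port."""
    hits = {(f.src, f.dst, f.dport) for f in flows
            if not in_lan(f.src) and in_lan(f.dst) and f.dport in MGMT_PORTS}
    return sorted(hits)


def flood_participants(flows):
    """(device, target, packets) where a LAN device exceeds the per-window budget to one host."""
    buckets = defaultdict(int)                 # (device, target, window) -> packets
    for f in flows:
        if in_lan(f.src) and not in_lan(f.dst):
            buckets[(f.src, f.dst, f.ts // WINDOW_SECONDS)] += f.packets
    worst = {}                                 # keep the heaviest window per pair
    for (src, dst, _), pkts in buckets.items():
        if pkts > FLOOD_PACKETS_PER_WINDOW:
            worst[(src, dst)] = max(worst.get((src, dst), 0), pkts)
    return sorted((src, dst, pkts) for (src, dst), pkts in worst.items())


# Constructed sample: the camera on .50 is reached on telnet from outside, then
# hammers one external host; the laptop on .10 just browses.
SAMPLE_FLOWS = [
    "1700000000 198.51.100.7 192.168.1.50 tcp 23 12",
    "1700000003 192.168.1.10 203.0.113.20 tcp 443 310",
    "1700000010 192.168.1.50 203.0.113.9 tcp 80 2600",
    "1700000020 192.168.1.50 203.0.113.9 tcp 80 2700",
    "1700000040 192.168.1.50 203.0.113.9 tcp 80 1900",
    "1700000070 192.168.1.50 203.0.113.9 tcp 80 900",
    "1700000075 192.168.1.10 203.0.113.20 tcp 443 120",
]


def analyse(lines):
    flows = [parse_flow(line) for line in lines]
    return {"exposed": exposed_management(flows),
            "flooding": flood_participants(flows)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_FLOWS).items():
        for hit in hits:
            print(kind, *hit)
```

On the sample the first record trips the exposure check (an Internet host reached port 23 on the camera) and the two flows at ts 10 and 20 land in the same 60-second window for 5300 packets, which trips the flood check; the later 1900 + 900 fall in the next window and stay under budget. A real gateway would learn the budget per device class rather than use one constant, but the shape of the check is the same.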
vesinisa | 9 years ago
whatwasmypwd | 9 years ago
dx034 | 9 years ago
Shank | 9 years ago
cek | 9 years ago
Analemma_ | 9 years ago
bkmartin | 9 years ago
i_are_smart | 9 years ago
valarauca1 | 9 years ago
lsh123 | 9 years ago
FilterSweep | 9 years ago
matthewmacleod | 9 years ago
anexprogrammer | 9 years ago
MaulingMonkey | 9 years ago
mtgx | 9 years ago
http://www.nbcnews.com/tech/security/kaspersky-smart-fridges...
briandear | 9 years ago
unclebucknasty | 9 years ago
>encouraged by aggressive government actions and fines...
Funny, I just replied to another comment that it seems near hopeless to expect this of manufacturers.
Seems that ISPs, on the other hand, might be able to play a more pivotal role.
betaby | 9 years ago
kminehart | 9 years ago
tedunangst | 9 years ago
wayneotau | 9 years ago
gardano | 9 years ago
I have no idea of the liability of developers in this space, but the fact that the question even comes up in my mind certainly gives me pause.
cordite | 9 years ago
doctorshady | 9 years ago
I can't see this ending well.
ayyn0n0n0 | 9 years ago
kkirsche | 9 years ago