Tag Archives: Internet Of Things

The Global Shipping Industry is a Shipwreck

Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.

According to pen testers, shipping industry security is where mainstream IT was years ago.

The pen testers say that the attacks are TRIVIAL to execute and easy to mitigate against.

These ships are connected via satellite and are always on the Internet, like most businesses, just with crappy, insecure software.

The pen testers created proof of concept attacks where they took ships off course.  A bad guy could cause ships to crash into each other at night or in fog.

The flaws that they revealed are just the tip of the iceberg, the pen testers say.

They say that this is definitely a matter of when a big attack happens and not if.

One attack targeted the electronic chart display and information system (ECDIS).  Hack the charts and young sailors who trust the computer instead of "looking out the window" will be easily fooled.  They tested 20 different ECDIS systems and all of them were easy to hack.  If the ship is in autopilot mode tied to ECDIS and ECDIS is hacked, then the hackers can steer the ship anywhere they want it to go.  That is just one attack.

OK, so what does this mean to you and me?

Since most of us are not captains of tankers or container ships, it is not about that.  But if you are, take note!

These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.

While you may not captain a ship, your car likely has hundreds of computers in it and we have seen them hacked in the news from time to time.  When you buy a car, do you ask about the security of it?  If you do, the salesperson is probably clueless and has no idea about the answer.  Most people just believe whatever babble the salesperson provides.

Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.

Once you buy it, you likely own the problem.  The problem has to get massively large before anyone is really going to help you.

You are, pretty much, on your own.  Understand that and make sure that you are OK with that.

Information for this post came from Threatpost.

You Own Your Car, But Do You Control It?

Smart cars are very in these days.  You can start the car remotely, lock or unlock the doors, even find out where the car is.  We also saw a smart car get taken over, with researchers turning the steering wheel 90 degrees while the car was going 60 MPH and controlling the gas and brakes.  But what happens when you sell it?  Conversely, what happens when you buy it?

In many cases, smart cars allow you to control the car from an app on your phone.  While you can't slam on the brakes from your phone (the researchers had to do quite a bit of work to accomplish that), you can do other things, whether you own the car or not.

A researcher at IBM's X-Force Red gave a presentation on the subject of dumb Internet of Things devices.  Not only could you control your car remotely (or, more nerve wracking, someone else's car), but recently we heard of a person who returned a webcam after setting it up to talk to his phone, and a few weeks later got a message saying there was activity on the webcam.  He was able to watch the new owners on his old camera.

In the case of the car, you can do a factory reset and/or delete your data, but neither of these will remove the app's ability to control your car.  Only the dealer can, apparently.  Likely this depends on the car model and whether the equipment is original or add-on.

In addition, the data that has been collected over the years lives in the cloud and doing a reset on the car will not wipe the data out of the cloud.

For the most part, when people are done with an Internet of Things device, they kind of forget about it.  We are beginning to get trained about data on cell phones, but not about used webcams, cars or refrigerators.  With many of these devices having cameras, the original owner could get some "interesting" pictures.

My recommendation is that before you sell or dispose of an IoT device other than by crushing it to bits, you need to find out what it takes to disconnect from it.

On the other side, if you are buying a used IoT device (such as a used car), you need to make sure that you understand who has control of it.

In many cases, the seller or the middleman acting as the seller's agent has no clue how to remove access, or maybe whether anyone even has access.  All they want to do is get their money, so they will likely blow you off or belittle the problem.  You are going to need to take the bull by the horns and likely not trust the first answer that you get.

This is a bit of the wild west.  Time to get that lasso out and wrestle that security steer to the ground.  But just like in the Old West, wrestling that steer to the ground may  not be easy.

Information for this post came from Naked Security.



The Internet of In-secure Things

Hackers are combining the Internet of Things with a 12 year old weakness in open source software and creating a potential mess.

Last week tens of thousands of hacked Internet of (in-secure) Things devices created a 600 gigabit per second attack against a security blogger's web site, and just after that the same kind of devices created a terabit per second DDoS attack against the French web hosting company OVH.

Many of these devices have either weak default passwords (userid=admin, password=admin, for example) or hard coded, meaning unchangeable, passwords, making it very easy for hackers.

The source code for the malware behind these two attacks, called Mirai, has been released on the Internet, and researchers say they are already seeing other hackers modifying it to build new attack tools.

Combine this with a TWELVE YEAR OLD weakness in the very popular OPEN SOURCE tool OpenSSH that hackers are using to abuse these Internet of (unpatchable) Things devices and we may have a large mess.  The weakness is not a memory corruption bug but a long-standing default: unless the administrator sets AllowTcpForwarding to no, any user who can log in over SSH can ask the server to forward TCP connections on their behalf.  On a device that ships with a factory password, a login is all it takes.

The attackers are not using this OpenSSH behaviour to break into sites, but rather to relay huge amounts of traffic through the devices at the sites under attack, which also hides where the traffic really comes from.

So if we look at one Internet of (in-secure) Things device, Avtech DVRs for Internet cameras: researchers have found 130,000 of these devices on the Internet and say they have 14 exploitable bugs.  If an attacker decided to use these 130,000 devices in combination with the OpenSSH forwarding trick, they would have a pretty decent army, likely able to take down all but the biggest web sites.
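The forwarding default described above is easy to check for. The Go program below is an added example, not code from the original post or from OpenSSH: it parses an sshd_config the way sshd does (keywords are case-insensitive, the first value for a keyword wins, and directives under a Match block are conditional, so parsing stops there) and lists the settings that let a password-guessing bot turn a device into a relay or a shell. The two config files inside it are constructed for the demonstration, and the defaults table reflects OpenSSH 7.x behaviour, where AllowTcpForwarding is "yes" when it is not set at all.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Defaults sshd applies when a directive is absent (OpenSSH 7.x and later).
// AllowTcpForwarding defaulting to "yes" is what turns a guessable password
// on an IoT device into a traffic relay.
var sshdDefaults = map[string]string{
	"allowtcpforwarding":     "yes",
	"gatewayports":           "no",
	"passwordauthentication": "yes",
	"permitrootlogin":        "prohibit-password",
	"permitemptypasswords":   "no",
}

// ParseSSHDConfig returns the effective value of each directive in the global
// section of an sshd_config. As in sshd, keywords are case-insensitive and the
// first occurrence wins. Parsing stops at the first Match block because the
// directives under it only apply conditionally.
func ParseSSHDConfig(text string) map[string]string {
	eff := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// sshd accepts "Keyword value" and "Keyword=value".
		fields := strings.FieldsFunc(line, func(r rune) bool { return r == ' ' || r == '\t' || r == '=' })
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if _, seen := eff[key]; !seen {
			eff[key] = strings.ToLower(fields[1])
		}
	}
	for k, v := range sshdDefaults {
		if _, ok := eff[k]; !ok {
			eff[k] = v
		}
	}
	return eff
}

// Findings lists the settings that let a bot with a factory password use the
// host as a proxy or a shell. A device that needs no SSH forwarding should
// produce none of these.
func Findings(eff map[string]string) []string {
	var out []string
	if eff["allowtcpforwarding"] != "no" {
		out = append(out, "AllowTcpForwarding is not 'no': any authenticated user can proxy TCP connections")
	}
	if eff["gatewayports"] != "no" {
		out = append(out, "GatewayPorts is enabled: forwarded ports are reachable from remote hosts")
	}
	if eff["passwordauthentication"] == "yes" {
		out = append(out, "PasswordAuthentication is enabled: default or weak passwords can be guessed")
	}
	if eff["permitrootlogin"] == "yes" {
		out = append(out, "PermitRootLogin yes: password login as root is allowed")
	}
	if eff["permitemptypasswords"] == "yes" {
		out = append(out, "PermitEmptyPasswords yes: accounts without a password can log in")
	}
	return out
}

// Constructed sample: a vendor config that never mentions forwarding, so the
// sshd default (yes) silently applies.
const sampleIoTConfig = `# /etc/ssh/sshd_config on a hypothetical camera
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
`

// Constructed sample: the same device hardened. The Match block re-enables
// forwarding for one account only and is deliberately not counted.
const hardenedConfig = `Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
Match User backup
    AllowTcpForwarding yes
`

func main() {
	for name, cfg := range map[string]string{"vendor": sampleIoTConfig, "hardened": hardenedConfig} {
		findings := Findings(ParseSSHDConfig(cfg))
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The point of the defaults table is the first finding: a config that says nothing about forwarding is not safe, it is forwarding-enabled, which is the case the Avtech-style devices are in.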

So we really have two issues here.

#1 is the fact that open source software is not a panacea.  Open source advocates say that open source is better because people can look at the source code for bugs.  Well, that is true.  They can.  But almost no one does.  And unless you take the actual source code that you personally reviewed, compile it yourself and install that exact build, you really don't know what you are running, so the story doesn't hold water.

Add to that the fact that even though OpenSSH is EXTREMELY popular, this weakness stuck around for 12 years.  In fairness, it lived in a documented default setting rather than in buried code, which is exactly the kind of thing that "many eyes" reading the source skip right past.

So open source is not a silver bullet.  I agree that you can use it as people suggest, but almost no one will.

#2  is the Internet of Things, or as some people are calling it, the Internet of In-Secure Things or the Internet of Unpatchable Things, both of which seem to be true.

Until we get our hands around this problem, these billions of devices that we are adding to the Internet will be a huge problem.  They will be able to attack other web sites and even attack the owner’s own home and business networks.  It is going to be a mess for the foreseeable future.

Until manufacturers get the message that they have to patch IoT things, AND users get the message that they have to patch their refrigerators and security cameras every month, or manufacturers are forced to issue patches under penalty of being sued successfully, things are unlikely to get better.  You could disconnect your own IoT devices, but you will still need to deal with those people who do not disconnect theirs.

Unfortunately, I don’t have a good answer.  One thing that will help, if manufacturers sign on for this, is for devices to automatically look for and install patches.  That means that the manufacturers need to become serious about creating patches and then automating the installation of them.  People are just not going to patch their refrigerators on a regular basis.

If you consider cell phones the ultimate IoT device, even for them we are not seeing all manufacturers being serious about patching them.

You definitely need to isolate any IoT devices on their own network so that, at least, when your IoT devices are compromised, the attackers cannot use them as a stepping stone into the rest of your network.

Information for this post came from Computerworld.

Internet of Things – The New Hacker Attack Vector

Recently, Brian Krebs (KrebsOnSecurity.com) was hit with a massive denial of service attack.  The site went down, hard, and stayed down for days.  The provider that had been shielding the site from DDoS attacks for free dropped him.  The attack threw over 600 gigabits per second of traffic at the site.  There are very few web sites that could withstand such an attack.

The week after that, there was another denial of service attack – this time against French web hosting provider OVH – that was over 1 terabit per second.  Apparently, OVH was able to deal with it, but these two attacks should be a warning to everyone.

These attacks were both executed using the Mirai botnet.  Mirai used hundreds of thousands to millions of Internet of Things devices to launch these attacks.  The originator released the source code because, he says, he wants to get out of the business.

While Mirai used to control around 380,000 devices every day, some ISPs have started to take action and the number is now down to about 300,000 a day.

There are a couple of reasons why the Internet of Things presents a new problem.

The first problem is patching.  When was the last time that you patched your refrigerator?  Or TV?  I thought so!  After 10 years of berating users, desktops and laptops are being patched regularly. Phones are being patched less regularly.  Internet of Things devices are patched almost never.

The second problem is numbers.  Depending on who you believe, there will be billions of new IoT devices brought online over the next few years.  These range from light bulbs to baby monitors to refrigerators.  The manufacturers are in such a hurry to get products to market, and since there is almost no liability for crappy security, they are not motivated to worry about it.

Brian Krebs, in a recent post, examined the Mirai malware and identified 68 username/password pairs hardcoded into this "first generation" IoT malware.  For about 30 of them, he has tied the credentials to specific manufacturers.

This means that with a handful of hardcoded userids and passwords, Mirai was able to control at least hundreds of thousands of IoT devices.

How many IoT devices could a second- or third- generation version of that malware control?

The third problem is the magnitude of these attacks.  While DDoS attack prevention services like Cloudflare and Akamai have been able to handle attacks in the 500 gigabit per second range, if the growth of DDoS attacks continues and we are talking about multi-terabit attacks, how much bandwidth will these providers need to purchase to keep up with the DDoS arms race?  While the cost of bandwidth is coming down, the size of attacks may be going up faster.

Lastly, ISPs – the Internet providers that enable the Internet connection to your home or office are not stepping up to the plate quickly enough to stomp out these attacks.

The ISPs may become more motivated as soon as these rogue IoT devices that are sending out DDoS traffic force the ISPs to buy more bandwidth to keep their customers happy.

Of course, like Brian Krebs, if your company winds up being the target of one of these attacks, your ISP or DDoS protection provider is likely to drop you like a hot potato.  And equally likely, they will not let you back on after the attack is over.

If being able to be connected to the Internet is important to your business, and it is for most companies, you should have a disaster plan.

The good news is that if your servers are running out of a data center, that data center probably has a number of Internet Service Providers available and you should be able to buy services from a different provider in the same data center within a few days to a week.  Of course, your servers will be dark – down – offline – in the mean time.  Think about what that means to your business.

For your office, things are a lot more dicey.  Many office buildings only have a single service provider – often the local phone company.  Some also have cable TV providers in the building and some of those offer Internet services, but my experience says that switching to a new Internet provider in your office could take several weeks and that may be optimistic.

Having a good, tested, disaster recovery plan in place sounds like a really good idea just about now.


Information for this post came from PC World.

The Brian Krebs post can be read here.

Internet of Things Devices Used For Massive DDoS Attacks


Lizard Stresser, the "service" that came to fame on Christmas Day 2014 when it knocked Sony's PlayStation Network and Microsoft's Xbox Live offline, has never gone away.  Now it has a new claim to fame.

The claimed purpose of the software was to allow web site owners to stress test their web sites under load, but suffice it to say, people found “other uses” for it – like taking Sony and Microsoft down on Christmas.

Some of the people who ran the original Lizard Stresser were arrested, but they had already open sourced the software, allowing for lots of copycats.

According to the security company Arbor Networks, which has been watching Lizard Stresser, there are now about 125 separate groups hosting a Lizard Stresser command and control server.  My guess is that 124 or more of them are run by hackers.

Which brings us to today.

Some of these "hosts" have discovered that the Internet of Things is a great place to run the Lizard Stresser client, the part that floods your web site, if it wants to or if someone pays them to.

The code for the client is very simple and has been compiled for a variety of computers such as ARM, MIPS and X86 – in other words, your home computer or your baby monitor.

Or most any other Internet of Things device including your phone or tablet – where you pay for the bandwidth that you use.

Why use IoT devices?  It is pretty simple.

An IoT device is a general purpose computer, really no different than your phone, laptop or tablet, usually running some variant of Linux, hence a well known operating system, and it has access to all of your bandwidth.  The operating system is stripped down to run on a small processor with little memory and probably no disk, so it has few or no security features.  And, likely, no one is looking at it.

Who installs anti-malware software on their baby monitor (NOTE:  Replace baby monitor with ANY IoT device)?  Who regularly logs in to (as opposed to just looking at your baby) their baby monitor to see what processes are running?  Who manages the bandwidth being used by that baby monitor?  Who locks it down to talking to two IP addresses (like your phone and your partner’s phone)?

If the attacker is careful, they can keep the CPU utilization below a threshold that would stop the IoT device from working and not completely clog up your entire bandwidth – hence likely run completely undetected for a very long time.

Likely it is attacking something on the other side of the world.  When it is the middle of the night where the IoT device is, it is the middle of the day where the site that you want to take down is. And vice versa.  Middle of the night equals no one may care if the IoT device is sluggish.

Right now the version of Stresser that Arbor is looking at tries default userids (like ROOT, ADMIN, USER, LOGIN and GUEST) and default passwords (like ROOT, ADMIN, 1234, 123456 and PASSWORD).

These userids and passwords are compiled into the program, so if you want to change the list, get out an editor, change it and recompile.  This is no problem for anyone other than the most basic hacker kid in his or her parent's basement.
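Mirai's list of 68 pairs (described in the post above on the Krebs attack) and the Stresser client's built-in list work the same way: connect to the device's telnet prompt, try each factory pair, keep the device if a shell comes back. The Go program below is an added example, not code from the original posts or from either piece of malware: it audits a device you own against a short constructed credential list (a handful of the pairs the posts mention, not the full 68), with a mock telnet device standing in for the real thing so it runs offline. The "login:" / "Password:" prompts and the BusyBox shell banner the mock prints are assumptions about what a real DVR shows.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// Credential is one username/password pair from a factory-default list.
type Credential struct{ User, Pass string }

// DefaultCreds is a constructed sample: a few of the pairs the posts mention
// (root/admin/user/guest with root, admin, 1234, 123456). Mirai shipped 68.
var DefaultCreds = []Credential{
	{"root", "root"}, {"admin", "admin"}, {"admin", "1234"},
	{"user", "user"}, {"guest", "guest"}, {"root", "123456"},
}

// RunMockDevice stands in for a shipping DVR: a telnet-style login prompt on
// loopback that accepts exactly one factory pair and then drops into a shell.
// Assumption: real devices print similar "login:" / "Password:" prompts.
func RunMockDevice(acceptUser, acceptPass string) (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				r := bufio.NewReader(c)
				fmt.Fprint(c, "login: ")
				u, _ := r.ReadString('\n')
				fmt.Fprint(c, "Password: ")
				p, _ := r.ReadString('\n')
				if strings.TrimSpace(u) == acceptUser && strings.TrimSpace(p) == acceptPass {
					fmt.Fprint(c, "\nBusyBox built-in shell (ash)\n# ")
				} else {
					fmt.Fprint(c, "\nLogin incorrect\n")
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// tryLogin answers the two prompts with one pair and reports whether the
// device handed back a shell prompt. It reads up to the first ':' for each
// prompt, so a device whose banner contains ':' would need tuning.
func tryLogin(addr string, cr Credential, timeout time.Duration) bool {
	c, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(timeout))
	r := bufio.NewReader(c)
	if _, err := r.ReadString(':'); err != nil { // "login:"
		return false
	}
	fmt.Fprintf(c, "%s\n", cr.User)
	if _, err := r.ReadString(':'); err != nil { // "Password:"
		return false
	}
	fmt.Fprintf(c, "%s\n", cr.Pass)
	rest, _ := io.ReadAll(r) // the device closes the connection after answering
	return strings.Contains(string(rest), "\n# ")
}

// AuditDevice tries every pair against addr and returns the ones that work.
// Run it only against devices you own or are authorised to test.
func AuditDevice(addr string, creds []Credential) []Credential {
	var found []Credential
	for _, cr := range creds {
		if tryLogin(addr, cr, 2*time.Second) {
			found = append(found, cr)
		}
	}
	return found
}

func main() {
	addr, stop, err := RunMockDevice("admin", "1234")
	if err != nil {
		panic(err)
	}
	defer stop()
	for _, cr := range AuditDevice(addr, DefaultCreds) {
		fmt.Printf("%s accepts factory credential %s/%s: change it or take the device off the Internet\n",
			addr, cr.User, cr.Pass)
	}
}
```

Point the auditor at a real device's telnet port instead of the mock and a non-empty result means that device is already on some bot's list; the bot is doing exactly this loop, just against the whole IPv4 space.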

Right now the code that Arbor is looking at uses just a handful of attack methods, and they have seen attacks that generate close to 400 gigabits of traffic per second.  The client also switches from method to method quickly.

Depending on the pricing model of the attackers – or if they are using it themselves to extort money  – it could run for hours or days, taking your website offline for that long.

What is the impact of your web site being down for a day or a couple of days?  The impact on Sony and Microsoft was pretty large.  What about your web site?

The scary part is that Stresser CURRENTLY does not use any amplification attacks (see here for a definition of amplification attack).  Amplification attacks are really scary because they might use 1 megabit of an IoT device's bandwidth to create 100 megabits of traffic at the site being attacked, by bouncing small requests off third-party servers that answer with much larger replies addressed to the victim.

So if you think that 400 gigabits of attack would take down any web site other than the very largest ones, what happens if Stresser is modified and it can now generate 4,000 gigabits or 4 terabits – what does that mean for your web site?  What if it can generate 40 terabits and the traffic is coming from all over the Internet?

You get the idea.

Until the Internet of Things vendors decide that they need to spend money fixing their security, which likely will require bad publicity or large legal judgments or both, they have no incentive to fix it.

And this is merely the tip of the iceberg.  Give the hackers a couple of years.  They are just getting started.  And THAT is really scary.



Image of lizard used under Creative Commons license  from Flickr by Marc Dalmulder.

Information for this post came from Arbor Networks.

Internet Of Things – The Good and the Bad

As more of us start using Internet of Things devices, researchers uncover the good and the bad.

First the good.  The Ring Doorbell is a WiFi controlled doorbell that allows you to see video, record and talk to anyone at your door.  The doorbell has a video camera and microphone in it and Ring provides a smart phone app that makes this all possible.

The doorbell connects to the Internet and your app via your home WiFi.

However, if you take the doorbell off the wall and push the setup button on the back, you can connect to it with, say, a laptop and read its config file, which contains the password to your WiFi, among other information, all unencrypted.

After being notified, Ring made changes to get the password out of the unencrypted config file and automatically pushed the new firmware to every single doorbell that is online – all within two weeks of being notified.

On the other side we have D-Link, which makes a low cost web cam.  Researchers extracted the firmware from the camera and worked out how the camera updates its firmware.  They were then able to trick the camera into downloading new, malicious firmware, because D-Link has no mechanism in place to make sure that rogue firmware does not get loaded: nothing in the update ties the image to the vendor.  If you can reach the camera on the Internet, you can trick it into loading any firmware you desire.  There is no fix for this yet.
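What the camera is missing is a signature check before flashing. The Go program below is an added example, not D-Link's or Ring's code, and the image layout in it is invented for the demonstration: a small header and the firmware payload are covered by an Ed25519 signature that the device verifies against a public key pinned at manufacture before it writes anything to flash, and because the version number is inside the signed region the device can also refuse a genuine but older image. The insecure path that accepts any well-formed blob is kept for contrast.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not any vendor's real format):
//   magic "FWIM" | version uint32 BE | length uint32 BE | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so version and length are
// authenticated too; that is what makes the rollback check meaningful.
const magic = "FWIM"

var (
	ErrFormat    = errors.New("malformed image")
	ErrSignature = errors.New("signature does not verify against the pinned vendor key")
	ErrRollback  = errors.New("image version is not newer than the installed version")
)

// BuildImage is what the vendor's release pipeline does with the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var b bytes.Buffer
	b.WriteString(magic)
	binary.Write(&b, binary.BigEndian, version)
	binary.Write(&b, binary.BigEndian, uint32(len(payload)))
	b.Write(payload)
	sig := ed25519.Sign(priv, b.Bytes())
	b.Write(sig)
	return b.Bytes()
}

// VerifyImage is the check the device must run before touching flash: parse,
// verify the signature with the pinned public key, then refuse downgrades.
// It returns the version and payload of an accepted image.
func VerifyImage(pinned ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	hdr := len(magic) + 8
	if len(img) < hdr+ed25519.SignatureSize || string(img[:len(magic)]) != magic {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	length := binary.BigEndian.Uint32(img[8:12])
	if uint64(hdr)+uint64(length)+ed25519.SignatureSize != uint64(len(img)) {
		return 0, nil, ErrFormat
	}
	signed := img[:hdr+int(length)]
	sig := img[hdr+int(length):]
	if !ed25519.Verify(pinned, signed, sig) {
		return 0, nil, ErrSignature
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, signed[hdr:], nil
}

// InsecureAccept is the behaviour the camera was found to have: any blob with
// the right header is flashed. Shown only to contrast with VerifyImage.
func InsecureAccept(img []byte) bool {
	return len(img) >= 12 && string(img[:4]) == magic
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // pinned at manufacture
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	images := map[string][]byte{
		"vendor v2": BuildImage(vendorPriv, 2, []byte("camera firmware v2")),
		"rogue":     BuildImage(attackerPriv, 3, []byte("backdoored firmware")),
		"vendor v1": BuildImage(vendorPriv, 1, []byte("camera firmware v1")),
	}
	for name, img := range images {
		_, _, err := VerifyImage(vendorPub, 1, img) // device currently runs v1
		fmt.Printf("%-10s insecure path accepts=%v  verified path: %v\n", name, InsecureAccept(img), err)
	}
}
```

The rogue image is rejected because the attacker cannot produce a signature for the pinned key, and the vendor's own v1 image is rejected by the version check, which closes the "replay an old signed build with a known hole" route that a bare signature check leaves open.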

The reason compromising these devices is a problem is that if the device is on your home (or worse, your business) WiFi network and is under the control of hackers, then the hackers have free rein over any device on your network: your desktops, servers, routers, firewalls and everything else.  Certainly, it is possible for hackers to use that device as a launching point to attack your network.  And since your $30 webcam doesn't even have anti virus software, never mind sophisticated malware detection, the odds of the hacker being detected are almost zero.

Because of this, it is essential that you separate the IoT devices from the rest of your network.  One option is a WiFi router that creates a separate guest WiFi that only allows a guest user access to the Internet and nothing else.

Another option, if you are a cable Internet user, is to get a DSL connection in addition.  Typically those run about $15 a month for residential users.  You can connect all your IoT devices to the DSL and the rest of your stuff to your cable.

It does not appear that this is going to get better any time soon, so users need to figure out how to defend themselves.  You can count on the fact that hackers are already trying to figure out how to compromise your IoT devices.

Information for this post came from Security Now Episode 543.