The Internet of In-secure Things
Hackers are combining the Internet of Things with a 12-year-old open source software bug and creating a potential mess.
Last week tens of thousands of hacked Internet of (in-secure) Things devices created a 600 gigabit per second attack against a security blogger’s web site and just after that, these devices created a terabit per second DDoS attack against a French web hosting site, OVH.
Many of these devices have either bad default passwords (userid=admin, password=admin, for example) or hard-coded – meaning unchangeable – passwords, making it very easy for hackers.
The source code for these two hacks, called Mirai, is available on the Internet and researchers say they are already seeing other hackers toying with it to create a new attack tool.
Combine this with a TWELVE YEAR OLD bug in the very popular OPEN SOURCE software tool called OpenSSH that hackers are using to exploit these Internet of (unpatchable) Things devices and we may have a large mess.
The attackers are not using the flaw in OpenSSH to break into sites, but rather to aim huge amounts of traffic at sites under attack.
So if we look at one Internet of (in-secure) Things device – Avtech DVRs for Internet cameras, researchers have found 130,000 of these devices, which, the researchers say, have 14 exploitable bugs. If an attacker decides to use these 130,000 devices in combination with the OpenSSH attack vector, they would have a pretty decent army that would likely take down all but the biggest web sites.
So we really have two issues here.
#1 is the fact that open source software is not a panacea. Open source advocates say that open source is better because people can look at the source code for bugs. Well, that is true. They can. But almost no one does. And, if you don’t take the actual source code that you personally looked at and compile it yourself and then install that actual piece of compiled software, you really don’t know what you are running, so the story doesn’t hold water.
Add to that the fact that even though OpenSSH is EXTREMELY popular, this bug managed to stick around for 12 years.
So open source is not a silver bullet. I agree that you can use it as people suggest, but almost no one will.
#2 is the Internet of Things, or as some people are calling it, the Internet of In-Secure Things or the Internet of Unpatchable Things, both of which seem to be true.
Until we get our hands around this problem, these billions of devices that we are adding to the Internet will be a huge problem. They will be able to attack other web sites and even attack the owner’s own home and business networks. It is going to be a mess for the foreseeable future.
Until manufacturers either get the message that they have to patch IoT devices or are forced to issue patches under penalty of being sued successfully, AND users get the message that they have to patch their refrigerators and security cameras every month, things are unlikely to get better. You could disconnect your own IoT devices, but you will still need to deal with those people who do not disconnect their devices.
Unfortunately, I don’t have a good answer. One thing that will help, if manufacturers sign on for this, is for devices to automatically look for and install patches. That means that the manufacturers need to become serious about creating patches and then automating the installation of them. People are just not going to patch their refrigerators on a regular basis.
If you consider cell phones the ultimate IoT device, even for them we are not seeing all manufacturers being serious about patching them.
You definitely need to isolate any IoT devices on their own network so that, at least, when your IoT devices are under attack, the attackers cannot use that attack to get into the rest of your network.
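One way to enforce that isolation on a Linux-based router, shown here as an added example and not as configuration from the original post or its source. The interface names `lan0`, `iot0` and `wan0` and the list of permitted outbound ports are assumptions to adjust for your own network and devices.

```nftables
# Added example: forward-path rules for a router with three interfaces.
# Assumed names: lan0 = trusted network, iot0 = IoT-only network, wan0 = Internet uplink.
# Traffic addressed to the router itself is handled by an input chain, not shown here.
table inet iot_isolation {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted to start.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may open connections anywhere, including to
        # IoT devices for viewing and management.
        iifname "lan0" accept

        # IoT devices may never open a connection into the trusted LAN.
        # Logging the drop shows when a device tries to reach inward.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop

        # IoT devices get a short outbound allowlist: DNS, NTP and HTTPS
        # (enough for time sync, cloud check-ins and fetching updates).
        iifname "iot0" oifname "wan0" udp dport { 53, 123 } accept
        iifname "iot0" oifname "wan0" tcp dport { 53, 443 } accept

        # Everything else leaving the IoT network is logged and dropped,
        # which also limits what a hijacked device can send at other sites.
        iifname "iot0" oifname "wan0" log prefix "iot egress blocked: " drop
    }
}
```

Repeated hits on either log prefix from one device are a useful sign that it is misbehaving or compromised.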
Information for this post came from Computerworld.