The Internet of Things is the Internet of Terrible, we’ll round up the week’s stories & submit the TechSNAP solution to you the audience. Plus the security cost of Android fragmentation, great questions & a packed round up!

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Internet of Terror roundup

  • Krebs has been machine-gunning articles about the Internet of Terror devices that were used to attack him recently
  • Who makes the IoT things that are under attack
  • This first post breaks down the manufacturers of the devices, who is to blame for this nonsense.
  • “As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware”
  • “The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.”
  • “In all, there are 68 username and password pairs in the botnet source code. However, many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorder (DVRs).”
  • All of the passwords are quite bad. A few look almost random, but using one random password on every device doesn’t help. It is as if they tried, but totally missed the point
  • “Regardless of whether your device is listed above, if you own a wired or wireless router, IP camera or other device that has a Web interface and you haven’t yet changed the factory default credentials, your system may already be part of an IoT botnet. Unfortunately, there is no simple way to tell one way or the other whether it has been compromised.”
  • “However, the solution to eliminating and preventing infections from this malware isn’t super difficult. Mirai is loaded into memory, which means it gets wiped once the infected device is disconnected from its power source.”
  • “Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host). The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.”
  • Europe to push for new security rules amid IoT mess
  • “The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.”
  • “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure. The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”
  • That sounds great, but how do you rate the cyber security of a device? Who is going to be allowed to these audits? Who decides if the Auditor is qualified enough?
  • “One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.”
  • “That information comes in an analysis published this week by Flashpoint Intel, whose security analysts discovered that the Web-based administration page for devices made by this Chinese company (http://ipaddress/Login.htm) can be trivially bypassed without even supplying a username or password, just by navigating to a page called “DVR.htm” prior to login.”
  • “The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
  • IoT devices as proxies for cybercrime
  • “This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud.”
  • The criminals are using your IoT device as a proxy, so when the police hunt down the person who committed the fraud, it looks like it was you.
  • “Recently, I heard from a cybersecurity researcher who’d created a virtual “honeypot” environment designed to simulate hackable IoT devices. The source, who asked to remain anonymous, said his honeypot soon began seeing traffic destined for Asus and Linksys routers running default credentials. When he examined what that traffic was designed to do, he found his honeypot systems were being told to download a piece of malware from a destination on the Web.”
  • “The researcher found that the malware being pushed to his honeypot system was designed to turn his faux infected router into a “SOCKS proxy server,” essentially a host designed to route traffic between a client and a server. Most often, SOCKS proxies are used to anonymize communications because they can help obfuscate the true origin of the client that is using the SOCKS server.”
  • “What he observed was that all of the systems were being used for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites. Further study of the malware files and the traffic beacons emanating from the honeypot systems indicated his honeypots were being marketed on a Web-based criminal service that sells access to SOCKS proxies in exchange for Bitcoin.”
  • Krebs’ site has a number of tips on securing your router to prevent this
  • SSH TCP Forwarding on-by-default in IoT devices, used in new cedential stuffing attacks
  • Of course, routers and other IoT devices can sometimes be used as a proxy without having to be compromised.
  • The default SSH configuration used on a number of IoT devices allows the SSH feature ‘AllowTCPForwarding’
  • This allows the attacker to login to the IoT device using the default credentials (that you sometimes cannot change), and then bounce their connection off of the device, in such a way that it leaves no trace
  • Ezra Caltum, senior security research team leader at Akamai: “We are in for an Internet of unpatchable things. This is my personal opinion, but I’m terrified about it.”

Researchers discover way to factor certain 1024 bit Diffie-Hellman keys

  • “Researchers have devised a way to place undetectable backdoors in the cryptographic keys that protect websites, virtual private networks, and Internet servers. The feat allows hackers to passively decrypt hundreds of millions of encrypted communications as well as cryptographically impersonate key owners.”
  • While there is a lot of media hype, it isn’t necessarily the end of the world just yet
  • Researcher Post
  • “We have completed a cryptanalysis computation which is at the same time a formidable achievement in terms of size (a 1024-bit discrete logarithm computation), and a small-scale undertaking in terms of computational resources (two months of calendar time on 2000 to 3000 cores). In comparison, the “real” record for discrete logarithm is 768 bits (announced this spring) and required 10 times as much computational power.”
  • “To achieve this, we cheated. Deliberately. We chose the prime number which defines the problem to be solved in a special way, so that the computation can be made much more efficient. However, we did this in a subtle way, so that the trapdoor we inserted cannot be detected.”
  • “Unfortunately, for most of the prime numbers used in cryptography today, we have no guarantee that they have not been generated with such a trapdoor. We estimate that breaking a non-trapdoored 1024-bit prime is at least 10,000 times harder than breaking our trapdoored prime was for us once we knew the trapdoor.”
  • “Our computation raises questions about some Internet standards that contain opaque, fixed primes. Theoretically, we know how to guarantee that primes have not been generated with a trapdoor, but most widely used primes come with no such public guarantee. A malicious party who inserted a trapdoored prime into a standard or an implementation would be able to break any communication whose security relies on one of these primes in a short amount of time.”
  • “Solving discrete log for a Diffie-Hellman key exchange lets an attacker decrypt messages encrypted with the negotiated key. Solving discrete log for a DSA signature lets an attacker forge signatures.”
  • So, we have a way to make sure that the process used to select a prime is not backdoored, but not a way to tell if a given prime has been backdoored
  • “We have not been able to find any documented seeds or verifiable randomness for widely used 1024-bit primes such as the RFC 5114 primes. Using “nothing up my sleeve” numbers to generate primes like the Oakley groups or the TLS 1.3 negotiated finite field Diffie-Hellman groups (RFC 7919) is a reasonable guarantee of not containing a backdoor.”
  • Some older standards contain ‘magic’ numbers, without information about the process that was used to come up with the number. Only numbers in some newer standards, where a “nothing up my sleeve” policy allows anyone to audit the process used to select the prime, are considered secure.
  • “The attack we describe affects only Diffie-Hellman and DSA, not ECDH or ECDSA. For RSA, there are not global public parameters like the primes used for Diffie-Hellman that could contain a backdoor like this.”
  • “If you run a server, use elliptic-curve cryptography or primes of at least 2048 bits.”
  • DH primes less than 1024 were banned recently, after the Logjam attack. Hopefully most people who generated new primes are already using 2048 or bigger primes
  • “If you are a developer or standards committee member, use verifiable randomness to generate any fixed cryptographic parameters, and publicly document your seeds. Appendix A.1.1.2 of FIPS 186 describes how to do this for DSA primes.”

Android Fragmentation Sinks Patching Gains — 60,000 unique models of Android device

  • It’s been 13 months since Google began releasing Android security bulletins and software patches on a scheduled, monthly basis. So far, the benefits of the new strategy to shore up Android’s defenses are mixed at best.
  • Security experts say look no further than to this past August and Google’s patching of the high-profile QuadRooter vulnerability that took 96 days for Google to go from vulnerability notification by Qualcomm to the release of the final patch for the critical flaws on Sept. 6. By comparison, it took Apple just 10 days from the time researchers tipped off the company to the notorious Trident vulnerabilities, which were publicly attacked unlike QuadRooter, to Apple releasing its iOS patch.
  • That stark difference in patch times, illustrates to many mobile security experts that despite security gains within the Android platform
  • From MediaServer hardening and file-level encryption – Google’s security efforts are still stymied by the nagging problem of fragmentation.
  • For example, only a fraction of phones vulnerable to the QuadRooter vulnerability have received Google’s patches.
  • Kyle Lady, research and development engineer at Duo Labs, says issues tied to fragmentation are hurting the Android ecosystem on two fronts.
  • One front is Google’s efforts to work with a myriad partners on identifying risks and prepping patches for Google’s monthly security updates.
  • The second is making sure those patches are deployed by Android handset makers and wireless carriers to consumers in a timely manner.
  • Since Google released its last patch to fix the QuadRooter vulnerability, only 15 percent of Android phones capable of receiving the security update had done so, according to the most recent data available from Duo Labs collected Oct. 5.
  • The patching results are interesting, “percentage of Android phones that have not patched in the last 90 days”:
    • Nexus: 2.3% (almost every phone is patched)
    • Samsung: 55% (slightly more than half of all phones are unpatched)
    • LG: 73% (almost 3/4s of all phones are unpatched)
    • Motorola: 96% unpatched
    • Sony: 98% unpatched
  • For the first time that I have seen, Google’s support policy is also spelled out:
  • “For Google’s part, it says it will provide support for its Nexus brand phones for at least three years from device availability, or 18 months after the last device is sold by Google”
  • Motorola’s phone unit was recently sold to Lenovo, which had this to say:
  • “We understand that keeping phones up-to-date with security patches is important to our customers and strive to push security patches as quickly as we can. We work with our carrier partners, software providers and other partners to extensively test patches before they are delivered, which can be in various forms, such as pure Security Maintenance Releases, scheduled Maintenance Releases and OS Upgrades.”
  • “In August, Motorola said it couldn’t promise its flagship Moto Z and Moto G4 would receive monthly Android security patches. Instead, Motorola said updates would be quarterly. Samsung and LG said they have committed to monthly security updates for their handsets. HTC did not respond to a request for comment on this story.”
  • It would be interesting to see these same numbers while looking at a more confined view, say, Phones sold in the last 18 months, rather than all phones on the market.
  • Google is also trying to solve the problem by going around the Manufacturers and the Carriers: “with the release of Android 7.0 (Nougat) Google is attempting to become more self-reliant by creating independent apps that might have otherwise been Android OS baked-in features. For example, Google recently introduced its Allo and Duo (formerly Hangouts) messaging features as standalone apps. Now, Google can push out software updates if needed to those apps, independent of device makers and carriers.”


Round Up:

Question? Comments? Contact us here!