Deadly Software - Cyberattacks On "Smart Devices"
#1
Killer Software
[Image: uk-says-russia-is-behind-new-wave-of-cyb...all&w=1200]
  Cyberattacks are happening constantly and at a high rate. It's not a matter of if you get attacked, but when. How can we possible defend ourselves from this seemingly massive threat? Technology is being integrated into everything we do. But what happens when programs we rely on get attacked or fail us?
  The internet of things (IoT) is comprised of everyday objects that are given networking capabilities. For example a baby monitor that parents can view from their phones, a refrigerator that keeps inventory of what you have in it, and thermostats that let you control them remotely and will automatically adjust the temperature depending on whether you're there or not. As of 2018, the size of the internet of things is estimated at 10 billion and it's growing. The internet of things is in its' infancy. The extent that it will be a part of our lives and everyday actions will be amazing. This will bring a lot of convenience with it, but at a price. Already, criminals are attacking the internet of things. Many IoT devices are sold with default credentials and the unknowing owners aren't aware that they are leaving their device wide open to infiltration. Even worse, sometimes the default credentials cannot be changed. The users aren't entirely to blame though. The manufacturers are careless with how their software and hardware is made at times. In the rush to put smart devices on the shelves to compete with other sellers, the devices are hastily coded and built. This results in relearning security lessons from two decades ago. Default passwords and exposed functionality are something that weren't entirely eradicated from the internet. But the IoT has made the issue arise again. The Mirai botnet exploited IoT default passwords to spread. Other botnets have done similar. After all, finding devices waiting on the internet with default passwords are a lot easier to infect than a PC. Botnets aren't the only threat to the IoT though. Baby monitors are another vulnerable part of the IoT. Many stories circulate the internet of mysterious voices coming from baby monitors. These kinds of attacks are a good glimpse of what the future will look like.
  We're already behind in IoT security. But we haven't seen anything yet. Future attacks will be far more invasive and personal. Let's take a look at an example.
A criminal scans the internet, searching for vulnerable devices. An interesting one comes up. It looks like MQTT (MQ telemetry transport). This is interesting, MQTT is usually found on IoT devices. The criminal probes the service further. It isn't password protected and he can have his way with the system in question. More investigation reveals this is a smart thermometer. Now the attacker can read all the data the thermometer has available. Oh, great so the attacker can tell what the temperature in the house is. What's the big deal? The thermometer also adjusts the temperature according to whether the owner is home or not. So if the criminal can tell when the house owner is home, they could use that to plan a physical break in to the house or give it to someone who would. Does this seem a little far fetched? Perhaps it is. The next attack however, is fairly likely to happen.
  John is leaving for work one average workday. He goes out to his car to find the doors are locked. His key fob won't unlock the doors. The car seems to have a mind of its' own. A message for John is displayed on the car's dashboard. It reads the following:
Quote:Your car has been hijacked. If you want to get it back, pay $8,000 in bitcoin to this address: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX. You have 24 hours. If you try to contact the authorities or get into the car, I will crash it.
Cyberattacks are happening constantly and at a high rate. It's not a matter of if you get attacked, but when. How can we possible defend ourselves from this seemingly massive threat? Technology is being integrated into everything we do. But what happens when programs we rely on get attacked or fail us?

  The internet of things (IoT) is comprised of everyday objects that are given networking capabilities. For example a baby monitor that parents can view from their phones, a refrigerator that keeps inventory of what you have in it, and thermostats that let you control them remotely and will automatically adjust the temperature depending on whether you're there or not. As of 2018, the size of the internet of things is estimated at 10 billion and it's growing. The internet of things is in its' infancy. The extent that it will be a part of our lives and everyday actions will be amazing. This will bring a lot of convenience with it, but at a price. Already, criminals are attacking the internet of things. Many IoT devices are sold with default credentials and the unknowing owners aren't aware that they are leaving their device wide open to infiltration. Even worse, sometimes the default credentials cannot be changed. The users aren't entirely to blame though. The manufacturers are careless with how their software and hardware is made at times. In the rush to put smart devices on the shelves to compete with other sellers, the devices are hastily coded and built. This results in relearning security lessons from two decades ago. Default passwords and exposed functionality are something that weren't entirely eradicated from the internet. But the IoT has made the issue arise again. The Mirai botnet exploited IoT default passwords to spread. Other botnets have done similar. After all, finding devices waiting on the internet with default passwords are a lot easier to infect than a PC. Botnets aren't the only threat to the IoT though. Baby monitors are another vulnerable part of the IoT. Many stories circulate the internet of mysterious voices coming from baby monitors. These kinds of attacks are a good glimpse of what the future will look like.
  We're already behind in IoT security. But we haven't seen anything yet. Future attacks will be far more invasive and personal. Let's take a look at an example.
A criminal scans the internet, searching for vulnerable devices. An interesting one comes up. It looks like MQTT (MQ telemetry transport). This is interesting, MQTT is usually found on IoT devices. The criminal probes the service further. It isn't password protected and he can have his way with the system in question. More investigation reveals this is a smart thermometer. Now the attacker can read all the data the thermometer has available. Oh, great so the attacker can tell what the temperature in the house is. What's the big deal? The thermometer also adjusts the temperature according to whether the owner is home or not. So if the criminal can tell when the house owner is home, they could use that to plan a physical break in to the house or give it to someone who would. Does this seem a little far fetched? Perhaps it is. The next attack however, is fairly likely to happen.
  John is leaving for work one average workday. He goes out to his car to find the doors are locked. His key fob won't unlock the doors. The car seems to have a mind of its' own. A message for John is displayed on the car's dashboard. It reads the following:
Quote:Your car has been hijacked. If you want to get it back, pay $8,000 in bitcoin to this address: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX. You have 24 hours. If you try to contact the authorities or get into the car, I will crash it.
What would you do in a situation like this? What if instead of being locked out of your car, you were locked in? The criminal doesn't just have your car. They also have you. How much would you pay to convince a criminal not to wreck your car with you in it? It's a scary prospect.
  Only time will tell exactly what cyberattacks will look like. But the more you integrate technology into your life, the more damaging it is for you when it is hijacked or simply malfunctions. IoT device manufacturers need to be put in check and held to reasonable standards. The manufacturers also need to hold themselves to standards. Our health and wellbeing depends on our technology being secure against those who would do us harm.
What would you do in a situation like this? What if instead of being locked out of your car, you were locked in? The criminal doesn't just have your car. They also have you. How much would you pay to convince a criminal not to wreck your car with you in it? It's a scary prospect.
  Only time will tell exactly what cyberattacks will look like. But the more you integrate technology into your life, the more damaging it is for you when it is hijacked or simply malfunctions. IoT device manufacturers need to be put in check and held to reasonable standards. The manufacturers also need to hold themselves to standards. Our health and wellbeing depends on our technology being secure against those who would do us harm.
Reply
#2
Oh lad Big Grin Yeah with all the internet of shit (IoT)... Car ransomware is the future.
Reply
#3
Insider Wrote:Oh lad. Yeah with all the internet of shit (IoT)... Car ransomware is the future.

Can't tell whether that was sarcastic or not. Either way, maybe it's not the future. But if you think about how stupid simple the attack concept is, it's a possible scenario. I mean, would you gamble your car or your life rather than pay up? Sure there's the possibility that if the criminal had you in the car and threatened to wreck the car you could just try to call their bluff. Realistically the criminal wouldn't likely have to crash any cars. People would probably just pay up rather than bet their life that the criminal is bluffing.
Reply
#4
(05-03-2020, 04:22 PM)Dismal_0x8 Wrote:
Insider Wrote:Oh lad. Yeah with all the internet of shit (IoT)... Car ransomware is the future.

Can't tell whether that was sarcastic or not. Either way, maybe it's not the future. But if you think about how stupid simple the attack concept is, it's a possible scenario. I mean, would you gamble your car or your life rather than pay up? Sure there's the possibility that if the criminal had you in the car and threatened to wreck the car you could just try to call their bluff. Realistically the criminal wouldn't likely have to crash any cars. People would probably just pay up rather than bet their life that the criminal is bluffing.

Sorry about my ambiguous reply Smile I just find it funny how companies have the need to connect everything to the internet... smart freezers... smart toothbrush hell even smart vibrators. Hence internet of shit.

It feels pretty surreal to think about it. But it's already been demonstrated that cars can be hacked. So it's only a matter of time before ransomware comes around. So I agree with you there. Heard they even manage to put ransomware on a shipping freighters, hospitals and even commuter systems. So yeah. The time of deadly software is already on its way.
Reply
#5
Anyone remember the guy that made the router malware? He just used techniques from botnets to gain access to insecure routers(It was either routers or some type of IoT device).

The bot would set up shop and instead of diverting resources into things like DDoS or other kinds of infrastructure he'd have the clients patch them up by changing passwords to strong ones and generally fixing security issues that are commonly exploited, after which the client would copy itself to a new device and go dormant on the now secured one.

That was some top tier Grey Hattery if i've ever seen any. If the industries involved fail in their duties to provide reasonably secure products. We could always do it for them. Not for their benefit, but for the benefit of everyone else.
Reply
#6
(05-04-2020, 11:34 AM)Vector Wrote: Anyone remember the guy that made the router malware? He just used techniques from botnets to gain access to insecure routers(It was either routers or some type of IoT device).

The bot would set up shop and instead of diverting resources into things like DDoS or other kinds of infrastructure he'd have the clients patch them up by changing passwords to strong ones and generally fixing security issues that are commonly exploited, after which the client would copy itself to a new device and go dormant on the now secured one.

That was some top tier Grey Hattery if i've ever seen any. If the industries involved fail in their duties to provide reasonably secure products. We could always do it for them. Not for their benefit, but for the benefit of everyone else.
 
I've read about that. I have a lot of respect for that kind of thing. He also made the code easy to analyze so researchers could see what it was doing.
Reply
#7
(05-04-2020, 12:36 PM)Dismal_0x8 Wrote:
(05-04-2020, 11:34 AM)Vector Wrote: Anyone remember the guy that made the router malware? He just used techniques from botnets to gain access to insecure routers(It was either routers or some type of IoT device).

The bot would set up shop and instead of diverting resources into things like DDoS or other kinds of infrastructure he'd have the clients patch them up by changing passwords to strong ones and generally fixing security issues that are commonly exploited, after which the client would copy itself to a new device and go dormant on the now secured one.

That was some top tier Grey Hattery if i've ever seen any. If the industries involved fail in their duties to provide reasonably secure products. We could always do it for them. Not for their benefit, but for the benefit of everyone else.
 
I've read about that. I have a lot of respect for that kind of thing. He also made the code easy to analyze so researchers could see what it was doing.

Yeah it was dope, when the malware came under some scrutiny he released the entire source on a website he was affiliated with, if i recall. I might have it archived somewhere. But i am not sure. I have too many samples as it is, lol.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  13.56 MHz Smart Cards EnigmaCookie 2 5,325 04-06-2018, 10:30 PM
Last Post: EnigmaCookie
  IoT "smart" lightbulbs vulnerable to persistent XSS & more. Vector 2 5,047 01-07-2017, 06:59 PM
Last Post: Vector