
New IoT botnet on the horizon? 500 Million Devices at risk, and likely won't be updated

rcmaehl

Sources:
CRN
Bleeping Computer

 

TL;DR

The IoT is once again wide open to another attack, this one affecting almost half a billion devices. With IoT devices potentially not even being updated, a large attack like Mirai, which brought down GitHub, Reddit, Netflix, and other large companies, could be only a short time away.

 

Media:

DNS rebinding - Armis
 

Quotes/Excerpts:

Quote

devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw... The report was published Friday... The web exploit in question is called DNS rebinding... allows an attacker to bypass a network firewall... to access other devices on the network... through a malicious link enclosed within an email, banner ad or another source... devices susceptible to data exfiltration, compromise and hijacking... could lead to a botnet attack similar to the Mirai malware... the impacted devices include 87 percent of switches, routers and access points; 78 percent of streaming media players and speakers; 77 percent of IP phones; 75 percent of IP cameras; 66 percent of printers; and 57 percent of smart TVs.

Quote

the cyber-security firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol, warns that nearly half a billion of today's "smart" devices are vulnerable to a decade-old attack... regarding DNS rebinding flaws in Blizzard apps, uTorrent, and Google Home, Roku TV, and Sonos devices... nearly all types of smart devices are vulnerable to DNS rebinding, ranging from smart TVs to routers, from printers to surveillance cameras, and from IP phones to smart assistants... colossal task that may never be done, requiring patches from vendors that can't be bothered with security for trivial flaws like XSS and CSRF vulnerabilities, let alone complex attacks such as DNS rebinding... IoT security has been a proverbial shitshow for the past year

 

My Opinion:

 

We really need a third-party certification company or some sort of regulation to force smart devices to be audited before they reach the consumer, as well as ensuring they receive security patches for at least X years. We're basically mass-marketing back doors into people's homes nowadays.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


This basically requires unsafe browsing habits to become exposed. IMO smart devices aren't a great idea for consumers yet because of how new the security side is. People won't want to get rid of a 2 year old device because of a security flaw which they don't understand. 

 

This "up to" chart is just for clickbait. In reality it's a much smaller number, though not insignificant 

That's an F in the profile pic

 

 


7 minutes ago, Froody129 said:

This basically requires unsafe browsing habits to become exposed.

Unfortunately not: if the link is loaded using JavaScript, say, a malicious advertisement on Reddit or Imgur, the device can become infected.


23 minutes ago, rcmaehl said:

through a malicious link enclosed within an email, banner ad or another source.

RIP businesses because Susan couldn't keep her goddamn fingers off the link in the email labeled spam, because if she didn't she'd have 10 years of bad luck for not clicking and sharing within 1 min.

 

I'm getting tired of these doomsday-hyped exploits. This isn't that big a deal.


So you need to access the malicious link to be susceptible. So... how am I going to do that on my IP phone? Wait, I can't unless it is running some crazy software hack. So I guess my streaming media player/speakers are the problem, wait.... nope, not going to be clicking links on them either. Surely they mean my IP camera, wait... when was the last time I did any browsing or email viewing with it? It has to be the printer, that has to be it... nope. Maybe they mean my switches/routers/APs.... well, probably not, seeing they are passthroughs that don't access the data (in most cases). So that leaves us with smart TVs, which do have email and web capability on some models.

 

So this article is just scare tactics/clickbait. The actual risk of exposure is very, very minimal. Most of the devices they listed as susceptible are also devices that don't need any real protection from it. So why patch a device that doesn't have the capabilities to actually get infected anyway?

 

So that leaves us with one real risk, which is smart TVs. Of those TVs, even fewer have the ability to do what it would take to get infected, and then you have the even lower number of people that even use them for that purpose. On top of that, both my Samsung and Vizio TVs are consistently getting updates... so if this really was a big concern or issue then they would surely have patched it by now. Do people think they would risk a lawsuit because they didn't patch something this simple?

 

In the end this is just an article searching for clicks via scare tactics.


2 minutes ago, mynameisjuan said:

RIP businesses because Susan couldn't keep her goddamn fingers off the link in the email labeled spam, because if she didn't she'd have 10 years of bad luck for not clicking and sharing within 1 min.

 

I'm getting tired of these doomsday-hyped exploits.

React to this reply within 30 seconds of reading or you'll have 10 years of random BSODs /s


8 minutes ago, AngryBeaver said:

So you need to access the malicious link to be susceptible. So... how am I going to do that on my IP phone? Wait, I can't unless it is running some crazy software hack. So I guess my streaming media player/speakers are the problem, wait.... nope, not going to be clicking links on them either. Surely they mean my IP camera, wait... when was the last time I did any browsing or email viewing with it? It has to be the printer, that has to be it... nope. Maybe they mean my switches/routers/APs.... well, probably not, seeing they are passthroughs that don't access the data (in most cases). So that leaves us with smart TVs, which do have email and web capability on some models.

The actual attack would be as follows:

1) Malicious link is loaded on a vulnerable device, generally something with a browser, or poorly coded
2) That device becomes a malicious DNS server within the network
3) Other devices on the same network have their network traffic affected as the device responds faster than your ISP's DNS server
4) Other devices get infected by having an embedded app load that malicious link, instead of the service/API it was trying to access, causing that device to ALSO become a malicious DNS server
5) Owner uses the endpoints that the malicious DNS servers point to, to leverage other exploits and attacks against poorly secured devices

 

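The step in the chain above where a rebound request finally reaches a device's embedded HTTP service is also where the device itself can break the chain: the browser still sends the attacker's hostname in the Host header, so a service that only answers for its own address or name refuses the request even though it arrived on the LAN IP. The following is an added example written for this thread, not code from any vendor, from Armis or from the poster; the device addresses, hostnames and port are constructed placeholders, and `is_trusted_host`, `_split_host_port` and `GuardedHandler` are names chosen for this illustration.

```python
"""Host-header check for an embedded device's HTTP service (added example).

A DNS-rebound request arrives on the device's private IP, but the browser
still puts the attacker's domain in the Host header. Answering only for the
device's own addresses and names turns that request into a 421.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical device identity (constructed values): the addresses it is
# reachable on and the hostnames it legitimately answers to, e.g. its mDNS name.
DEVICE_ADDRESSES = {"192.168.1.50", "127.0.0.1"}
DEVICE_HOSTNAMES = {"camera.local", "localhost"}
DEVICE_PORT = 8080


def _split_host_port(host_header: str):
    """Return (host, port_or_None) from a Host header; handles bracketed IPv6."""
    header = host_header.strip()
    if header.startswith("["):
        end = header.find("]")
        if end == -1:
            return None, None
        rest = header[end + 1:]
        return header[1:end], (rest[1:] if rest.startswith(":") else None)
    host, sep, port = header.rpartition(":")
    if not sep or not port.isdigit():
        return header, None
    return host, port


def is_trusted_host(host_header: str, port: int = DEVICE_PORT) -> bool:
    """True only if the Host header names this device by address or hostname."""
    if not host_header:
        return False
    host, hdr_port = _split_host_port(host_header)
    if host is None:
        return False
    if hdr_port is not None and (not hdr_port.isdigit() or int(hdr_port) != port):
        return False
    host = host.lower().rstrip(".")
    # Literal IPs are compared as parsed addresses, so only canonical forms of
    # the device's own addresses match; anything else falls through to names.
    try:
        return str(ipaddress.ip_address(host)) in DEVICE_ADDRESSES
    except ValueError:
        return host in DEVICE_HOSTNAMES


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that refuses requests whose Host header is not ours."""

    def do_GET(self):
        if not is_trusted_host(self.headers.get("Host", "")):
            self.send_response(421)  # Misdirected Request
            self.end_headers()
            self.wfile.write(b"Host header does not match this device\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"settings page\n")


if __name__ == "__main__":
    # Stand-alone run: serve on the constructed port until interrupted.
    HTTPServer(("0.0.0.0", DEVICE_PORT), GuardedHandler).serve_forever()
```

The check is deliberately an allowlist of the device's own identities rather than a denylist of attacker names, because the attacker chooses the name; it also compares IP literals after parsing so that only the canonical spelling of the device's addresses is accepted.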

Well at least I know my network is safer than most people, given I have pfSense as my home firewall/router. And I disallow any DNS rebinding attacks.


 

11 hours ago, AngryBeaver said:

So you need to access the malicious link to be susceptible. So... how am I going to do that on my IP phone? Wait, I can't unless it is running some crazy software hack. So I guess my streaming media player/speakers are the problem, wait.... nope, not going to be clicking links on them either. Surely they mean my IP camera, wait... when was the last time I did any browsing or email viewing with it? It has to be the printer, that has to be it... nope. Maybe they mean my switches/routers/APs.... well, probably not, seeing they are passthroughs that don't access the data (in most cases). So that leaves us with smart TVs, which do have email and web capability on some models.

 

So this article is just scare tactics/clickbait. The actual risk of exposure is very, very minimal. Most of the devices they listed as susceptible are also devices that don't need any real protection from it. So why patch a device that doesn't have the capabilities to actually get infected anyway?

 

So that leaves us with one real risk, which is smart TVs. Of those TVs, even fewer have the ability to do what it would take to get infected, and then you have the even lower number of people that even use them for that purpose. On top of that, both my Samsung and Vizio TVs are consistently getting updates... so if this really was a big concern or issue then they would surely have patched it by now. Do people think they would risk a lawsuit because they didn't patch something this simple?

 

In the end this is just an article searching for clicks via scare tactics.

 

I spent the last hour reading about this. It's an actual problem.

 

You hit a malicious site from, say, your desktop. WebRTC leaking gives that site your LAN IP address (https://ipleak.net/). The attacker now knows what range of IPs to scan to probe your LAN. You can then scan all of these IPs looking for markers of IoT devices like login pages or whatever. Then you have a list of IP addresses for your IoT devices. DNS rebinding can then manipulate your desktop accessing http://malicious-site.com/your_iot_device_settings_page.asp to route malicious-site.com to your IoT device's private IP address.

 

The vulnerability comes from IoT devices having wide-open HTTP servers and APIs and shit that you can dump payloads through, from any computer on your network.

 

https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml/related?hl=en

 

This extension will stop Chrome from leaking your private IP address and make the search space larger to look for vulnerable devices if you aren't using 192.168.xx.xx (which you really shouldn't be anyway, but 99% of people do).

 

Routers also may have a "Prevent DNS Rebind" option that stops DNS requests being sent to local machines. But this blocks having a local DNS provider too, like Pi-hole, unless your router supports dnsmasq exceptions.

 

 

I'll also add that this has been a known "problem" for like 10 years, but originally the problem was being able to steal your router's password and then hope telnet was enabled and then do shit from there. IoT devices having shit security is the "new" vector.

Workstation:  14700nonK || Asus Z790 ProArt Creator || MSI Gaming Trio 4090 Shunt || Crucial Pro Overclocking 32GB @ 5600 || Corsair AX1600i@240V || whole-house loop.

LANRig/GuestGamingBox: 13700K @ Stock || MSI Z690 DDR4 || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3060 RTX Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)

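The router-side "Prevent DNS Rebind" option and the dnsmasq exception it needs come down to one rule: an answer for a name outside the LAN's own zones must not point at a private, loopback or link-local address. The Python filter below is an added example written for this thread, not pfSense, dnsmasq or Pi-hole code; the `Answer` record, the `RebindFilter` class, the `home.arpa` zone and the sample answers are constructed for the illustration.

```python
"""Resolver-side DNS rebinding filter (added example, not pfSense/dnsmasq code).

A forwarding resolver on the LAN inspects each upstream answer: A/AAAA
records for names that point into private, loopback or link-local space are
dropped unless the name sits under an allowlisted local zone (the "dnsmasq
exception" that lets a Pi-hole or NAS keep a LAN address).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Ranges a name outside the LAN's own zones should never resolve to.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10",
)]


@dataclass
class Answer:
    """One resource record from a DNS response (constructed for the example)."""
    name: str
    rtype: str  # "A", "AAAA", "CNAME", ...
    rdata: str


@dataclass
class RebindFilter:
    allowed_zones: Set[str] = field(default_factory=set)  # e.g. {"home.arpa"}
    dropped: List[Answer] = field(default_factory=list)   # audit trail

    def zone_allowed(self, name: str) -> bool:
        """True if name is exactly, or under, one of the allowlisted zones."""
        n = name.lower().rstrip(".")
        for zone in self.allowed_zones:
            z = zone.lower().rstrip(".")
            if n == z or n.endswith("." + z):
                return True
        return False

    @staticmethod
    def is_internal(rdata: str) -> bool:
        """True if rdata is an address clients must not be steered to."""
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            return True  # malformed address data: never forward it
        # 'in' is False on an IPv4/IPv6 version mismatch, so mixing is safe.
        return any(addr in net for net in BLOCKED_NETWORKS)

    def filter(self, answers: List[Answer]) -> List[Answer]:
        """Return the answers safe to hand to clients; log the rest."""
        kept = []
        for ans in answers:
            if (ans.rtype in ("A", "AAAA") and self.is_internal(ans.rdata)
                    and not self.zone_allowed(ans.name)):
                self.dropped.append(ans)
                continue
            kept.append(ans)
        return kept


def filter_constructed_response():
    """Run the filter over a constructed response; returns (kept, dropped) names."""
    f = RebindFilter(allowed_zones={"home.arpa"})
    response = [  # constructed sample answers
        Answer("cdn.example", "A", "93.184.216.34"),            # public: keep
        Answer("evil.example", "A", "192.168.1.50"),            # rebinding: drop
        Answer("evil.example", "AAAA", "::ffff:192.168.1.50"),  # v4-mapped: drop
        Answer("pihole.home.arpa", "A", "192.168.1.2"),         # allowlisted: keep
        Answer("home.arpa.evil.example", "A", "10.0.0.1"),      # lookalike: drop
        Answer("www.example", "CNAME", "cdn.example"),          # not an address
    ]
    kept = f.filter(response)
    return [a.name for a in kept], [a.name for a in f.dropped]


if __name__ == "__main__":
    kept, dropped = filter_constructed_response()
    print("forwarded:", kept)
    print("dropped:  ", dropped)
```

dnsmasq expresses the same policy with `stop-dns-rebind` plus `rebind-domain-ok=/home.arpa/`, which is the exception the post refers to. Two points a practitioner should keep in mind: the zone match is a suffix match on a dot boundary, so `home.arpa.evil.example` does not inherit the exception; and the filter only inspects addresses, so it complements, rather than replaces, a device that checks the Host header of incoming requests.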

19 hours ago, mynameisjuan said:

RIP businesses because Susan couldn't keep her goddamn fingers off the link in the email labeled spam, because if she didn't she'd have 10 years of bad luck for not clicking and sharing within 1 min.

 

I'm getting tired of these doomsday-hyped exploits. This isn't that big a deal.

You don't need to interact with the page or ad for an exploit kit to launch.

 

If you use the internet on a PC and don't have exploit mitigations, it's a huge risk. Ad blockers and NoScript are NOT exploit mitigations.

 

People can be as dismissive as they want, but IoT botnets have been used for the biggest DDoS attacks ever.

 

These sites show you your DNS.

 

https://www.f-secure.com/en_US/web/home_us/router-checker

 

 

https://ipleak.net shows whether WebRTC leaks your IP through your VPN.


11 hours ago, AnonymousGuy said:

 

 

I spent the last hour reading about this. It's an actual problem.

 

You hit a malicious site from, say, your desktop. WebRTC leaking gives that site your LAN IP address (https://ipleak.net/). The attacker now knows what range of IPs to scan to probe your LAN. You can then scan all of these IPs looking for markers of IoT devices like login pages or whatever. Then you have a list of IP addresses for your IoT devices. DNS rebinding can then manipulate your desktop accessing http://malicious-site.com/your_iot_device_settings_page.asp to route malicious-site.com to your IoT device's private IP address.

 

The vulnerability comes from IoT devices having wide-open HTTP servers and APIs and shit that you can dump payloads through, from any computer on your network.

 

https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml/related?hl=en

 

This extension will stop Chrome from leaking your private IP address and make the search space larger to look for vulnerable devices if you aren't using 192.168.xx.xx (which you really shouldn't be anyway, but 99% of people do).

 

Routers also may have a "Prevent DNS Rebind" option that stops DNS requests being sent to local machines. But this blocks having a local DNS provider too, like Pi-hole, unless your router supports dnsmasq exceptions.

 

 

I'll also add that this has been a known "problem" for like 10 years, but originally the problem was being able to steal your router's password and then hope telnet was enabled and then do shit from there. IoT devices having shit security is the "new" vector.

My point is this: the machine you are on has to be susceptible to this. Even if it leaks the LAN IP you are on, it doesn't mean they will pull the IP of the other devices on your network or that they can even access them. DNS rebinding has been around for a while, and the browser and OS manufacturers have put things in place to prevent most of them.


On 7/23/2018 at 2:43 PM, rcmaehl said:

some sort of regulation to force smart devices to be audited before they reach the consumer as well as ensuring they receive security patches for at least X years

Ain't gonna happen. Consumer stuff is lucky if it gets one year of support, but the norm is to release stuff then abandon it so they can shove the new one down our throats (guess why manufacturers are trying to lock down phones and routers, for example).

