Do FEAR the IOT Reapers

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#1 Post by belham2 »

https://www.theregister.co.uk/2017/10/2 ... wing_fast/


Love this paragraph in the article:

"...During this month, the malware has been evolving to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes, Wi-Fi points, and so on, from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology...."


Then a bit later they say:

"...Right now, check to make sure you're not exposing a vulnerable device to the internet, apply any patches if you can, look out for suspicious behavior on your network, and take a gadget offline if it's infected.."


Anybody mind telling these cheesehead-reporters exactly HOW :roll: we are supposed to 'look out' for this stuff? Or even "know" if something is "infected"? In this day and age, with so many devices flying around the house, both LAN & wireless & cellular, it is damn near impossible to keep track. Even a well-thought-out pfSense firewall box is nearly helpless against this continual household onslaught. I know---I build and use pfSense firewall boxes, and the logs alone they generate would bring any person to their knees in tears :cry:

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#2 Post by prehistoric »

Meanwhile, there are new vulnerabilities to deal with in WPA2, and here's why it will take a while to fix them.

The problem in this case is not necessarily that the device itself will immediately be compromised and become part of a botnet, it is that an attacker may be able to read traffic on that channel which discloses information useful in later attacks.

My own rule for years has been that I disable remote access for administration of routers I use (and change the default password, of course). Set the device up so that it requires a direct wired connection for administration, even though this is inconvenient. If you use a wireless connection for administration, it is possible for someone using the KRACK attack to listen to traffic, including the settings and passwords you choose when you change the set-up. With remote administration enabled, and the password you set known, an attacker can do just about anything.

Note that every network gateway I've seen supplied by a cable company has a backdoor which allows them to change firmware and settings even if you have remote administration disabled. They are convinced that no one else will be able to use this (for reasons which escape me).

Getting firmware updates even for popular home products over a year old may be a problem. Suppose you have, as I do, a home router from Cisco/Linksys. The Cisco home router business has been sold to Belkin. Even assuming Belkin now has the expertise to fix those problems, how much motivation do they have? I'm sure they would prefer that you buy new equipment.

In that particular case, I'd recommend installing the latest version of DD-WRT or OpenWRT with the patch for WPA/WPA2. The hardware will continue working long after the original commercial developer has lost interest in maintenance programming.

For large numbers of IoT devices you can't even be certain the company responsible for developing the firmware remains in business. This may be true even if the label refers to a stable and reputable company. Rebranding products takes place all the time.

Oh, just one more thing. I'm sure there will be sites offering firmware updates that contain malware to naive consumers.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#3 Post by belham2 »

prehistoric wrote:
Meanwhile, there are new vulnerabilities to deal with in WPA2, and here's why it will take a while to fix them.

The problem in this case is not necessarily that the device itself will immediately be compromised and become part of a botnet, it is that an attacker may be able to read traffic on that channel which discloses information useful in later attacks.

My own rule for years has been that I disable remote access for administration of routers I use (and change the default password, of course). Set the device up so that it requires a direct wired connection for administration, even though this is inconvenient. If you use a wireless connection for administration, it is possible for someone using the KRACK attack to listen to traffic, including the settings and passwords you choose when you change the set-up. With remote administration enabled, and the password you set known, an attacker can do just about anything.

Note that every network gateway I've seen supplied by a cable company has a backdoor which allows them to change firmware and settings even if you have remote administration disabled. They are convinced that no one else will be able to use this (for reasons which escape me).

Getting firmware updates even for popular home products over a year old may be a problem. Suppose you have, as I do, a home router from Cisco/Linksys. The Cisco home router business has been sold to Belkin. Even assuming Belkin now has the expertise to fix those problems, how much motivation do they have? I'm sure they would prefer that you buy new equipment.

In that particular case, I'd recommend installing the latest version of DD-WRT or OpenWRT with the patch for WPA/WPA2. The hardware will continue working long after the original commercial developer has lost interest in maintenance programming.

For large numbers of IoT devices you can't even be certain the company responsible for developing the firmware remains in business. This may be true even if the label refers to a stable and reputable company. Rebranding products takes place all the time.

Oh, just one more thing. I'm sure there will be sites offering firmware updates that contain malware to naive consumers.

Pushing either DD-WRT or, especially, OpenWRT right now is not a good idea. DD-WRT is in disarray, and has been for the better part of the past 12 months. The releases being put out there are buggy, and bugs are not being addressed even when they are clearly identified. There were still a few good builders there, but unfortunately they've upped and left and taken their skills with them (along with the skilled posters who used to post stuff). Thus, things are overall not good in the DD-WRT 'official' world.

OpenWRT is in even worse shape. It's best to know that OpenWRT has basically been abandoned, and has been so for over a year now:

https://wiki.openwrt.org/toh/linksys/wrt_ac_series

This is not just true for Linksys router owners, but for everyone in general.

Tomato, thankfully, is still going strong, and is still actively being developed. I have yet to try Tomato (been wedded to OpenWRT for about a decade), but it is increasingly looking like Tomato is going to be the only viable option.


The worst part of this, as you correctly note, is that people are going to think they can just update their routers (like they do their phones and/or MSFT-iOS systems) with the click of a button. That is where all these sites, many of them malware-oriented & backed, offering up too-good-to-be-true quick fixes for the WPA2 mess, will strike. The people falling for this will quickly be toast.


Right now, the best we can advise others to do is two things:

1) to focus on 'patching' their devices (as jd noted in the other thread about the WPA2 problem) and, if technically challenged, to do nothing with their routers---except to consider, unfortunately, buying new routers if the one they have doesn't get fixed. That s#cks, but sometimes the possible alternative happening is way worse than just s#cking.

2) if possible, learn and/or find a friend who can set up a subnet (from your router) and completely separate all Wi-Fi and LAN traffic in the house. No Samba, no sharing, no anything between these devices. Then, educate the house users and instill in them a horror at using any Wi-Fi device when thinking of doing anything sensitive online. All sensitive things done online should only be done via 'LAN' connections. This is already common practice at many worldwide skunkworks projects and, yes, in case you're wondering, it is also current common practice at many gov't high-secure facilities. Wait for WPA2 to be supplanted; this has already been in the works and now, no longer facing inertia and apathy, will be pushed forward.



The last thing, which is going to be a spooky event not "IF" but "WHEN" it happens, is what you wrote here:

"...Note that every network gateway I've seen supplied by a cable [..and insert any worldwide internet provider here..] company has a backdoor which allows them to change firmware and settings even if you have remote administration disabled...."

Most every large ISP/cable/Internet provider in the world has gone to this mode. It is maddening, but their argument (which has some validity) is that, yes, it lowers cost for them with no repairmen visiting and/or long phone conversations with customers, but also that they can push out updates instantly, to all. I've seen this in action, and it works.

But when you ask these same companies what happens IF the hackers gain access to the company's systems, and thus take control of this aspect of being able to access all their customer devices from the so-called "official backdoor" built into their customer devices, well, the polite way to describe it, after they've mumbled something about hoping the company online-security posture can stop them (hold on while I uncontrollably laugh for a moment) :cry: ...anyway, the proper way to describe their response is that colour drains away from their face & they fall silent. And these are people that are in the vanguard of the industry doing this, and are knowledgeable as hell, but they know what they are up against.


Stuff, whether we like it or not, is really going to get interesting over the next several years.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#4 Post by prehistoric »

Thanks for mentioning Tomato, which will help others. My experience is from over a year back, and I was not aware of problems with DD-WRT support; I had merely seen that a patch was now available.

Unfortunately, it seems Advanced Tomato, which I would need for a dual-band router, only supports the Linksys E2500v1 and E2500v3 at the moment, and I have v2. Also, I don't see any mention of patches released after KRACK was discovered.

My attitude about buying new gear from companies that sold equipment with serious bugs, and then failed to support them past the warranty period, resembles my attitude toward protection rackets. You don't want to do business with people who say: "That's a nice secure network you have there. Be a shame if something happened to it."

Unfortunately, this approach has taken over a large part of the industry, and I'm not talking about the minor players.

A friend who still runs Windows wanted Norton Internet Security. I found a deal and bought it for him even though I don't run Windows myself. Now, I am regularly hit with ads for Symantec products. After the Equifax breach I was bombarded with ads for LifeLock to protect me from identity theft.

Note that I never had any agreement with Equifax; they just collected and sold information about me.

Oh, BTW, LifeLock is now owned by Symantec, which is controlled by M$. So, M$ ships products which are full of bugs and subject to security breaches; their solution is for you to pay Symantec for Norton software, which will prevent some known attacks but can't do much against zero-day exploits. When this fails, and your real-world identity is in jeopardy, their solution is to sell you LifeLock, which is basically an insurance policy. You are now paying three ways for security you are not getting -- not counting the personal information those companies are collecting and selling in ways they claim won't harm you. (Is anyone auditing this data?)

Anecdote: I've just been through a predictable exercise in proving that I am really me to get a new driver license and voter registration. (I also went through the trouble to get the little V that indicates a military veteran. With that and the accompanying picture I plan to tell stories about my experiences in the American Civil War.) Part of the exercise required sending out of state for a certified copy of my birth certificate.

A friend who was actually born in the same city where she now lives, a rare thing today, had concerns about identity theft (which is a particular problem in Florida), so she asked a clerk of her acquaintance if just anyone could walk in and demand a copy of her birth certificate. "Oh no, you have to present your driver license."

It seems both the Department of Motor Vehicles and the Department of Vital Records have solved the problem of confirming identity by depending on another department.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#5 Post by belham2 »

If we're being truthful, this stuff bothers us way more than it bothers most people. The reason being, we've taken time to think about what goes on in the circular logic peddled by companies, or so-called "tech" companies, nowadays. Most people just don't care, and won't, until it hits them & they have to go through the horror of getting their own life & identity back. In the meantime, companies profit on this and continue to do so, even when they actually do not help the victims who were directly impacted.

As far as LifeLock, I don't even want to get started on them. My disgust for how they came about, and what they did to get there, still bothers me. What's even worse, I did have an ounce of respect for Symantec, but not after this acquisition.

I really don't see a way out of all of this, because the beast, so to speak, has long been let out of the cage. The whole digital world was built upon kludgy, holey, patched code. There's no going back from that foundation layer. In some aspect, it will always exist. This means, to me, that by its very nature alone, the idea of a 'personal identity that is secured to one individual' may be something we never get back.

At the complete opposite end of the spectrum, what might actually save us all from this is AI. AIs that are either bought-sold and/or assigned to you, and their whole reason for existence is to spread across the web, monitoring it, and fighting to keep your "digital ID life" yours.

It's kind of ironic when you think about it.

At least that's more comfort than reading about an organization like, for example, the IRS that refuses to give an individual taxpayer a "unique" Identification Tax Paying Number unless that person can prove they've already been compromised. "Already"? What?? Isn't this sort of thinking backward? Haven't we all already been compromised?

Ole Elon Musk has it wrong----we may need the "malice" of AI to protect what little we have left of ourselves in the 'physical' world.


Just far-out ruminations & thinking-out-loud here...... :? Otherwise I can't think about this all; it's too overwhelming---especially given everything that has already gone on. And the even bigger events that are surely to come in the next couple of years.

Personally, I am waiting for two events: 1) the first massive strike, as in JPM or BA or Citi or Barclays or ...., that causes "real" widespread panic, with tens of millions of customers affected, and; 2) a nation-state, somewhere around the world, no matter how big and/or small (most likely the first strikes will be against places like Malta, Isle of Man, Liechtenstein, Bermuda, etc...) brought to its financial knees & thus failure due to its digital I.D. being torn away from it like a grizzly tears away a downed foe's limbs.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#6 Post by prehistoric »

My reason for noticing absurdities and circular logic has to do with painful experience overseas. If the official way seems to prevent anything from happening, and people are still driving automobiles, to pick a random example, it becomes clear to me that there are hidden channels of operation. In some locales, not naming any, the preferred solution is bribery.

I've had experience nearer to home with systems run by "good ole boys". Bribery is at least open to all applicants, regardless of who your uncle may be.

Meanwhile, I've acquired a Linksys E2500, hardware version 1 (which means it has no version number). This is now running Advanced Tomato, which I will still need to understand. Unfortunately, the fix for KRACK still depends on one person who understands Tomato, Shibby. About all we can do is vote for a fix to issue 168.

Back on topic for this thread, Reaper may not be quite as dangerous as thought. Don't despair, there are already new possibilities.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#7 Post by rufwoof »

belham2 wrote:
Most people just don't care, and won't, until it hits them

When I open up a new IP and activate an ssh server, or even just https, it's amazing just how quickly those IPs/ports get targeted, often from IPs such as the one attached (China). Some of the probe attempts are enlightening, to say the least.

Attachment: s.png (94.94 KiB)
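As an added example (not code from any poster), here is one concrete answer to belham2's "how are we supposed to look out for this" for the ssh probes rufwoof describes: a small Python script that reads OpenSSH auth.log lines, counts failed logins per source address, and flags sources that look like automated credential guessing (many failures, or failures spread over the default account names IoT botnets try). The log lines are constructed samples and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in standard OpenSSH format (not rufwoof's attachment).
# 203.0.113.5 walks through typical default accounts; 192.168.1.20 is a user who mistyped once.
SAMPLE_LOG = """\
Oct 23 10:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 23 10:01:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Oct 23 10:01:04 gw sshd[2102]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 23 10:01:05 gw sshd[2103]: Failed password for invalid user support from 203.0.113.5 port 51237 ssh2
Oct 23 10:01:06 gw sshd[2104]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2
Oct 23 10:02:10 gw sshd[2110]: Accepted publickey for alice from 192.168.1.20 port 40022 ssh2
Oct 23 10:03:11 gw sshd[2111]: Failed password for alice from 192.168.1.20 port 40023 ssh2
Oct 23 10:03:20 gw sshd[2112]: Accepted password for alice from 192.168.1.20 port 40024 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_failures(log_text):
    """Map each source IP to a Counter of usernames -> failed password attempts."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")][m.group("user")] += 1
    return failures


def parse_accepted(log_text):
    """Set of source IPs that had at least one successful login (any method)."""
    return {m.group("ip") for line in log_text.splitlines()
            for m in [ACCEPTED_RE.search(line)] if m}


def flag_scanners(log_text, max_failures=4, max_users=3):
    """Flag sources whose failure pattern looks automated: total failures >= max_failures,
    or failures across >= max_users distinct usernames (assumed thresholds).
    Returns sorted (ip, total_failures, usernames_tried, logged_in_afterwards); a True in the
    last field means a guessed credential may have worked and deserves immediate attention."""
    accepted = parse_accepted(log_text)
    flagged = []
    for ip, users in parse_failures(log_text).items():
        total = sum(users.values())
        if total >= max_failures or len(users) >= max_users:
            flagged.append((ip, total, sorted(users), ip in accepted))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, total, users, success in flag_scanners(SAMPLE_LOG):
        print(f"{ip}: {total} failures, users tried {users}, later success: {success}")
```

On a real box, feed it `/var/log/auth.log` (or the output of `journalctl -u ssh`) and the same logic applies to the router or firewall logs that are otherwise too noisy to read by hand.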
