I completely understand how IoT devices were used in the massive DDoS attacks because they are easily manipulated due to lack of firewalls, default passwords, etc.

What I don't understand is that, although easily hacked, most IoT devices are connected to secured private wifi networks.

Here's the question: So is it assumed that these thousands of IoT devices' networks were hacked first, then the device itself was hacked?

Helmar
Chad Caldwell
    A secured private network is just a conduit for the device to reach the internet and announce "I'm here, waiting for the password". – Agent_L Oct 25 '16 at 13:11
  • PC malware can easily find and hijack local devices that aren't outside-visible. – dandavis Oct 25 '16 at 17:22
    "*most IoT devices are connected to secured private wifi networks*" which are connected to the Internet, typically with no firewall. – David Schwartz Oct 25 '16 at 18:42

10 Answers

82

The devices are designed to be accessible from outside the home. To offer this service to their owners, they make themselves accessible through the homeowner's router/firewall. The way they do this is by sending a UPnP packet to the owner's router that tells the router to open a port that connects back to them. They then listen for connections that arrive directly from the internet.

In other words, the devices first hacked their owner's routers by design, which exposed their own vulnerabilities. (This has nothing to do with secured, private, or open WiFi, other than many IoT devices connect via WiFi; UPnP exposes the exact same vulnerabilities on wired devices connected by Ethernet cables, too.)

To protect yourself, disable UPnP on your router.

John Deters
    Note that with IPv6 the devices would be accessible by default without even needing UPnP nor opening ports (most consumer-grade routers don't firewall IPv6 from what I've seen). – André Borie Oct 25 '16 at 03:58
    @AndréBorie It is probably not a good idea for routers to have no firewall by default. I think a large number of consumers have a (possibly unjustified) expectation that the router will protect all the insecure devices on the LAN. And I think those who really don't need the firewall will know how to access the configuration and change the firewall setting. – kasperd Oct 25 '16 at 07:22
  • @kasperd Of course it is not a good idea, but is it really a surprise given that most of these routers are made by the same idiots who make insecure IoT devices and share the same flaws (backdoors, default passwords, outdated software, etc.)? – André Borie Oct 25 '16 at 07:45
  • @AndréBorie On some level, that expectation is a hangover from IPv4 and NAT, where two devices couldn't communicate unless ports were explicitly opened on routers. It seems likely that as IPv6 adoption increases, and brings universal addressability, a lot of vulnerabilities will emerge in software that opens TCP ports and trusts the data received on them. – James_pic Oct 25 '16 at 11:20
    @AndréBorie, most consumer-grade routers that support IPv6, e.g. Linksys, _do_ firewall IPv6, but they _don't_ NAT IPv6. Those are two very different things. – Ron Maupin Oct 25 '16 at 18:44
    @AndréBorie I've never seen a consumer grade router that _didn't_ firewall IPv6, though I'm sure one must exist. Of course, then you have the additional problem of figuring out the IPv6 address... – Michael Hampton Oct 25 '16 at 19:51
    @AndréBorie mine has an IPv6 firewall enabled by default. And it's the router supplied by my ISP. – Nathan Osman Oct 25 '16 at 21:27
    @kasperd What would be a really good idea would be for routers to have no firewall by default, and for devices to be secure by default, but that's not going to happen. – user253751 Oct 25 '16 at 23:54
  • You might also want to add a paragraph about users plugging their switches (or the switch port of their router) into their CPE, effectively giving all of their units a public IP and no (firewall) protection whatsoever from their router. Yes, people do this, and quite often too. I know, as I work for an ISP and we deal with this at least once a week. – ChristianF Oct 26 '16 at 07:28
  • I've seen this claim of IoT devices using UPnP to open ports elsewhere, too. Can someone point to actual evidence of devices that really do this? – Paul Coccoli Oct 26 '16 at 18:11
    @PaulCoccoli, here's Panasonic's instructions describing configuring UPnP for their web cameras: http://panasonic.net/pcc/support/netwkcam/technic/status_upnp.html Also see https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol , https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal and https://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol for info on the specifications. CERT is warning people to shut off UPnP here: https://www.us-cert.gov/ncas/alerts/TA16-288A . Krebs discusses it here: https://krebsonsecurity.com/2015/01/the-internet-of-dangerous-things/ – John Deters Oct 26 '16 at 18:33
  • @immibis I agree, that would be even better. – kasperd Oct 26 '16 at 20:11
  • @ChristianF There are actually scenarios where that is a sensible thing to do. But probably the majority of users doing that are doing it by mistake. You can probably tell the difference from whether they left DHCP enabled or not. As an ISP there are plenty of things you can do to make this scenario work well for the users. So depending on how much time you spend on users connecting their router that way by mistake, it might be worth to spend time accommodating that usage. – kasperd Oct 26 '16 at 20:22
  • @kasperd I strongly suspect they don't support that configuration because it wastes public IPs. – user253751 Oct 26 '16 at 23:18
  • @immibis If they truly care about that, they also support IPv6 and probably have configured DNS64+NAT64 for accessing IPv4-only sites. If the ISP include the IP of their DNS64 in the router advertisements they send to the clients, those clients will pretty much not use any IPv4 address they may have gotten through DHCP. – kasperd Oct 27 '16 at 06:43
  • @kasperd This is going off-topic for the question and answer. My point was that people do, sometimes, expose their units onto the public internet without using any kind of protection, rendering the need to crack the (non-existent) local network moot. – ChristianF Oct 27 '16 at 08:14
  • OK, here's what I don't get. Worms like Mirai work by scanning random public IPs and trying to telnet in, right? So if the IoT devices are behind a NAT, how would telnet on port 23 ever reach the device? UPnP would give a really high-numbered port, not a telnet port, correct? – Elliot Gorokhovsky Dec 04 '16 at 02:05
  • @RenéG , UPnP is a brief connection to the router to configure the firewall to listen on a specific port and to forward incoming packets to the camera's address (and port). The camera isn't using UPnP to make a permanent outbound connection to some address out on the internet, which would use the random high port number you're thinking of. – John Deters Dec 04 '16 at 04:20
  • @JohnDeters Ok, makes sense. But then why would cameras (à la Mirai) forward port 23??? It doesn't make sense! I get why you'd want telnet for local debugging, but why would they specifically add telnet to the UPnP-forwarded ports??? – Elliot Gorokhovsky Dec 04 '16 at 05:02
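The UPnP exchange this answer describes, as an added example that is not part of the original answer or of any vendor's code: the SSDP discovery a device multicasts to find the gateway, the IGD `AddPortMapping` SOAP request it then posts to the router's `WANIPConnection` control URL, and, for the defender, a parser for the mappings a router reports back so you can see which of them put a login port on the internet. The router responses, the LAN addresses, the `IPCAM` description and the `LOGIN_PORTS` table are constructed or assumed for this example; nothing is sent on the network.

```python
"""UPnP IGD port mapping: the discovery and AddPortMapping messages a device sends,
and an audit of the mappings a router has accepted. Added example, not from the
thread; the router responses and LAN addresses are constructed, nothing is sent."""
import xml.etree.ElementTree as ET

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_msearch(search_target=IGD_ST, mx=2) -> bytes:
    """SSDP discovery datagram, multicast over UDP to 239.255.255.250:1900."""
    lines = ["M-SEARCH * HTTP/1.1", "HOST: 239.255.255.250:1900",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode()


def build_add_port_mapping(ext_port, int_port, int_client, proto="TCP", desc="device", lease=0):
    """(SOAPAction header value, XML body) for WANIPConnection:1 AddPortMapping,
    POSTed to the control URL taken from the gateway's device description.
    Empty NewRemoteHost = any source on the internet; lease 0 = until reboot."""
    body = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="{WANIP_NS}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext_port}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{int_client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""
    return f'"{WANIP_NS}#AddPortMapping"', body


def soap_arguments(xml_text, element_suffix) -> dict:
    """The New* argument elements of a SOAP action (or its response) as a dict."""
    root = ET.fromstring(xml_text)
    action = next(el for el in root.iter() if el.tag.endswith(element_suffix))
    return {child.tag: (child.text or "").strip() for child in action}


def mapping_from_soap(xml_text, element_suffix) -> dict:
    """AddPortMapping and GetGenericPortMappingEntryResponse carry the same fields."""
    a = soap_arguments(xml_text, element_suffix)
    return {"remote_host": a.get("NewRemoteHost", ""),
            "external_port": int(a["NewExternalPort"]), "protocol": a["NewProtocol"],
            "internal_port": int(a["NewInternalPort"]), "internal_client": a["NewInternalClient"],
            "enabled": a.get("NewEnabled") == "1",
            "description": a.get("NewPortMappingDescription", ""),
            "lease_seconds": int(a.get("NewLeaseDuration", "0"))}


# Internal ports whose exposure puts a login or management surface on the WAN.
# Assumption: an illustrative list; extend it for your own devices.
LOGIN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 2323: "telnet-alt",
               80: "http", 443: "https", 8080: "http-alt", 554: "rtsp"}


def flag_exposed_services(mappings) -> list:
    """Enabled mappings that forward a login port to a LAN host from any remote host."""
    findings = []
    for m in mappings:
        service = LOGIN_PORTS.get(m["internal_port"])
        if m["enabled"] and service and m["remote_host"] == "":
            findings.append(f"{m['internal_client']}:{m['internal_port']} ({service}) "
                            f"reachable from the internet on {m['protocol']}/{m['external_port']} "
                            f"[{m['description'] or 'no description'}]")
    return findings


def _entry_response(ext, proto, int_port, client, desc) -> str:
    """Constructed GetGenericPortMappingEntryResponse, in the shape a router returns."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
 <u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
  <NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
  <NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
  <NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>{desc}</NewPortMappingDescription>
  <NewLeaseDuration>0</NewLeaseDuration>
 </u:GetGenericPortMappingEntryResponse>
</s:Body></s:Envelope>"""


SAMPLE_RESPONSES = [  # constructed router state: a camera's telnet, and a harmless high port
    _entry_response(23, "TCP", 23, "192.168.1.50", "IPCAM"),
    _entry_response(51413, "TCP", 51413, "192.168.1.20", "torrent"),
]


def audit_sample() -> list:
    mappings = [mapping_from_soap(x, "GetGenericPortMappingEntryResponse") for x in SAMPLE_RESPONSES]
    return flag_exposed_services(mappings)
```

To run the audit against a real router rather than the constructed responses, POST `GetGenericPortMappingEntry` with `NewPortMappingIndex` 0, 1, 2, ... to the `WANIPConnection` control URL and feed each response through `mapping_from_soap`; the table ends when the router answers with UPnP error 713 (SpecifiedArrayIndexInvalid). `upnpc -l` from miniupnpc produces the same listing. A mapping with an empty `NewRemoteHost` onto port 23 of a LAN host is exactly the state that makes a credential-guessing scanner's job trivial, and disabling UPnP on the router (as the answer says) stops devices from creating it without your knowledge.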
15

Your understanding of the attack is not as clear as you think. In this article, Krebs mentioned that the attackers didn't really have to hack the devices. The vulnerability was well known; they just had to scan the internet for those devices.
Sure, if SSH/Telnet to the devices was disabled, the problem would have been solved easily. To make matters worse, the hard-coded credentials present in the hardware were not even visible in the web interface to the administrator.
Yes, it is absolutely imperative to know which devices are present in your network and which services you do/do not need.

EDIT: After @tlng05's clarification about the question.
As already mentioned in other answers, you should disable UPnP on your router to make absolutely sure that your device is not straightforwardly configurable from the outside world.

Limit
    I think OP is interested in knowing how SSH/Telnet would be accessible when the device is connected to a private home network, which would normally have an inbound NAT firewall. – tlng05 Oct 25 '16 at 03:11
  • That is a common misunderstanding. They typically have NAT devices that have firewall capabilities that vary from minimal to none at all. Where there are firewall capabilities, they are almost never enabled. – David Schwartz Oct 25 '16 at 18:44
    @tlng05, don't confuse NAT, a kludge to extend IPv4 addressing, with firewalls. You can have a very secure firewall that doesn't have NAT enabled, and you can NAT on a device without having a firewall. The firewall/router combination is just a convenient place to NAT, but it is not a firewall. – Ron Maupin Oct 25 '16 at 18:46
  • @RonMaupin Still, if it's behind NAT, how would a telnet request on port 23 ever reach the IoT device? How would the router know to forward to the camera? I've heard stuff about UPnP on here, but why in the hell would the manufacturer forward port 23 through UPnP? Doesn't make sense! – Elliot Gorokhovsky Dec 04 '16 at 22:48
  • @RenéG, a firewall protects your network, not NAT. If you have no firewall features, it is possible to take over the router by its public address. Then NAT does nothing for you because the router knows how to get to the internal network. Also, if a different port is open, it is possible under some circumstances to get through NAT to take over an inside host, and then all bets are off. NAT doesn't really provide security, firewalls do. – Ron Maupin Dec 04 '16 at 22:53
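The practical advice in this answer is to know which devices and services are on your network. One way to act on it, as an added example that is mine and not from the answer, is to read the router's own firewall log for the pattern the thread describes: one LAN host sending telnet SYNs to many unrelated internet addresses in a short time is an infected device running the scanner, while scattered inbound telnet attempts on the WAN side are the rest of the internet looking for you. The log lines below are constructed for the example in the netfilter `LOG` target format (`iptables -j LOG`); the interface name in `WAN_IF`, the 60-second window and the five-target threshold are assumptions to tune for your own router.

```python
"""Spotting Mirai-style telnet scanning in a router's firewall log. Added example,
not from the thread; the log lines are constructed in the netfilter LOG format
and WAN_IF plus the thresholds are assumptions for your own environment."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

WAN_IF = "eth0"               # assumption: the interface facing the internet
TELNET_PORTS = {23, 2323}     # the ports the thread says the scanner went after

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$")


def parse_netfilter_log(line: str):
    """One LOG line -> event dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = d["rest"]
    return {
        "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
        "inbound": d["in"] == WAN_IF,
        "src": d["src"], "dst": d["dst"], "proto": d["proto"],
        "dpt": int(d["dpt"]) if d["dpt"] else None,
        "syn": " SYN" in flags and " ACK" not in flags,     # connection attempt, not a reply
    }


def telnet_scan_sources(events, window_s: int = 60, min_targets: int = 5) -> dict:
    """{src: n} for hosts that SYN'd telnet ports on >= min_targets distinct
    destinations inside any window_s-second window (a scanner, not a user)."""
    per_src = defaultdict(list)
    for e in events:
        if e and e["proto"] == "TCP" and e["syn"] and e["dpt"] in TELNET_PORTS:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            in_window = {dst for t, dst in hits[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def split_by_side(flagged: dict) -> dict:
    """Scanners with a LAN address are our own infected devices; the rest is the internet."""
    lan = sorted(s for s in flagged if ipaddress.ip_address(s).is_private)
    wan = sorted(s for s in flagged if s not in lan)
    return {"lan": lan, "wan": wan}


def inbound_telnet_probes(events) -> int:
    """Distinct internet hosts that tried telnet against our WAN side."""
    return len({e["src"] for e in events
                if e and e["inbound"] and e["syn"] and e["dpt"] in TELNET_PORTS})


def _line(ts, in_if, out_if, src, dst, spt, dpt, flags="SYN"):   # constructed log line
    return (f"{ts} gw kernel: [  812.40] FW IN={in_if} OUT={out_if} SRC={src} DST={dst} "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=5840 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = [
    # LAN camera sweeping telnet on unrelated internet hosts: the scanner pattern
    _line("Oct 25 13:11:02", "br0", WAN_IF, "192.168.1.50", "203.0.113.5", 40211, 23),
    _line("Oct 25 13:11:02", "br0", WAN_IF, "192.168.1.50", "198.51.100.77", 40212, 23),
    _line("Oct 25 13:11:03", "br0", WAN_IF, "192.168.1.50", "203.0.113.200", 40213, 2323),
    _line("Oct 25 13:11:04", "br0", WAN_IF, "192.168.1.50", "192.0.2.9", 40214, 23),
    _line("Oct 25 13:11:05", "br0", WAN_IF, "192.168.1.50", "203.0.113.41", 40215, 23),
    _line("Oct 25 13:11:07", "br0", WAN_IF, "192.168.1.50", "198.51.100.3", 40216, 23),
    # the same camera talking to its vendor's cloud, and a laptop browsing: normal
    _line("Oct 25 13:11:08", "br0", WAN_IF, "192.168.1.50", "198.51.100.10", 40217, 443),
    _line("Oct 25 13:11:09", "br0", WAN_IF, "192.168.1.20", "203.0.113.80", 51000, 443),
    # three internet hosts probing our WAN address for telnet, one attempt each
    _line("Oct 25 13:11:10", WAN_IF, "", "203.0.113.66", "198.51.100.200", 33333, 23),
    _line("Oct 25 13:11:30", WAN_IF, "", "192.0.2.120", "198.51.100.200", 44444, 23),
    _line("Oct 25 13:11:45", WAN_IF, "", "203.0.113.9", "198.51.100.200", 55555, 2323),
]


def analyse(lines) -> dict:
    events = [parse_netfilter_log(l) for l in lines]
    flagged = telnet_scan_sources(events)
    return {"scanners": flagged, "sides": split_by_side(flagged),
            "inbound_probers": inbound_telnet_probes(events)}
```

On the constructed log, `analyse(SAMPLE_LOG)` flags `192.168.1.50` with six distinct telnet targets in five seconds and places it on the LAN side, which is the device to pull off the network and re-flash, while the three inbound probers stay below the threshold (they each hit one address) and are only counted. The detection needs the router to log new connections in both directions, for example a `LOG` rule on `FORWARD` for `--syn` packets; without that, a scanning camera behind NAT is invisible from the outside.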
10

Your misconception is here:

secured private wifi networks

Whilst many home WiFi networks are secured against unauthorised wireless devices connecting directly, many are wide open to access from the wider Internet. It's this access (that's demanded by the IoT devices to perform their legitimate functions) that can be abused (and on a much bigger scale than physically visiting many WiFi networks).

The attack surface of a router is on both networks!

Toby Speight
  • It's accessible from the wider Internet; there you are correct. I won't say that it is wide open. I think for over 20 years the basic routers have been closed on the common ports. You cannot connect over port 22 to each IP address or something like that. But as stated above, UPnP removes this security big time. Never enable that; it makes your router insecure – Adam Sitemap Oct 25 '16 at 09:35
    @AdamSitemap The only security UPnP removes is accidental security. If a port is filtered by a firewall, enabling UPnP won't unfilter it. If a port is not filtered by a firewall, any security is accidental and unreliable. – David Schwartz Oct 25 '16 at 18:45
2

What I don't understand is although easily hacked, most IoT devices are connected to secured private wifi networks.

Yes, they are connected to your private wifi networks, but are they secured? Well, not so much: as pointed out by you, these devices are unprotected by firewalls and IPSs, unlike enterprise networks. Some of them have ancient firmware which hasn't been updated in ages. And yes, some still have default passwords working, so that anyone can easily gain access and exploit them for attacks.

So is it assumed that these thousands of IoT devices' networks were hacked first, then the device itself was hacked?

Well, not necessarily, although it may be possible in some cases. But mostly these devices are intentionally left exposed to the internet because they need to be accessed from anywhere around the world.

As pointed out by many examples above, if you want the CCTV footage of your house you would mostly want it live streamed to your handheld device, and that is why they need to be accessible over the internet. There are N number of other examples.

Conclusion: To use IoT devices for an attack, one doesn't need access to your network. These devices can be directly accessed from the internet. What we need to do is protect these devices from such unauthorized access and keep our devices safe without having to use expensive devices like firewalls and IPSs.

  • I think this adds a valuable point: my understanding is that a lot of these crappy IoT devices that have been compromised have actually been placed *outside* any firewall perimeter a user might have, directly connected to the Internet. (But then, of course, in addition you do have port-forwarding and UPnP scenarios where a device is inside the router/firewall but still vulnerable.) – mostlyinformed Oct 25 '16 at 15:04
  • @halfinformed Most likely, there is no real firewall to speak of, just a router whose job is to make things "just work", not provide protection. – David Schwartz Oct 26 '16 at 17:26
  • @halfinformed Yes this is the case but only sometimes, mostly as David said there are no firewalls and routers don't do anything. – Anirudh Malhotra Oct 28 '16 at 05:13
  • By "firewall" I mean even any lousy SOHO router or ISP distributed router with some basic firewall-like functionality. (Meaning basically any device that doesn't just let arbitrary inbound packets from the Internet through to a user's internal network.) I certainly did not mean to imply that ordinary users are typically utilizing discrete firewall devices. – mostlyinformed Oct 29 '16 at 18:53
2

UPnP can be an issue, but everybody seems to be missing the point that many of these devices make persistent standard outgoing NAT connections to the vendors' servers. All the attacker has to do is hack into the vendor's site to gain control of all of the attached IoT devices, and from there, since they are now inside home networks, to attack other computers inside the network or launch DDoS attacks. Direct HTTP, SSH or other UPnP-enabled access through your router isn't necessarily a requirement.

Craig Tullis
    But there's no indication that's what's happening. The vuln is in the devices and the crappy upnp-enabled routers, not the vendor's central servers. If it were the latter it would be easy to fix. – R.. GitHub STOP HELPING ICE Oct 25 '16 at 16:29
  • There have definitely been hacks into devices through vendor websites. – Craig Tullis Oct 25 '16 at 16:54
  • The MIRAI botnet and malware is not hacking the vendors' servers or website. It is directly connecting to the end-users' webcams and other IoT devices by connecting to well-known ports that the devices have exposed using UPnP, then testing a set of 66 different default credentials on those ports. Yes, someone could theoretically attack the vendor's site, but that hasn't been true for any of the recent massive DDoS attacks. – John Deters Oct 25 '16 at 21:40
  • The OP's question didn't specifically name the MIRAI botnet (the body of the question did *allude* to it). The heading is: *"Does the local network need to be hacked first for IoT devices to be accessible?"* Based on that heading, the answer is no, the attacker doesn't even always *have* to make any effort to breach your router at all. If they can get away with social engineering the IoT device vendor's company, they can get into all of the devices at once since, often, all those devices already made **outgoing** persistent connections to the IoT vendor. There's more than one IoT threat vector. – Craig Tullis Oct 26 '16 at 00:29
1

While IoT devices are indeed within secure networks, they are largely made such that they are accessible from the internet. For example, the temperature setting of your home is accessible from your phone app when you're at work. This is enabled by a connection being opened up to the internet. This answers why they're able to access the outside world.

Now, most IoT devices, or botnets, are not well patched and use loose security configurations. Parts 1 and 2 of the article found here explain this in detail, but to summarize, these devices are infected with malware. They are able to send outgoing messages to the internet (the outside world). And thus, they end up sending the "DoS" message to the target.

katrix
1

Most IoT devices are on networks that are connected to the Internet by conventional SOHO NAT routers that typically have very limited firewall capabilities, or where the firewalls are not enabled or maintained. There is a common myth that NAT is a security layer; it is not.

"NAT and firewalling are completely orthogonal concepts that have nothing to do with each other. Because some NAT implementations accidentally provide some firewalling, there is a persistent myth that NAT provides security. It provides no security whatsoever. None. Zero." -- How Important is NAT as a security layer?

David Schwartz
1

It may be worthwhile thinking about terminology and what is meant when people say that IoT things have been 'hacked'. In many cases, the devices have not been hacked at all - they are performing as designed.

Broadly speaking, there are two types of network connections. The first type is a fully connected type connection where both parties need to be fully connected. Similar to a phone call, you need to have someone on both ends. With this type of connection, the initiating system makes an initial connection to the destination system and the destination system connects back to the initiating system. This type of connection is what normally occurs when it is important to be able to coordinate communications, track data packet order and request re-sending of any lost data.

The other type of connection is more like a messaging connection (think of SMS or some other messaging). In this type of connection, you don't have a bi-directional connection. The originating system sends a message to the destination system and, depending on the message, the receiving system may send back a response to the sender address in the initial message. This type of communication is good when order of data, loss of some data etc. is not critical.

The thing is, while fully connected connections are great for things like data integrity and, because of the bi-directional nature, are difficult to spoof, they are more expensive in terms of resources and overhead. The second type of connection has less integrity and is easier to spoof because there is no bi-directional connection, but it is cheap: it requires fewer resources and has lower system overheads to process.

Many IoT systems are small, lightweight and need to be efficient. They typically have less memory and less powerful processors and therefore tend to favour designs which use connectionless protocols rather than more expensive connected protocols. However, this also means that it is easier for rogue systems to 'lie' and do things like spoof IP addresses. This is like me sending you a message where the return address is false. When you reply to the message, your reply will go to the address in the message, but that is not the real originating address.

In effect, what is happening is that the IoT devices are being fooled into sending data/responses to an innocent bystander who has not requested anything. The system has not been 'hacked', only fooled.

Often, the situation can be made worse by using amplification techniques. There are some connectionless type services out there which, when asked a very simple/short question, will respond with a very long answer, i.e. answers with lots of data. This can make it very easy to create a situation where a victim site (such as a DNS server) suddenly starts receiving large amounts of data it was not expecting or did not ask for.

To do this, all you need to do is identify devices on the internet which support a connectionless protocol, send these devices a message which requests something that is likely to involve a large data response, and spoof the IP address of the targeted victim.

To make it worse, the targeted system doesn't even need to know or understand the data being sent to it. The idea is to just send so much data that the system becomes overwhelmed; that could happen when the system is forced to look at large amounts of incoming data simply to make a decision to discard it and take no further action. With enough data, even that process of working out that you need to just ignore it can be enough to prevent the system from being able to process legitimate connections. The fact that this data is coming from multiple different source systems, i.e. all the IoT devices, means you cannot just block an IP address because there are simply too many.

So, while it is very true there are far too many IoT devices which have been poorly designed and lack sufficient security controls, a part of the problem is the conflicting requirements to implement a light-weight, resource-efficient solution on one hand, but somehow deal with a world with too many malicious agents who want to exploit your good intentions on the other. There is certainly a lot IoT vendors could do to improve the situation, but for most of them, this would just increase production costs and the reality is, most consumers are not aware of the issues, so failing to invest in the better solution doesn't affect market share and therefore doesn't result in sufficient financial benefit.

Tim X
  • In other words, similar in principle to a DNS reflection attack. – ssokolow Jan 23 '17 at 04:11
  • Yes, in the sense that these IoT devices can be used to perform the DDoS reflection attack on an unsuspecting 3rd party. There are other significant security issues with many IoT devices simply because manufacturers have not designed security into their systems. However, using them to perform DDoS reflection attacks is one of the highest concerns as it provides the potential to impact on large numbers of unsuspecting victims. The other security issues associated with IoT tend to only affect the individual/site running them,so less potential impact. – Tim X Jan 24 '17 at 09:33
  • @TimX, you said "In many cases, the devices have not been hacked at all - they are performing as designed." Except an IoT network is generally kept behind a firewall, where network security has to be penetrated first. Sure, you could possibly send my IoT devices into an amplification attack against each other that would make my house unhappy, but my traffic won't impact your house. That would require my devices to violate your firewall to get your devices to attack each other. Propagating the attack takes hacking the devices. Mirai hacked the devices, they were not "performing as designed". – John Deters Feb 07 '17 at 15:26
  • One small problem with your assumption about firewalls: IPv6. Very few of the modems sold in the domestic market support firewalls for IPv6, yet the majority of them now support IPv6 and an increasing number of ISPs now enable IPv6 by default. The other problem is that many of these IoT devices are designed to allow external connections, either requiring port forwarding or using something awful like UPnP. Combine this with the high use of IoT in domestic and small office situations where IT skills are often low and you have a problem. Relying on the firewall is really just 'candy' security – Tim X Feb 08 '17 at 18:34
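The "message with a false return address" this answer describes, as an added example that is not part of the original answer: it builds the exact bytes of an IPv4/UDP datagram whose source field carries a victim's address rather than the sender's, with a small DNS `ANY` query as the payload (the short question that draws a long answer), and then parses the packet back the way a reflector would see it. The point a practitioner should take from it is that both checksums verify for the spoofed packet exactly as they do for an honest one, because the UDP checksum is computed over whatever source address the sender wrote; nothing in a connectionless datagram authenticates its origin. No packet is sent (that would need a raw socket and a network that does not filter spoofed sources); the addresses are documentation ranges and the function names are assumptions for this example.

```python
"""Source-address spoofing in a UDP request: the bytes of an IPv4/UDP datagram
whose source is a victim, and what the receiver can (not) tell. Added example,
not from the answer; nothing is sent and the addresses are documentation ranges."""
import socket
import struct

IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; verifying a block that includes its checksum field yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query(name: str, qtype: int = 255, txid: int = 0x1337) -> bytes:
    """Minimal DNS question (qtype 255 = ANY: a short question with a long answer)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # flags: RD set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)            # class IN


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """IPv4 + UDP datagram. src_ip is whatever the caller says it is."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_UDP, udp_len)  # covers the claimed source
    udp_zero = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_ck = ones_complement_sum(pseudo + udp_zero + payload) or 0xFFFF  # 0 is "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_ck) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0, ttl, IPPROTO_UDP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(pkt: bytes) -> dict:
    """What a receiver (the reflector) can see: addresses and whether checksums hold."""
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    sport, dport, udp_len, udp_ck = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl,
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "udp_checksum_ok": udp_ck == 0 or ones_complement_sum(pseudo + pkt[ihl:ihl + udp_len]) == 0,
        "payload": pkt[ihl + 8:ihl + udp_len],
    }


def reflection_request(victim_ip: str, reflector_ip: str, name: str = "example.com") -> bytes:
    """The datagram a reflection attack hands to an open resolver: a tiny query whose
    source address is the victim's, so the much larger answer is delivered to the victim."""
    return build_ipv4_udp(victim_ip, reflector_ip, 4444, 53, build_dns_query(name))


if __name__ == "__main__":
    pkt = reflection_request("198.51.100.200", "203.0.113.53")
    info = parse_ipv4_udp(pkt)
    print(f"{len(pkt)} bytes, src={info['src']} dst={info['dst']}, "
          f"checksums ok: {info['ip_checksum_ok']} / {info['udp_checksum_ok']}")
```

The spoofed packet is 57 bytes on the wire; an `ANY` answer for a large zone can be many times that, which is where the amplification comes from. The only place this can be stopped is at the edge of the network that emits the spoofed packet (ingress filtering of source addresses, BCP 38), or by the reflector rate-limiting and refusing to answer `ANY`; the victim cannot tell the forged request's reply from any other traffic, which is the answer's point about "fooled, not hacked".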
0

XM actually disabled telnet/ssh on many of their IoT devices (they supply many for new DVRs, webcams, etc.) more than a year ago. So anyone who had actually updated the firmware (who knows) or had bought a more recent model of (IoT device whatever) since then likely would have been immune from that sort of attack.

My understanding is that Mirai (not sure about the other popular one, Bashlight) connected to most IoT devices through GRE, an IP point-to-point virtual tunnel. GRE is kind of like a VPN of packet delivery: it can pass data through a public network privately, without the actual data/headers being identifiable and with almost no protocol overhead. So once you have a master list of exploitable cams, home sec, connected whatever devices and the models, you can scan the whole internet and tunnel to IPs accessible through open ports, run against passwords, etc. etc. Hard for people to see it coming because GRE looks like regular IP transmission between devices calling home or streaming home video to an app, etc. This is just my take...

0

New in this forum, I thought I'd chime in from a hobby IoT device maker's perspective. I may very well be off topic, not least since I am not entirely sure what you guys even consider to BE an IoT device, but for what it's worth:

The "IoT devices" I create, which do useless things such as report whether or not someone has moved within a certain area in a certain time, could easily be "hacked" without accessing my WiFi. You could probably just put up a receiver of the right sort (we could be talking 433MHz) and eavesdrop all day. Then you could craft your own messages and send them to my stupid device and/or the server that collects that information, and have me running home in panic since my not-so-smart-home system says it's 200 degrees Centigrade in my fridge and five thousand people have passed into my garage but no one came out.

Basically what I'm saying is that whatever flaws the IoT device's hardware exposes directly, and its software doesn't guard against, could be an entry port for a hacker. Heck, based on where the device is placed you could even attach your own hardware to it and start making trouble. "Here's my WiFi-enabled ESP8266, go ahead and upload your own software to it via USB." But I guess that's really out of scope.

Culme
  • Hi @Culme, the issue here is that the devices are visible to the internet, where economies of scale mean that dozens of hacked devices can be set upon thousands of other devices, which can then hack millions. An insecure 433MHz RF connection can be exploited only by an attacker physically located within signal range of your house. And hacking your single IoT device doesn't grant him the ability to hack thousands of other RF devices, unless he drives to a thousand other homes. The internet-facing vulnerabilities are the ones that lead to Mirai, not the RF facing ones. – John Deters Feb 07 '17 at 15:13