I still love to listen to GRC’s Steve Gibson on the program Security Now! A few weeks back, Steve said “The S in IoT is for Security” which made me laugh perhaps far too much. As we discover more with each passing day, it seems there is no Security in the Internet of Things.
All of my readers will be well familiar by now with the Mirai botnet, which has demonstrated the capability to cause enormous DDoS attacks, including the 665 Gbps attack against Brian Krebs and the Dyn DNS attack which crashed a substantial portion of the US Internet.
Both of these attacks were carried out by an assortment of Internet of Things devices that ship with default vulnerabilities or default userids and passwords which, in many cases, are not reset by the users who install these devices in their homes, and in many cases CANNOT be changed at all! When people have asked me what I think the answer to this problem is going to be, I’ve replied that it seems like a Consumer Protection issue and that I hoped the Federal Trade Commission would intervene. While some companies have issued voluntary recalls, such as XiongMai Technologies of China, which makes many whitebox DVR and IP-connected webcam components that are embedded in devices sold by other manufacturers, most are washing their hands of responsibility.
[Image: Sample XM Camera components]
XiongMai claims (in a Chinese press release) that in their case the widely abused telnet problem was fixed in April of 2015, but they already had many millions of devices installed before that date. Their letter to the Chinese Ministry of Justice about the issue is at the same link.
The FTC’s Carrot
The FTC seems to be taking a Carrot and Stick approach, and the Carrot came first. All the way back in November of 2013, the Federal Trade Commission held a special Workshop on Security & Privacy in the Internet of Things, gathering formal comments (including tweets) about the presented materials. This led to the release, in January of 2015, of a 71-page report, “Internet of Things: Privacy and Security in a Connected World”, as well as a 12-page report for IoT system designers called “Careful Connections: Building Security in the Internet of Things”.
The FTC’s Stick: D-Link Gets Hit
- D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
- D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
- D-Link allegedly mishandled its own private key code used to sign into D-Link software and as a result, it was publicly available online for six months.
- D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.
In this article, Consumer Education Specialist Ari Lazarus offers some tips to consumers for before and after they buy their router:
- Before you buy or replace a device, do research online. Use search engines to find reviews, but be skeptical about the source of the information. Is it from an impartial security expert, a consumer, or the company itself?
- Download the latest security updates. To be secure and effective, update the software that comes with your device. Check the manufacturer’s website regularly for new software and updates.
- Change your pre-set passwords. Change the device’s default password to something more complex and secure.
- “hard-coded” login credentials in D-Link camera software, often the “guest/guest” userid and password (these devices were among those targeted by the Mirai botnet)
- a software flaw known as “command injection” that allows hackers to execute unauthorized commands on D-Link routers (see for example CVE-2015-2049, CVE-2015-2050, CVE-2015-2051) – security researcher Pierre Kim advised consumers to throw the security-flawed DWR-932B router in the trash after documenting 20 known vulnerabilities.
- mis-handling of a private key code used to sign in to D-Link software, leaving the code on a publicly accessible website for more than six months (as discussed in Ars Technica in September 2015)
- leaving users’ login credentials for D-Link’s mobile applications unsecured in clear, readable text on their mobile devices, even though free software is available to secure the information (this refers to the “mydlink Lite” app)
[Image: mydlink Lite mobile app stored userid and password in plaintext on the mobile device]
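The “command injection” allegation above is the classic pattern of a router’s web UI pasting a user-supplied field straight into a shell command. As an added illustration that is not from this post, the FTC complaint or D-Link’s firmware, here is a hypothetical ping-diagnostic handler in C showing the unsafe string-building form next to the hardened allow-list-plus-argv form; the function names and sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Typical vulnerable pattern in embedded web UIs: a user-supplied field is
 * pasted into a shell command string for system()/popen().  Everything after
 * a ';' or '|' in `host` is parsed by the shell as a second command. */
int build_unsafe_cmd(const char *host, char *out, size_t n) {
    int w = snprintf(out, n, "ping -c 1 %s", host);
    return w >= 0 && (size_t)w < n;
}

/* Hardened form, step 1: allow-list validation.  A ping target may only be a
 * hostname or dotted IPv4 literal (letters, digits, '.', '-'); shell
 * metacharacters, quotes and whitespace are rejected simply by not being on
 * the list, and a leading '-' is rejected to block option injection. */
int valid_ping_target(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened form, step 2: never go through a shell.  Build an argv for
 * execv()/posix_spawn() so the target is exactly one argument and can never
 * become a second command.  Returns argc, or -1 if the target is rejected. */
int build_ping_argv(const char *host, const char *argv[], size_t max) {
    if (max < 5 || !valid_ping_target(host)) return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1"; argv[3] = host; argv[4] = NULL;
    return 4;
}

int main(void) {
    /* Constructed sample inputs: one benign target, one carrying a shell
     * metacharacter of the kind a command-injection bug would pass through. */
    const char *samples[] = {"192.168.0.1", "10.0.0.1; id"};
    for (size_t i = 0; i < 2; i++) {
        char cmd[256]; const char *argv[5];
        build_unsafe_cmd(samples[i], cmd, sizeof cmd);
        printf("unsafe shell string : %s\n", cmd);
        if (build_ping_argv(samples[i], argv, 5) < 0)
            printf("hardened argv       : REJECTED by allow-list\n");
        else
            printf("hardened argv       : [%s] [%s] [%s] [%s]\n", argv[0], argv[1], argv[2], argv[3]);
    }
    return 0;
}
```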
Other Actions of FTC Swinging Its Stick
This is a Security Bloggers Network syndicated blog post authored by Gary Warner, UAB / PhishMe. Read the original post at: CyberCrime & Doing Time