Monday, February 13, 2017

Internet of Things DDOS attack danger.

Yes friends, those WiFi-capable light bulbs may not be such a great idea.

A full-blown Skynet situation might be the thing of science fiction (we hope, anyway), but that doesn't mean bizarre things involving machines can't happen. As proof of this, Verizon teased an entry in its upcoming 2017 Data Breach Digest that describes a recent DDoS attack on an unnamed university involving vending machines, light bulbs, and 5,000 Internet of Things (IoT) devices.

As with many DDoS attacks involving IoT devices, this one is the result of system administrators being a little too lax with security on these seemingly benign devices. The university in question dismissed complaints from students across campus about slow or inaccessible network connectivity. When things took a turn for the worse, the university called in the cavalry—Verizon's RISK (Research, Investigations, Solutions, and Knowledge) team, in this case.

It is worth reading in its entirety, because the university very nearly had to -replace- 5000 some odd light bulbs, vending machines and other little IoT doodads. That would be a big bunch of money. All because of some script kiddie with a hack, and really bad network security.

Now, here's why this is even a thing. This chip right here: ESP8266. From the Wikipedia article on it:

The ESP8266 is a low-cost Wi-Fi chip with full TCP/IP stack and MCU (Micro Controller Unit) capability produced by Shanghai-based Chinese manufacturer, Espressif Systems.[1]
The chip first came to the attention of western makers in August 2014 with the ESP-01 module, made by a third-party manufacturer, AI-Thinker. This small module allows micro-controllers to connect to a Wi-Fi network and make simple TCP/IP connections using Hayes-style commands. However, at the time there was almost no English-language documentation on the chip and the commands it accepted.[2] The very low price and the fact that there were very few external components on the module, which suggests that it could eventually be very inexpensive in volume, attracted many hackers to explore the module, chip, and the software on it, as well as to translate the Chinese documentation.[3]
The ESP8285 is an ESP8266 with 1 MB of built-in flash, allowing for single-chip devices capable of connecting to Wi-Fi.[4]

This particular little devil is the size of a fingernail and costs ~$5US in bare-chip form at bulk prices. A one-off is $7.00. Here it is at Adafruit, with a break-out board and power circuitry etc. for under ten bucks.

This unit allows WiFi connectivity to virtually anything, amazingly cheaply. There are other such chips on the market, and some are a lot cheaper. That's why we have WiFi-connected LED light bulbs on the market, suddenly.

This particular chip is not as powerful as a PC, but there are lots of implementations out there that are. There are others that have less capability but are smaller; they get down to the size of a grain of rock salt.

You can WiFi chip anything. Kids' dolls, Hot Wheels cars, flying drones smaller than a pack of smokes. Or how about an extension cord, a USB or HDMI cable, a stapler, a watch, an eraser, a pencil... an Ethernet connector... You get the picture.

And when I say "you", I mean you, Mr./Ms./Whatsit Reader, can most likely crank one of these things together and program it to do what you want. It is really not hard, if you have the determination or the driving need to do it.

What has not happened is an industry standard method for SECURING these things. You have 5,000 PC-grade devices on a network, you need to password protect them. Unfortunately, most people have no experience doing that kind of thing. Hence a university having to hire Verizon to clean up their network for them.

Here's something from 2007 about that very issue. You don't have to be a genius, the tools are out there. But, you do have to pay attention and keep up with the jerks who crack these things.

Also the hardware: Qualcomm announced 802.11ax today. Brand new ARM quad-core routers and brand new receivers, a whole new universe of hackery to guard against.

Just remember, if it doesn't HAVE WiFi they have to stick a wire into it to crack it. I'm all about the wires, these days.

The Deplorably Wired Phantom
