Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Government WhiteHats: Japanese Government Greenlights IoT Device Hack

A few months ago, I documented the rise of the GreyHat hacker as it relates to insecure IoT devices.  These devices are exploited by attackers to perform malicious activities including, but not limited to, DDoS attacks, crypto mining, DNS poisoning, credential theft, eavesdropping, and general mayhem.  The number of IoT devices on the internet has surpassed the human population on Earth and keeps growing rapidly every year.  In the race to cash in on this trend and roll out as many internet-connected devices as possible, many manufacturers do not take the time or spend the money required to properly secure them.  Mirai and many of its descendants rely on little more than hard-coded or weak credentials (think cisco/cisco) to infect and spread; later botnets such as Satori and Reaper added exploits for known but unpatched vulnerabilities on top of the same credential lists.  GreyHat hackers and governments alike are tired of feeling the effects of these malicious botnets and tired of waiting for manufacturers to take IoT security seriously, so they have taken matters into their own hands.

After the Mirai botnet source code was leaked online, dozens of copycat botnets have appeared

Last year, California passed the nation's first IoT security law.  Starting in 2020, IoT devices sold in California must not ship with a shared hard-coded default password: either each device gets a unique preprogrammed password, or the user must set a new password before the device can be used for the first time.  This new law is a great step toward keeping the internet free of vulnerable devices acting as attack infrastructure for a malicious master.  However, California is only one of fifty US states, and the US is only one of 195 nations, so the law covers a very small share of the world's population.  Legislation is typically a step in the right direction, but not the answer to all of the internet's problems.  Laws take a long time to pass, are often written by legislators who do not fully understand the technology, and rarely keep up with the pace of technological advancement.

Effects of the Mirai botnet attacking Dyn DNS

Since legislation is only part of the solution, greyhat hackers have taken it upon themselves to cure the internet of these vulnerable IoT devices.  Vulnerable IoT devices pose a serious problem to the internet at large by acting as the infrastructure needed to bring down companies or large sections of the internet.  

Last April, MikroTik released a patch for a critical vulnerability in the routers' management interface that allowed outside attackers to gain unauthorized access to the more than two million MikroTik routers in use around the world.  While MikroTik created and published a patch quickly, routers do not update themselves, and cybercriminals took full advantage of this to plant malware on MikroTik routers.  Observed payloads include cryptomining code injected into web pages passing through the router, DNS poisoning to steal banking credentials, TLS stripping for HTTP interception and injection, and remote access trojans (RATs).  Considering that MikroTik routers are most commonly used by consumers and by organizations without IT departments or information security staff, it is highly likely that most affected routers have not been updated, and data from Shodan appears to support this.  A Russian greyhat hacker going by the handle @router_os has been exploiting the same vulnerability to silently lock down the affected devices against further attack.  Rather than installing new firmware, he simply runs a script that adds basic firewall rules and blocks management access to the router from the outside, which is standard best practice.  At the time of writing, over 100,000 vulnerable routers have been modified this way.  Despite @router_os' good intentions, it is still illegal to access another person's equipment without their consent, and an owner who never learns that a stranger changed their router's configuration has no way of knowing what else was touched.

Vigilante botnets have also been created and released into the wild, leveraging the same hard-coded and weak credentials used by the malicious Mirai and Satori botnets.  The difference between the malicious and vigilante botnets is that the vigilante botnets carry no attack payload; they spread the same way, then close the doors behind them to prevent further exploitation.  The Hajime vigilante botnet uses the device's own iptables to block the Telnet port and a few other ports that Mirai-style worms target, while BrickerBot wipes an infected device's storage to permanently knock it offline (a technique called phlashing, or permanent denial of service).  Neither is a real fix: Hajime's firewall rules live only in memory and disappear at the next reboot, leaving the device with the same default credentials it started with, and Hajime itself remains a botnet whose unknown operator can push new code to every infected device at any time.

Hajime botnet displaying a message on devices with an external display

In an unprecedented move, the Japanese government recently approved a law allowing its National Institute of Information and Communications Technology (NICT) to hack into its citizens' vulnerable IoT devices.  While the move is being touted as a vulnerability scan, the NICT will be attempting to log in to private citizens' devices using lists of default and weak credentials, which is exactly how Mirai spreads and an action that is illegal in most of the world.  The state of vulnerable IoT devices on the internet has reached a tipping point in Japan: the government is willing to suspend traditional privacy protections in favor of cleaning up the Japanese internet prior to the 2020 Summer Olympic Games in Tokyo.  Their concern is well founded, as Russian hackers allegedly deployed the Olympic Destroyer malware prior to the opening ceremony of the PyeongChang Winter Olympics in South Korea, as payback for the International Olympic Committee banning hundreds of Russian athletes for doping.  The results of the "vulnerability scan" will be shared with ISPs, and end users will be notified if vulnerable devices are found.  At this time, the Japanese government has announced no intention of fixing the devices it finds; notification is left to the ISPs and remediation to the owners.

Olympic Destroyer malware contained possible false flags to make attribution more difficult
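The check NICT's survey performs is the same default-credential guessing that lets Mirai-style botnets spread (see above).  The following Python script is an added example, not NICT's or this blog's code: it tries a short, constructed list of factory credentials against a Telnet service and reports the first pair that yields a shell prompt.  A tiny fake Telnet device is embedded so it runs offline; the credential list, the BusyBox-style prompts and the loopback address are assumptions for illustration.  Run it only against equipment you own or are authorized to test.

```python
"""Default-credential audit over Telnet (added example, not NICT's or the
blog's own code). Only run this against devices you own or may test."""
import socket
import threading

# Constructed sample of factory credentials of the kind Mirai-style botnets
# guess (user, password). Real lists are far longer; these are assumptions.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("cisco", "cisco"),
    ("root", "xc3511"),
    ("admin", "1234"),
]


def _read_until(sock, markers, timeout=3.0):
    """Read from sock until one of the byte markers appears, EOF, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password):
    """Return True if user/password is accepted and a shell prompt appears."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        _read_until(s, [b"ogin:"])
        s.sendall(user.encode() + b"\r\n")
        _read_until(s, [b"assword:"])
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, [b"# ", b"$ ", b"ncorrect"])
    # A shell prompt with no failure message means the login worked.
    return (b"# " in reply or b"$ " in reply) and b"ncorrect" not in reply


def audit_device(host, port, credentials=DEFAULT_CREDENTIALS):
    """Try each credential pair on a fresh connection; return the first one
    accepted, or None if none works or the port is closed."""
    for user, password in credentials:
        try:
            if try_login(host, port, user, password):
                return (user, password)
        except OSError:
            return None  # connection refused/reset: nothing to audit
    return None


def _read_line(sock):
    return _read_until(sock, [b"\n"]).strip().decode(errors="replace")


class FakeTelnetDevice:
    """Constructed stand-in for an IoT device with a factory Telnet login,
    so the audit can be exercised offline. Prompts mimic a BusyBox shell."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))  # loopback, OS-chosen port
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            conn.sendall(b"\r\nlogin: ")
            user = _read_line(conn)
            conn.sendall(b"Password: ")
            password = _read_line(conn)
            if (user, password) == (self.user, self.password):
                conn.sendall(b"\r\nBusyBox v1.20.2 built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def close(self):
        self._srv.close()


if __name__ == "__main__":
    device = FakeTelnetDevice("root", "xc3511")
    print(audit_device("127.0.0.1", device.port))
    device.close()
```

Each credential pair gets its own connection because many embedded Telnet daemons drop the session after one failed login.  A device that answers with a prompt for any entry in such a list is exactly what NICT is looking for, and exactly what Mirai finds first.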

If I had a magic wand to fix the IoT vulnerability problem, my wish list would be as follows:

IoT security solutions wish list:

1. Devices manufactured without bugs or vulnerabilities

2. Disable remote management access by default

3. Top-down secure IoT platform

4. Hard coded passwords must be unique per device

5. Hard coded passwords that are not unique must be changed upon first use

6. Auto-update devices by default

7. Require digital signature for firmware and software updates

8. Firewall rules to close unnecessary ports

9. Web proxy to inspect traffic for malicious data, command and control traffic

10. RFC3514 (the April Fools' "evil bit" RFC)

I personally own several IoT devices, such as a Nest Thermostat and an Amazon Alexa-enabled device. As a best practice, these devices sit on a guest network (away from my NAS) with static IP addresses. Those static addresses are then given explicit ACLs on a next-generation cloud firewall and are only allowed to communicate with the servers associated with each device (Nest, Amazon, etc.). If any of these IoT devices is compromised, it can still only connect to the authorized destinations and cannot reach command and control servers.
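An added example (not the author's firewall configuration, nor any vendor's product) of auditing that segmentation policy: a Python script that parses constructed iptables-style log lines from the guest network and flags any flow from an IoT device to a destination or port outside that device's allow-list.  The device addresses, the vendor address ranges (the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 stand in for the real Nest and Amazon endpoints) and the log lines are all made up.

```python
"""Egress allow-list check for segmented IoT devices (added example, not the
blog author's firewall configuration). Flags flows from a policed device to
any destination/port outside that device's allow-list."""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed policy: static IoT address -> vendor ranges/ports it may reach,
# plus DNS and NTP on the router. The vendor ranges are documentation
# prefixes standing in for the real vendor endpoints.
IOT_POLICY = {
    "192.168.50.10": {
        "name": "thermostat",
        "allow": [("203.0.113.0/24", 443), ("192.168.50.1", 53), ("192.168.50.1", 123)],
    },
    "192.168.50.11": {
        "name": "voice-assistant",
        "allow": [("198.51.100.0/24", 443), ("192.168.50.1", 53), ("192.168.50.1", 123)],
    },
}

# iptables LOG-style records; DPT is absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dport>\d+))?"
)


def parse_flow(line):
    """Extract (src, dst, dport, proto) from a log line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport")) if m.group("dport") else None
    return Flow(m.group("src"), m.group("dst"), dport, m.group("proto"))


def is_allowed(flow, policy=IOT_POLICY):
    """True only if flow.src is a policed device and dst/port is on its list.
    Anything without a matching entry (including ICMP, which has no port)
    is treated as denied, mirroring a default-deny ACL."""
    device = policy.get(flow.src)
    if device is None:
        return False
    dst = ipaddress.ip_address(flow.dst)
    return any(
        dst in ipaddress.ip_network(net) and flow.dport == port
        for net, port in device["allow"]
    )


def find_violations(lines, policy=IOT_POLICY):
    """Return [(device name, Flow)] for every policed-device flow that the
    allow-list would not permit; hosts not in the policy are ignored."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.src not in policy:
            continue
        if not is_allowed(flow, policy):
            violations.append((policy[flow.src]["name"], flow))
    return violations


# Constructed log excerpt: three legitimate vendor/DNS flows, then a voice
# assistant reaching the thermostat vendor's range, a thermostat trying
# Telnet and ICMP to an unknown host, and a non-IoT guest that is not policed.
SAMPLE_LOG = """\
kernel: IN=guest OUT=wan SRC=192.168.50.10 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51002 DPT=443
kernel: IN=guest OUT= SRC=192.168.50.10 DST=192.168.50.1 LEN=60 PROTO=UDP SPT=40001 DPT=53
kernel: IN=guest OUT=wan SRC=192.168.50.11 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51003 DPT=443
kernel: IN=guest OUT=wan SRC=192.168.50.11 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51004 DPT=443
kernel: IN=guest OUT=wan SRC=192.168.50.10 DST=192.0.2.99 LEN=60 PROTO=TCP SPT=51005 DPT=23
kernel: IN=guest OUT=wan SRC=192.168.50.10 DST=192.0.2.99 LEN=84 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=guest OUT=wan SRC=192.168.50.50 DST=192.0.2.99 LEN=60 PROTO=TCP SPT=51006 DPT=8080
""".splitlines()


if __name__ == "__main__":
    for name, flow in find_violations(SAMPLE_LOG):
        print(f"{name}: {flow.src} -> {flow.dst}:{flow.dport} {flow.proto}")
```

Running this over the sample excerpt reports the voice assistant contacting the wrong vendor's range and the thermostat's Telnet and ICMP attempts to an unknown host; the unpoliced guest host is ignored.  The same allow-list, expressed as firewall rules, is what actually stops those flows; the script is for checking that the rules you wrote match the policy you intended and for spotting a device that has started behaving like a bot.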

While a dismal picture has been painted for IoT security, not all is lost. Protecting IoT devices is akin to guarding a screen door. Until there is a standard to secure and securely update IoT devices, security practitioners will be fighting an uphill battle.

IoT: The S stands for Security
