How Millions of Digital Home Devices Are Secretly Powering Cyberattacks (yahoo.com)
The Wall Street Journal reports on internet-connected devices — and how every year millions of them "can contain a secret digital backdoor that opens up access to your home internet, so that anyone... can surf the web as if they were you." (And this is especially true for "knockoffs that you buy online"...)
In a video report this week they tested two digital picture frames from Amazon and three streaming devices from Walmart "because we heard that they often ship with backdoor software used in cyberattacks. Security experts believe manufacturers are being paid to add this malware, but many people also get tricked into downloading the software onto their phones or computers... Within minutes of turning the devices on, there was a surge of internet traffic... Visits to gambling, porn, cryptocurrency and loads of other sketchy web sites started pouring in from users around the world." (And remote visitors also tried to access Outlook and Gmail accounts...)
Residential proxy companies even rent out access to "tens of millions of home networks around the world," according to the report. "But the problem is actually worse than that. Hackers figured out a way to seize control of these backdoors, and they started taking over these residential networks. Last month authorities arrested a 23-year-old Ottawa man, saying he'd taken control of more than a million devices to launch some of the largest cyberattacks anyone had ever seen."
After a couple of months the Journal's reporter collected logs of all the traffic and sent them to an investigator at Comcast, who said both kinds of device were conducting DDoS attacks. Estimates of the number of infected devices range from as low as tens of millions to as high as 500 million-plus. "We've seen nation state attacks launched through these kind of endpoints, which means your device sitting in your house is part of a nation state attack against another nation state... We've seen ad fraud, we've seen ticket scalping, we've seen financial fraud."
But more importantly, "We have seen some of the largest computer attacks — meaning computers attacking other computers at human request — ever recorded in our digital history in the last several months." At cybersecurity conferences, some are warning "there are much larger ones on the horizon if we don't get a hold of this problem."
The company making the picture frame "couldn't be reached for comment," while Amazon said it's been out of stock since last year. Both Amazon and Walmart said they take action when they confirm malware on a third-party product.
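The pattern the report describes is visible from a home router's connection log: a picture frame or streaming stick that, minutes after power-on, starts relaying connections for "users around the world" to dozens of unrelated hosts on web and mail ports, or hammers one host with hundreds of near-empty sessions, or keeps talking to remote addresses while the owner thinks it is off. The script below scores each LAN device on exactly those signals. It is an added example, not code from the Journal, Comcast, Amazon or Walmart; the CSV log format, the thresholds and the sample records (TEST-NET addresses) are assumptions made for illustration.

```python
"""Flag LAN devices whose connection history looks like a residential proxy
or DDoS node. Added example; not the report's or any vendor's tooling.
Log format (assumed): ts,device,dst,dport,bytes_out,bytes_in per line."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One outbound connection as a router might export it (assumed schema)."""
    ts: int        # epoch seconds at connection start
    device: str    # LAN host name or MAC
    dst: str       # remote IPv4/IPv6 address
    dport: int
    bytes_out: int
    bytes_in: int


@dataclass
class Verdict:
    device: str
    distinct_dsts: int
    distinct_ports: int
    idle_flows: int          # connections made while the owner said it was idle
    max_flows_one_dst: int   # tiny sessions to the single busiest destination
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_flow(line: str) -> Flow:
    """Parse one CSV record; raises ValueError on a malformed address or count."""
    ts, device, dst, dport, b_out, b_in = (f.strip() for f in line.split(","))
    ip_address(dst)  # reject garbage before it reaches the counters
    return Flow(int(ts), device, dst, int(dport), int(b_out), int(b_in))


def analyse(
    flows: list[Flow],
    idle_windows: dict[str, list[tuple[int, int]]] | None = None,
    *,
    dst_limit: int = 25,     # a frame or stick should talk to a handful of vendor hosts
    port_limit: int = 4,     # ...on a couple of ports (443, maybe 80 and 123)
    flood_limit: int = 200,  # many near-empty sessions to one host reads as a flood
    flood_bytes: int = 200,  # "near-empty" means fewer bytes than this in total
) -> dict[str, Verdict]:
    idle_windows = idle_windows or {}
    by_dev: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_dev[f.device].append(f)

    verdicts: dict[str, Verdict] = {}
    for dev, fl in by_dev.items():
        dsts = {f.dst for f in fl}
        ports = {f.dport for f in fl}
        windows = idle_windows.get(dev, [])
        idle = sum(1 for f in fl for lo, hi in windows if lo <= f.ts <= hi)
        tiny = Counter(f.dst for f in fl if f.bytes_out + f.bytes_in < flood_bytes)
        top_dst, top_n = (tiny.most_common(1) or [("", 0)])[0]
        v = Verdict(dev, len(dsts), len(ports), idle, top_n)
        if len(dsts) > dst_limit:
            v.reasons.append(f"proxy-like fan-out: {len(dsts)} distinct destinations")
        if len(ports) > port_limit:
            v.reasons.append(f"proxy-like port spread: {sorted(ports)}")
        if idle:
            v.reasons.append(f"{idle} connections while the owner marked it idle")
        if top_n > flood_limit:
            v.reasons.append(f"flood-like: {top_n} tiny sessions to {top_dst}")
        verdicts[dev] = v
    return verdicts


def sample_log() -> list[str]:
    """Constructed records on TEST-NET ranges, not captured traffic."""
    lines = []
    # Thermostat: two vendor hosts on 443 every five minutes. Benign.
    for i in range(12):
        lines.append(f"{1_700_000_000 + i * 300},thermostat,198.51.100.{1 + i % 2},443,900,1200")
    # Picture frame: sixty unrelated hosts on web, mail and proxy ports within five minutes.
    ports = [80, 443, 993, 587, 8080]
    for i in range(60):
        lines.append(f"{1_700_000_000 + i * 5},frame,203.0.113.{1 + i},{ports[i % 5]},4000,52000")
    # Streaming stick: 300 empty sessions to one host, then beacons while the TV is off.
    for i in range(300):
        lines.append(f"{1_700_000_000 + i},stick,192.0.2.10,80,60,0")
    for i in range(5):
        lines.append(f"{1_700_050_000 + i * 600},stick,192.0.2.99,443,300,300")
    return lines


# Assumed: the owner says the stick was off during this window.
IDLE_WINDOWS = {"stick": [(1_700_040_000, 1_700_060_000)]}


def run(lines: list[str], idle_windows: dict[str, list[tuple[int, int]]]) -> dict[str, Verdict]:
    return analyse([parse_flow(l) for l in lines], idle_windows)


if __name__ == "__main__":
    for v in run(sample_log(), IDLE_WINDOWS).values():
        print(f"{v.device:<11}{'SUSPICIOUS' if v.suspicious else 'ok':<11}{'; '.join(v.reasons)}")
```

The thresholds are the whole argument: a single-purpose consumer device has a small, stable set of endpoints and ports, so fan-out across dozens of hosts or mail-submission ports is the anomaly, not any one address. Run it over a week of real exports rather than minutes, and feed the idle windows from whatever you already know (TV off, house empty) so the "talks while off" signal is meaningful.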
IoT SSID (Score:5, Informative)
Needs to be easier for end users to create IoT VLANs with default restrictions. I am getting to the point where I want to segment my IoT VLAN into different trust zones. Unfortunately there is some crap that has to sit in the "Guest" VLAN (which doesn't address the concern in TFS), but mostly I try to eliminate such products.
Re: IoT SSID (Score:1)
Apple had a decent enough solution with their certification for routers for Apple Home being able to restrict how such devices behaved after end of support. But I remember only two or so routers that actually had that cert and at least one stopped getting firmware updates six years ago or something.
Re: (Score:2)
The basics are pretty easy to guide someone through, but the maintaining and dealing with tuning what traffic can go to trusted networks gets pretty complicated (especially with IPv6, at least for me). I have a few lazy cop-outs (HomeAssistant server has two interfaces (IoT and LAN) rather than being in its own VLAN with traffic rules to address specific ports and applications). (At one point I had a server VLAN that it sat in, but it has different needs than Influx or the PiHole or the NAS.)
Re:IoT SSID (Score:4, Informative)
Despite having OPNsense as my router and a managed switch, for some reason I never considered separating things on my local LAN subnet until I was working on a remote backup PBS server I was going to put in my daughter's home and wanted it to VPN into my home by default, but I didn't want it to end up on my home subnet. Out came a separate subnet for a DMZ with no access to anything except me being able to access it. Once I did that, I ended up setting up a guest WiFi VLAN, a second VPN subnet for remote access instead of SSH, and a separate VLAN for stuff like Roku which don't do anything but access the internet.
To be honest, doing the whole thing was somewhat easier than I thought, but nowhere near what a casual, non-technical user would be able to do. The problem is that without an actual VLAN implementation, a "guest" SSID is not ironclad. It just takes more equipment and more know-how to separate things for casual users.
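One concrete shape for the "separate VLAN for stuff like Roku which don't do anything but access the internet" described above: an ordered, first-match egress policy for the IoT VLAN, checked against sample flows and rendered as an nftables ruleset. This is an added example, not the commenter's configuration and not anything shipped by OPNsense; the interface name, the subnets, the router address and the list of permitted services are assumptions.

```python
"""Ordered, first-match egress policy for an IoT VLAN plus an nftables
rendering of it. Added example (not a commenter's or OPNsense's config);
interface name, subnets, router address and permitted services are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "accept" or "drop"
    dst: str           # CIDR, bare address, or "any"
    proto: str         # "tcp", "udp" or "any"
    port: int | None   # destination port, or None for every port
    note: str


ROUTER = "10.20.0.1"  # assumed: the router's address on the IoT VLAN
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Order is the policy. Router services are accepted *before* the blanket
# private-range drops; the other way round, DNS and NTP to the router die too.
IOT_EGRESS: list[Rule] = [
    Rule("accept", ROUTER, "udp", 53, "DNS only via the router, so lookups can be logged and filtered"),
    Rule("accept", ROUTER, "udp", 123, "NTP via the router"),
    *(Rule("drop", net, "any", None, "no path into other internal subnets") for net in RFC1918),
    Rule("accept", "any", "tcp", 443, "HTTPS to the internet"),
    Rule("accept", "any", "tcp", 80, "plain HTTP for firmware updaters that insist on it"),
    Rule("drop", "any", "any", None, "default deny: no SMTP/IMAP, no proxy ports, no P2P"),
]


def match(rules: list[Rule], dst: str, proto: str, port: int) -> Rule:
    """Return the first rule matching (dst, proto, port). The last rule must be terminal."""
    addr = ip_address(dst)
    for r in rules:
        if r.dst != "any" and addr not in ip_network(r.dst, strict=False):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r
    raise ValueError("policy has no terminal rule")


def allowed(rules: list[Rule], dst: str, proto: str, port: int) -> bool:
    return match(rules, dst, proto, port).action == "accept"


def render_nft(rules: list[Rule], iface: str = "vlan20") -> str:
    """Emit a forward chain that polices only traffic entering from the IoT interface."""
    out = [
        "table inet iot_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname != "{iface}" accept  # LAN may reach IoT; other VLANs keep their own policy',
    ]
    for r in rules:
        parts = []
        if r.dst != "any":
            parts.append(f"ip daddr {r.dst}")
        if r.port is not None:
            parts.append(f"{r.proto} dport {r.port}")
        elif r.proto != "any":
            parts.append(f"meta l4proto {r.proto}")
        out.append("    " + " ".join(parts + [r.action]) + f"  # {r.note}")
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nft(IOT_EGRESS))
    for dst, proto, port in [("203.0.113.5", "tcp", 443), ("203.0.113.5", "tcp", 587),
                             ("10.10.0.5", "tcp", 445), ("8.8.8.8", "udp", 53)]:
        print(f"{dst}:{port}/{proto} -> {match(IOT_EGRESS, dst, proto, port).action}")
```

Two things this policy does not do. Traffic between two devices on the same VLAN never crosses the router, so a compromised frame can still scan its neighbours unless the access point enforces client isolation. And it only covers what the device initiates; the inbound side (whether your LAN can reach the IoT VLAN at all, and on which ports) is a separate rule set. The same ordering logic applies in the OPNsense rule editor, where rules are also evaluated top to bottom with first match winning.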
Re: (Score:2)
A simple solution for the Roku example is to use HomeAssistant or similar to connect and control.
A searchable list? (Score:5, Insightful)
Re:A searchable list? (Score:5, Informative)
No, it's easier to just post a fear-mongering article with no real substance. You can't have people actually *knowing* what tech is compromised or anything.
Re: (Score:2)
The problem is that it varies a lot. And basically it comes down to names - things that require internet access especially.
Things like streaming boxes - if you buy one of those questionable boxes at the mall that claim "never pay for cable again" and such, whilst offering full access to paid content, those may or may not come with a side helping of a VPN endpoint. But it's hard to say because the
Voluntary problems are deserved problems. (Score:2)
I do not use Internet of Trifles junk anywhere on my network for what does not exist is not available for exploitation.
Craving such fecality is pathetic and any consequences deserved because they were invited.
Wishful thinking (Score:5, Interesting)
I periodically go through my network and enumerate every single device. Things like a picture frame do not get internet access. If a smart plug or light or other IoT device needs net, I won't buy it. My TVs don't get internet; they are either on a Roku or a Linux computer. Connected TVs send "home" screen shots. Roku can only scrape what I watch through them, so no need to take a screen shot anyway. I had an Amazon Fire TV Cube with a third party network dongle to get better bandwidth than WiFi. The dongle kept connecting to Chinese IPs, even when the TV was off for days. That's when I started locking things down. That dongle went in the trash.
If only more people were so nerdily inclined, this would be less of a problem. I wish.
Re: (Score:1)
Millions of customers do not care. Some time ago the Fire Sticks started to do more things in the background when you are not watching anything. Literally millions of people have them plugged in 100% of the time. Almost nobody knows. I wonder if someone has already found out what exactly Amazon has changed.
Re: (Score:2)
The big problem is it's easy to make a device that looks for open WiFi networks in order to connect to the mothership. This is made even easier by the fact that a lot of modern WiFi routers allow for WPS, which often lets you connect without having to enter a password. Sure you can disable it on your side... but what about your neighbours?
Short term solution is not to buy devices that have Wifi built in (I'm looking for a new washing machine and it looks like I'm limited to the cheap models), long term s
News for nerds (Score:2)
Welcome to 1995.
Re: (Score:2)
Does that have to be in English? Is Chinese permissible?
This is easy to fix (Score:1)
This is easy to fix.
We need an enforced standard demanding all traffic that does not have to be encrypted (e.g., anything other than payment details or PII) be visible to the person using or paying for the computer.
Home users could actually see what traffic is being sent over their home networks.
Right now, device manufacturers encrypt things like "The refrigerator's average temperature has been 40 degrees F, and the door opened 20 times in the last 48 hours." These manufacturers pay fake consumer rights act
Re: (Score:1)
I have no problems with your suggestion.
I can predict that some of those IP addresses will change, and that will be annoying.
Re: (Score:2)
It should also help get manufacturers to stop trying to hardcode IPs in their firmware. Dumb idea, or at least stupidly-over-optimistic in the assumption that the IP will never change.