Lock It Down or Get Bricked
This topic has 23 replies, 6 voices, and was last updated 8 years, 11 months ago by Richard.
April 7, 2017 at 7:48 am #5921
According to Ars, it appears that a vigilante is bricking all badly secured IoT or Linux devices that it can find. If your camera, Pi, etc. are using the manufacturer's default password, then you risk having the device bricked in the near future.
April 7, 2017 at 9:25 am #5922
This is an ethical mind f+*k
It’s bad, but could ultimately be a good thing. Maybe? I really don’t know how I feel about it.
Probably won’t change a thing… But it may.
April 7, 2017 at 9:41 am #5923
That explains the email from Ubiquiti on March 20th.
Ubiquiti takes network security very seriously and has fixed the authenticated command injection vulnerability for all affected products: airMAX, airGateway, TOUGHSwitch, and airFiber; please upgrade the firmware for your devices. Please update the firmware of your devices to the version listed below.
(UniFi, EdgeMAX, and AmpliFi products are not affected)
April 7, 2017 at 1:45 pm #5924
That has wow factor. :wacko:
April 7, 2017 at 5:58 pm #5936
This is an ethical mind f+*k It’s bad, but could ultimately be a good thing. Maybe? I really don’t know how I feel about it. Probably won’t change a thing… But it may.
I agree with you, Steve. If the right people heard about it and took action then it would be good, but the ones who need to know would probably not understand either the issue or how to deal with its implications, so I agree with you it probably won’t change a thing.
Is there ever a good reason why mass-market items should expose their admin interface by default? I nearly said "ever". Perhaps it should be made hard to open it up so that the user would have to search it out and be motivated enough to make some security efforts. Sadly, cheap and nasty always wins. I saw that a ‘personal toy item’ had similar public-facing issues; why have a camera and mic on something like that and compound the issue with an open-access doorway?
April 7, 2017 at 8:16 pm #5951
Richard, there are easy ways to fix this issue. I have seen some IoT hardware open on the set Admin password and refuse to go any further until a new Admin name and new password were set. Sadly the Chibay stuff comes with set passwords that are hard to change, and even the Raspberry Pi does not enforce security.
A first log-on script could easily make that password 8+ characters including lower and upper case plus a number and a special character. Or ask some simple questions and turn it into a password for the user.
April 7, 2017 at 8:34 pm #5953
That’s exactly what Hikvision kit does. You cannot use it until you’ve set a strong password.
New cameras can be attached to a DVR which then authenticates them with its own password, but that password is then the camera’s password if you remove it from the DVR as a standalone.
A lot of the DVRs now have an Android-like pattern unlock option too for local login.
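As an added illustration of the first-login enforcement described in the two posts above (the "refuse to go further until a new password is set" behaviour and the 8+/upper/lower/digit/special rule), here is a small POSIX sh gate. It is example code written for this thread, not Hikvision's or Raspberry Pi's own; the marker file path and the default-password blocklist are assumptions.

```sh
#!/bin/sh
# Added example: a first-login password gate for a small Linux board.
# Implements the rule from the post above: at least 8 characters with at
# least one lower-case letter, one upper-case letter, one digit and one
# special character, and refuses well-known factory defaults.

# Constructed blocklist of factory defaults (extend from your own inventory).
# Space-separated so it works in plain POSIX sh without arrays.
DEFAULT_PASSWORDS="password admin 12345678 raspberry"

# check_password_policy CANDIDATE -> 0 if acceptable, 1 with a reason on stderr.
check_password_policy() {
  pw="$1"
  for d in $DEFAULT_PASSWORDS; do
    if [ "$pw" = "$d" ]; then
      echo "rejected: well-known default password" >&2; return 1
    fi
  done
  if [ "${#pw}" -lt 8 ]; then
    echo "rejected: fewer than 8 characters" >&2; return 1
  fi
  case "$pw" in *[a-z]*) ;; *) echo "rejected: no lower-case letter" >&2; return 1;; esac
  case "$pw" in *[A-Z]*) ;; *) echo "rejected: no upper-case letter" >&2; return 1;; esac
  case "$pw" in *[0-9]*) ;; *) echo "rejected: no digit" >&2; return 1;; esac
  case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "rejected: no special character" >&2; return 1;; esac
  return 0
}

# first_login_gate USER: meant to be sourced from a root-run login hook on
# first boot. Keeps prompting until a compliant password is supplied, sets
# it, then removes the marker so the gate never runs again.
# Assumed marker path, created by the image build: /etc/first-login-pending
first_login_gate() {
  user="$1"; marker="/etc/first-login-pending"
  [ -f "$marker" ] || return 0
  while :; do
    printf 'Set a new password for %s: ' "$user"
    stty -echo; read -r candidate; stty echo; echo
    check_password_policy "$candidate" && break
  done
  printf '%s:%s\n' "$user" "$candidate" | chpasswd && rm -f "$marker"
}
```

In practice you would pair this with `chage -d 0 USER` in the image so the login itself expires the factory password, and let pam_pwquality enforce the same rule for later changes.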
April 7, 2017 at 9:11 pm #5958
It’s not really a problem. “Normal” tech users don’t use Linux. Those that do don’t use generic passwords.
Arch Linux, on a Ryzen 7 1800X, 32 GB, 5 (yes -5) HDs inc 5 SSDs, 4 RPi 3Bs + 1 RPi 4B - one as an NFS server with two more drives, PiHole (shut yours), Plex server, cloud server, and other random Pi stuff. Nice CoolerMaster case, 2 x NV GTX 1070 8GB, and a whopping 32" AOC 1440P monitor.
April 7, 2017 at 10:15 pm #5963
It’s a huge problem. The Linux we’re talking about is embedded and internet-facing.
It’s always been a worry that the cheap end of IoT would go this way, but until relatively recently even premium kit had generic authentication credentials.
Then you get exploits in even properly locked-down kit like the Ubiquiti AirMax kit used in the attacks.
April 8, 2017 at 4:38 am #5964
“IoT users who don’t want to change default passwords and close or limit access to telnet and SSH out of concern they’ll be used in crippling attacks against others now have a much more self-interested reason for locking down their devices—preventing them from being bricked.”
There’s the problem, not the devices, but the users. As I said, if users actually did the smart things, not a problem.
April 8, 2017 at 8:26 am #5965
Actually Dan, there is a hardware problem caused by eLinux and the hardware manufacturers. A lot of the cheap Chibay devices use a years-old version of eLinux pre-burned onto a SoC; why they do not update I don’t know, but I suspect version control of their own firmware is an issue. Why these little devices do not auto-update is yet another issue, but there are practical limitations to a hardware format that is built around SD cards as storage. This thread discusses some of the practical difficulties of trying to implement an auto-update regime.
The net result is that the first line of defence is thrown at the user, often without them even knowing that they have the problem. So I guess you could paraphrase the problem as Linux being too complicated for the average user, and they should not be allowed to even use a router without sitting through a training course. :wacko:
April 8, 2017 at 8:54 am #5966
I think Dan’s on the Linux defensive. Nobody is blaming Linux; everyone is blaming the OEMs. As Ed argues, it’s hard to blame the user. Having said that, there was an exploit used in the Ubiquiti attacks and that is not cheap Taiwanese crap. It just shows that nothing is invulnerable.
As for auto-updating, I have been reading in this month’s PC Pro about VirtualBox breaking after Linux updates in ways that Windows doesn’t. Ironically it’s because Linux is the “better” o/s model and VB has to rely on it heavily, whereas with Windows it has to provide a lot of its own “drivers”. The argument again is that this is all VB’s fault and not Linux, but if the likes of VB can’t manage it, what chance is there of the cheap jacks doing it?
The problem with consumer kit is it needs to be extremely robust in all respects and that’s hard enough to achieve with managed kit. Add to that the pressure to make it cheap and you get where we are now.
April 8, 2017 at 8:56 am #5967
Richard, there are easy ways to fix this issue. I have seen some IoT hardware open on the set Admin password and refuse to go any further until a new Admin name and new password were set. Sadly the Chibay stuff comes with set passwords that are hard to change, and even the Raspberry Pi does not enforce security. A first log-on script could easily make that password 8+ characters including lower and upper case plus a number and a special character. Or ask some simple questions and turn it into a password for the user.
Yes, I totally agree, and more places and items are doing that with a one-time password that only allows you to go to update; it is a pain for rushing first-timers, but sensible for others. What I really quibble about is why the command interface is so easily accessed to allow ‘serious updates and modifications’ to be dropped in. I guess that there is not too much that can be done with cheap camera devices, so they do not see any point in doing a respectable job; this is the Chibay-junk marketer's dream, stuff in a nutshell, all show, no go. Perhaps there is also a bit of ‘wow, it works’ involved without thinking through the constantly emerging new threat opportunities.
Edit:
I read some of the other posts. The use of SoC chips from old generations with severely limited fixed capabilities is an almost uncorrectable problem; should these devices really be let loose without some guardhouse function interfacing them to the rest of the world? Many of them are very cheap devices right out of their depth in today’s world of threats and ever-changing menaces. I am starting to think that some form of minimum construction standards might need to be set, as there are with electrical devices, cars, trucks, etc.
If governments cannot bring themselves to do something, I can see the likes of the insurance industry starting to take a look via liability clauses and the like: do this, or introduce that, and your cover is blown.
April 8, 2017 at 9:39 am #5971
… should these devices really be let loose without some guardhouse function interfacing them to the rest of the world? Many of them are very cheap devices right out of their depth in today’s world of threats and ever-changing menaces. I am starting to think that some form of minimum construction standards might need to be set, as there are with electrical devices, cars, trucks, etc. If governments cannot bring themselves to do something, I can see the likes of the insurance industry starting to take a look via liability clauses and the like: do this, or introduce that, and your cover is blown.
Richard, the problem is that the horse has already bolted. There are literally hundreds of millions of routers, intelligent switches, TVs, microcomputers, IP cameras — you name it; almost anything with a vestige of intelligence that is already in daily use. Most of these devices are operated in complete ignorance that they have a cheap eLinux SoC at their heart. Many indeed have no obvious way to root them and change the manufacturer-assigned password. Contrary to your dissertation that things are too easy to change, I believe that these ‘idiot-user-hidden’ devices are in fact the really dangerous ones, as those with evil intent (be they Mafia or nation states) have deep pockets to develop hacking attacks, and unalterable Admin/admin name/password combinations are as common as muck.
I fear that many of these devices are sitting in MoD (or equivalent) facilities just awaiting the remote activation code telling them to crash & burn. As a country a stupid penny-pinching tech-ignorant Government sold-off our secure chip manufacturing industry years ago. I shudder to think just how many defence components now contain Chinese-made SoCs.
April 8, 2017 at 12:28 pm #5973
I am convinced; they are crap, and for that reason I have never wanted the rubbish devices. I still wonder why so many are designed to require full internet access without thoughtful controls. They conform not to IoT, but IDIOTIC (Internet Direct Integration of Threats Including Chaos).
Why continue to allow the sale of second rate rubbish with such known troubles for now and probably increasingly for the future?
April 8, 2017 at 1:27 pm #5974
Because the people with the power to stop it are clueless about such things.
Bear in mind that governments want even less security so they can protect us from pedophiles and terrorists.
April 8, 2017 at 1:43 pm #5975
Because the people with the power to stop it are clueless about such things. Bear in mind that governments want even less security so they can protect us from pedophiles and terrorists.
Do you think that stuffing the internet full of IDIOTIC devices will help anyone, including conspiracy theorists? The IDIOTIC devices are irrelevant to almost everyone, except the rubbish sellers.
However did the world manage before encryption from Whatcrap? Better?
April 8, 2017 at 3:19 pm #5980
Because the people with the power to stop it are clueless about such things. Bear in mind that governments want even less security so they can protect us from pedophiles and terrorists.
+1 – Unfortunately, governments have been at the leading edge of ensuring that PCs and IoT devices have less than stellar intrusion-proofing. Even now we cannot scan for malware that uses certain vulnerabilities which are also in use by governments or police forces. A/V companies agree (or are forced) to whitelist these, even while the same exploits are being used by crooks.
Some of the most dangerous of the Linux exploits follow unexplained kernel alterations; for example, the numerous unexplained Cisco OpenSSH vulnerabilities that have compromised countless routers give more than ample grounds for suspicion with respect to their origins.
The problem is that the IoT encompasses a broad range of electronic equipment. The items include not just the (cretinous) IP-camera-enabled vibrator and talking toys, but now cover devices without which the modern world would barely function, e.g. all routers and intelligent switches, hospital/healthcare, ECUs in cars, industrial automation and so on. The list is endless. (link to examples).
Although your original point on the need for security was well-made, it is just too late. For good or ill the genie is out of the bottle. All we can hope is that the next generation of SoCs learns these security/update lessons and that the evil, stupid barstewards in Governments do not compromise such moves through their desires to snoop on everything the public does.
April 8, 2017 at 4:34 pm #5981
The world didn’t do online banking and shopping before encryption.
Encryption units for use with voice calls are easily obtainable, both landline and mobile.
It’s another genie out of the bottle. You can force the big boys to compel via legislation, but to what end? It’d be playing whack-a-mole like so much internet related is. Making it illegal won’t stop the bad boys.
April 8, 2017 at 5:01 pm #5984
… Making it illegal won’t stop the bad boys.
Unfortunately this applies to every facet of Modern communications – the really ‘bad boys’ are funded by the oil sheiks and/or criminal activities. As a result they have deep pockets to fund research into ways to evade Government surveillance. The only ones ‘caught’ are the relatively innocent, and the consequence is that the Government wastes megabucks on processing irrelevant dross.