Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Botnet Security The Internet

Ask Slashdot: Is My IoT Device Part of a Botnet? 279

As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised: There has been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Is My IoT Device Part of a Botnet?

Comments Filter:
  • How do you know? (Score:5, Insightful)

    by Pikoro ( 844299 ) <init@NOSPAM.init.sh> on Monday September 26, 2016 @03:36AM (#52960915) Homepage Journal

    If it's connected to the internet directly, and it has no built in security apart from "admin" "password", it's part of a botnet or soon will be.

    • by JaredOfEuropa ( 526365 ) on Monday September 26, 2016 @04:27AM (#52961061) Journal
      Especially if that password
      - Is a default password that is the same for every device sold (these days a lot of equipment ships with unique random passwords)
      - Isn't changed by the user during setup
      - Can't be changed by the user. (What the hell, OpenElec?)
      • Openelec's entire file system is read only. Given the difficulty of installing something to the image when you want to, the potential for it to be easily and automatically owned by is very low.

        • by Shoten ( 260439 ) on Monday September 26, 2016 @09:10AM (#52961859)

          Openelec's entire file system is read only. Given the difficulty of installing something to the image when you want to, the potential for it to be easily and automatically owned by is very low.

          This is not a real thing...a device whose total storage capacity is read-only. Let's look at why.

          One: if it's all read-only, it can't have a variable password...accounts and passwords need to be hardcoded, because there's no way to store new or changed account information.

          Two: if it's at all configurable, you have the same problem: where do you store the configs?

          Three: guess what else you can't have if your file system is read-only? Software updates.

          Four: let's call a spade a spade here. A more accurate way to make the claim...regardless of how infeasible it would be for any device of significant functionality...is to say this: "Openelec's entire file system is meant to be read only." An innate characteristic of most security flaws is that they permit something that is not intended. It's important to not assume that intended functionality is inevitable and invulnerable. And in this case, that "read only" capability is nothing more than Linux permissions...it's not that the OS invariably is incapable of granting write permissions. In fact, all kinds of things are writing to the file system, I would bet...information about drive mounting, accounts, etc. The file system is not inherently read only.

          Assuming that system behavior when used in its intended fashion is also what happens when someone breaks the rules is the root of most security failures.

          And now, a citation, called "squashfs howto - make changes the read-only filesystem in OpenELEC"

          https://sites.google.com/site/... [google.com]

          • Re:How do you know? (Score:5, Interesting)

            by Solandri ( 704621 ) on Monday September 26, 2016 @12:14PM (#52963061)
            I've been saying for over a decade now that at least one storage device on the computer should have a physical read-only switch. Some kind of jumper which needs to be moved, or a switch on the motherboard which needs to be physically flipped, before you can write to the device. The main OS could be stored there, while logs, configs, temp files, etc. stored on a different storage device. Security flaws like a buffer overflow would still allow access to some memory, but it'd be impossible to exploit it to modify the system to give you full root access upon reboot.

            That's the way things were in the 1970s and early 1980s, when RAM was incredibly expensive so the programming for most embedded systems was stored in ROM, using RAM only for operational data. I've only seen one modern embedded system function this way - you stored the OS on a SD card with the write-protect switch flipped, and used a second SD card for data storage.
        • Given the difficulty of installing something to the image when you want to, the potential for it to be easily and automatically owned by is very low.

          Viruses and worms can run just fine from RAM. Discovery may be slow, but once you find a vulnerable system with a read only filesystem, you have it report its IP to a C&C node, then re-infect it whenever you need it.

        • by jcdr ( 178250 )

          It's possible to remount a file system with new permissions. See the details here:
          https://www.gnu.org/software/l... [gnu.org]
          Or to mount it in a other folder with different permissions.
          Or to directly access the partition under /dev/sda1.

          To make a read-only file system work as expected you have to use a hardware way to prevent writing to the memory. For example NOR SPI flash memory usually have a write protection pin. Of course that pin must be protected against unwanted operation that could drive it. In that case you

      • by Zocalo ( 252965 ) on Monday September 26, 2016 @08:13AM (#52961587) Homepage

        these days a lot of equipment ships with unique random passwords

        True, but more often than not it's derived from the MAC address (probably programmatically on boot with a defaulted config so they don't have to program each device in the factory) which is an absolutely horrible idea for WiFi enabled devices. If a (l)user sees an apparently random string of hex, conveniently also printed onto a sticker on the box so they don't have to remember it, it's a pretty safe bet that they are going to think it's secure and, quite possibly, not something they should change because that sticker looks important. Not a major problem for someone connecting over the Internet (although if they can ID the device make/model, they've got the OID and hugely reduced the brute force effort), but a serious issue if someone happens to be coming in over your WiFi and can connect directly.

        ALWAYS change your default password, and the username too, if it'll let you.

      • Anyone who thinks this is a password problem either doesn't have many IoT devices in their homes, or was into IoT at the very beginning, and doesn't know how current devices work. I have close to 30 IoT devices in my home and have only had to deal with a password once, and that was for a cloud-based lightbulb that is so old it's no longer made.

        IoT devices for the home these days never expose the user to the password. They generally scan a QR code on the device itself or connect through a wireless connecti

    • by hcs_$reboot ( 1536101 ) on Monday September 26, 2016 @04:40AM (#52961093)
      Just install Norton AV on it, and add McAfee to be sure. Then, even a botnet wouldn't want to anymore run on that device
      • by Applehu Akbar ( 2968043 ) on Monday September 26, 2016 @07:41AM (#52961469)

        Just install Norton AV on it, and add McAfee to be sure. Then, even a botnet wouldn't want to anymore run on that device

        Yeah, that's it! "Should I have run MacAfee on my FirstAlert online smoke detectors?" you say to yourself as you gaze at the remains of your house.

        • Re:How do you know? (Score:5, Interesting)

          by geekmux ( 1040042 ) on Monday September 26, 2016 @08:18AM (#52961603)

          Just install Norton AV on it, and add McAfee to be sure. Then, even a botnet wouldn't want to anymore run on that device

          Yeah, that's it! "Should I have run MacAfee on my FirstAlert online smoke detectors?" you say to yourself as you gaze at the remains of your house.

          IoT or not, odd how you made me wonder if the smoke alarm itself has ever been the source of a fire...

          I need coffee. It's too early for this.

    • by msauve ( 701917 )
      "If it's connected to the internet directly"

      So, an infinitesimal fraction of them, since almost all would be behind a NAT router.
      • by zm ( 257549 )

        "If it's connected to the internet directly" So, an infinitesimal fraction of them, since almost all would be behind a NAT router.

        IPv6 to the rescue! No NAT and even popular routers out there pass IPv6 without an SPI. (TP-Link Archer C7 would be one).
        Speaking of, recommendations for a good router, anyone?

        • by jeffmeden ( 135043 ) on Monday September 26, 2016 @08:32AM (#52961691) Homepage Journal

          Recommendations? Take the C7 and install OpenWRT on it. Super easy to use, reliable, and capable of any firewalling you can dream up (including on IPv6). Plus then you have a nice graph to tell you how much bandwidth is in use and by which device. If you have a botnet participant in your network it will be obvious.

        • We'll wait and see how ISPs handle IPv6 when the time comes. There's no reason to believe it won't make matters worse.
          • by zm ( 257549 )

            We'll wait and see how ISPs handle IPv6 when the time comes. There's no reason to believe it won't make matters worse.

            Except the time has come, and the devices do have public IP's (router has a DHCPv6 /64 address, and doles out addresses in the same /64 range to devices behind it using SLAAC; this is Rogers in Canada)

    • by Z00L00K ( 682162 ) on Monday September 26, 2016 @06:30AM (#52961329) Homepage

      If it needs to connect to a subscription service outside your home it has the potential to become part of a bot net.

      Can you trust your thermostat to not browse your files?

      • If it needs to connect to a subscription service outside your home it has the potential to become part of a bot net.

        Can you trust your thermostat to not browse your files?

        Guess that depends on the "required" app permissions, since that side of IoT is the part that is far more blatantly in the obtrusiveness of IoT.

        • by jittles ( 1613415 ) on Monday September 26, 2016 @08:34AM (#52961707)

          If it needs to connect to a subscription service outside your home it has the potential to become part of a bot net.

          Can you trust your thermostat to not browse your files?

          Guess that depends on the "required" app permissions, since that side of IoT is the part that is far more blatantly in the obtrusiveness of IoT.

          Well if you have an SMB share, or some other unprotected share, what is to stop your thermostat from mounting it and looking at its contents? Unless you block your thermostat off of the rest of the network. Any device you have that can be controlled by a remote service could be compromised and controlled by anyone.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            If you have an unprotected share and a compromised thermostat you have two problems, not one.

          • by SQLGuru ( 980662 )

            I'd be interested in a description of the ideal configuration for a home network that includes IoT devices.

            Should I have multiple routers so that I "nest" my networks. So have one network "right off the Internet" for less secure things such as IoT and then have a more secure network as a sub-network to the IoT network? So the IoT network can't see anything in the sub-network but is also protected by whatever firewall settings I decide to set?

      • Re:How do you know? (Score:4, Interesting)

        by QuietLagoon ( 813062 ) on Monday September 26, 2016 @10:42AM (#52962461)

        Can you trust your thermostat to not browse your files?

        Nowadays, that is an amazingly valid question. Just a few short years ago, if you asked that question, you would have been __________. (fill in the blank)

    • If it's connected to the internet directly, and it has no built in security apart from "admin" "password", it's part of a botnet or soon will be.

      In other words, no. Since no IoT devices are connected to the interned directly.

    • If it's connected to the internet directly, and it has no built in security apart from "admin" "password", it's part of a botnet or soon will be.

      I agree....the answer is basically, "Yes, your IoT gadget is part of a botnet" or "Your IoT gadget is not part of a botnet yet".

  • by Anonymous Coward on Monday September 26, 2016 @03:40AM (#52960939)

    The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.

    • by jandersen ( 462034 ) on Monday September 26, 2016 @04:46AM (#52961103)

      The "average" user has no idea and that's why they put IOT shit on their unsecured network in the first place, duh.

      The average user has no idea that there is something like "IoT" and that it is in any way different from the rest of "the internet". All they know is that it is "smart" to have an app on your phone that can turn on the heating and tell you the fridge is empty, and a TV that seems to understand what you want to watch, or a smart meter that tells you (and the utility company) how much gas and electricity you use up to the last minute. They won't know or care about the security implications until it goes badly wrong.

  • by Anonymous Coward on Monday September 26, 2016 @03:45AM (#52960951)

    There are free tools you can use to monitor a network, but they might not be so easy for the average user. Just googling around, I found this solution that's designed to answer such questions [f-secure.com], but note it costs money. I've never seen it in action. One would hope that you get something user-friendly at such a price.

    The other guy who said that if you can log in with "admin" as the userid and "password" as the password, or some other default login, that's spot-on. Botnet creators will probe for that, so at the very lease change the userid and password before actually going live... or just do what I do and not have any IoT stuff.

    • by skids ( 119237 )

      Basically the only way to detect intrusions on these systems is to have A) a characterization of their nominal protocol behavior including bandwidth usage patterns, connection/disconnection behaviors and other such information in addition to the basic port/service stuff. B) Have a list of the cloud servers they normally contact under standard operation, and C) Have regular automatically installed updates for A) and B) as the owner of the device screws with firmware and/or CDN contracts or the CDN itself ma

  • by ledow ( 319597 ) on Monday September 26, 2016 @03:54AM (#52960985) Homepage

    Though it doesn't seem to apply to home networks, how can you be an IT professional of any kind and NOT know what's coming into or going out of your network?

    If nothing else, precisely because of things like this where your CCTV NVR or your thermostat could be hacked and doing whatever it likes. In fact, DDoS of someone else is the LEAST of your worries if someone is able to coax your devices into running arbitrary code on your local network.

    Sorry, but this kind of thing needs management and there isn't a home router on this planet that does things like send you an email when a "new" device connects, or alerts you to unusual activity from your local network devices.

    • by Zocalo ( 252965 ) on Monday September 26, 2016 @04:28AM (#52961065) Homepage
      Pretty much this, and given how bad many IoT devices are, even if you do change the passwords, etc., it's safer to just assume that they already have been compromised, or that they will be. Since we're talking retrospectively here, set up some connection logging on your outbound router. See if there's anything in the logs that's not what you were expecting, bearing in mind that they'll almost certainly be phoning home to "check for updates" and "backup your data to the cloud" (AKA "monetize your data"). Done. A better approach would have been to be more proactive (because the typical SoHo router vendor sure as hell won't be); as a minimum lock down anything you don't need, put all the IoT type devices on a dedicated network away from the stuff that matters, and configure the router to send an alert when anything anomalous happens. Bonus points for things like implementing BCP38 [bcp38.info] locally so even when you are compromised at least tried to minimise the damage, enabling syslog and actually monitoring the output, and other basic security principles.
      • by rnturn ( 11092 )

        ``See if there's anything in the logs that's not what you were expecting, bearing in mind that they'll almost certainly be phoning home to "check for updates" and "backup your data to the cloud" (AKA "monetize your data").''

        This could include almost every IP address you find in your logs. Do you know the IP address of every ancillary site that the web sites you visit make connections to while you're browsing their pages? The advertisement servers? Any image servers? The external sites for comments/discus

        • by Zocalo ( 252965 )
          In the specific context of whether the IoT devices under discussion have been rooted or not, abnormal traffic actually does tend to stick out a bit. Legit traffic will generally be restricted to your internal network, plus a selection drawn from the vendor (and possibly a few "partners"), a cloud service operator or two, and a small pool of ISPs/MNOs that are are used to access the device remotely, depending on the device type and usage patterns - a finite set of IP ranges that will come up continually. B
      • You're talking out of your poopy hole, If your IoT devices have been compromised, your pool boy or local nerd is behind it, his botnet is limited to a few blocks, or whatever he can wardrive on his huffy 10 speed. Honestly, this is beneath the scope of what you really should be be worrying about, especially considering the current US political climate.

        In case nobody is aware, a racist tangerine is threatening to take over the worlds largest nuclear arsenal.
    • by Xtifr ( 1323 )

      how can you be an IT professional of any kind [...]

      I'm not. I'm a software developer.

      • That isn't an excuse, as a software developer you are supposedly making such software that you think is getting hacked or spied on.
        However more to the point being IT professional and even a good one doesn't mean you are able to manage all things "computer" equally well. I know I get fusterated at work when they give me a job that the system administrator or DBA normally should do. Not that I can't but because these are jobs that these people do all the time and have such processes in mussel memory while I

  • If you have to fill out cloudflare captchas when browsing, then maybe.

  • by Enter the Shoggoth ( 1362079 ) on Monday September 26, 2016 @04:04AM (#52961013)

    Is this the long sought after counter-example to Betteridge's Law [wikipedia.org] where the response to a question mark is always "yes" ?

    • Just reword it to "Is my IoT device secure" and Betteridge's Law holds.

    • by AmiMoJo ( 196126 )

      Probably not... When you consider that, for example, pretty much every TV sold now has smart features and yet the vast majority of TVs are not part of a botnet as far as we know. Ditto cars, many have some kind of connectivity now but are not infected.

      The main reason for this is that it just doesn't make economic sense to target IoT devices. With Windows you have hundreds of millions of targets and easy access via malvertising and trojans. With an IoT device it's probably behind a firewall and only connects

  • by wildstoo ( 835450 ) on Monday September 26, 2016 @04:17AM (#52961043)

    Probably beyond the abilities of Joe Average, but you could use your router/firewall/whatever to limit the bandwidth of IoT devices on your network.

    Most IoT devices seem to use very little bandwidth by design - they just send and receive simple status updates and commands - and they would be of much less value to a botnet operator if they were limited to, say, 5kbps.

  • I built them myself.

    Quite frankly, for nearly everything that is currently offered as a commercial IoT gimmick the answer to "is my IoT device part of a botnet" is "yes, or at least it can easily become soon".

  • by ctrl-alt-canc ( 977108 ) on Monday September 26, 2016 @04:30AM (#52961073)
    I don't use IoT, and I will never will. No need to share with external world room temperatures, door status or garden humidity. Electromechanical devices are enough for this, they are much cheaper, and are free from the risk of being tampered from an indian hacker.
    I still have to understand why people need to control everything from their smartphone, when there are simpler solutions that require much less of your precious free time to be implemented and used.
    • There are a surprising number of these "angry old man" rants on Slashies. We all get that the devices are insecure but, they're incredibly handy, and they will sweep the world. If you still want to keep your old TV with a dial on it for tuning, go right ahead, grandpa. The rest of us will be asking the air for a new show and don't much care if the world knows it.

      • "If you still want to keep your old TV with a dial on it for tuning, go right ahead, grandpa. The rest of us will be asking the air for a new show and don't much care if the world knows it.

        And we will pwn your young asses. :-)

      • As one of the old guys here, although my UID would indicate that I am younger than I am, I don't want a smart TV. What I really want it is big monitor with lots of hookups, a fast response time, and good color reproduction. I don't care if it has Netflix built in, my computer, my roku, my tablet, my phone all will play it just fine and likely the apps there will be kept more up to date than the prebundled shit on the "smart" TV.
      • We all get that the devices are insecure but, they're incredibly handy, and they will sweep the world.

        Yeah, and that's the problem, dumbass. They'll "sweep the world", and with it your credit cards, passwords, private photos, medical info, etc etc etc.

        You know what else is "incredibly handy"? Crack cocaine. Try it sometime, it's amazingly handy. Don't worry about any pesky side effects, just focus on how damn handy it is.

    • Said by someone posting an internet comment. Your computer is a thing and is hooked to the internet. And most likely is setup to get network updates and at least you will get notifications about these updates.

    • I still have to understand why people need to control everything from their smartphone, when there are simpler solutions that require much less of your precious free time to be implemented and used.

      IoT means more than just "control everything from your smartphone".

      The only IoT device that I knowingly have is an IP camera in the room where our grandchildren sleep whenever they come over to stay. It is only switched on when they are with us.

      It isn't controlled from a smartphone. It is accessed from one or more tablets. It is blocked from accessing the internet at my firewall. If there are firmware updates, I will download them and apply them manually, not that I expect that to happen before the sun grow

    • I don't use IoT, and I will never will. No need to share with external world room temperatures, door status or garden humidity.

      Ha ha! You are wrong. I spent all last night watching your garden humidity level.

  • And its looking a bit like megaman battle network, where everything is networked and have a virus encounter every 10 steps.

  • If you have a device connected to the internet, made by some startup or big company, who doesn't care about the security of user data.
    What can go wrong will go wrong. Your device and/or data will get hacked.
    if you are lucky, it will perhaps not happen to you, but don't count on it, so assume it's compromised, and therefore don't accept devices that are unecessarily connected to the open internet.

    So the obvious answer to the question if your connected device is compromised is "YES, it is compromised."

  • That's why I don't do IoT. My cellphone is the closest thing to IoT that I own and the only system that I don't control the software for.

  • If you are using a real router, you can check the outbound traffic originating from your things.
    Maybe you can throttle it: it'd be in the order of a few KBps and it'd be directed only towards a certain server.
    Anything else cound be an ongoing DDOS attack.
    If all of this doesn't make any sense to you then, I'd suggest you to disconnect those tin cans.
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Monday September 26, 2016 @05:50AM (#52961247)

    Do you really want to know?
    Then analyse your LAN traffic. Wireshark and Co. are you friends.

    You're welcome. Captain Obvious was glad to help.

    • If you don't know what you're doing, you might want to stear clear of blackbox devices in your private LAN.
      I personally wouldn't trust an IOThingie that I didn't build myself with a Rasberry Pi, Arduino or something.

      Oh, and not being able to find out if your device is part of a botnet counts as 'not knowing what you're doing'.

      My 2 Eurocents.

  • I've read a few of these stories lately and while personally I run a Mikrotik router with a separate access point I thought the vast majority of shitty consumer routers still had a basic firewall that blocked all incoming connections by default? Plus for those that don't presumably all these IoT device would need NAT on your typical home network to be accessible externally so does anyone know if UPnP is required for these exploits to work? I realize this only applies to external port scans but I'd assume t
    • by stooo ( 2202012 )

      NAT traversal is not needed as soon as you have ipv6 (no NAT, no traversal needed)
      So no, this is not due to NAT traversal, it is due to security holes in IOT things.

  • Block all IoT devices in the firewall from external communication.

    If they don't work you have purchased an insecure device.

  • by beda ( 158888 ) on Monday September 26, 2016 @06:55AM (#52961385)

    Infected devices usually try to spread the infection further and their scanning attempts on the Internet are often observed. There is for instance a dedicated website for IoT devices attacking Telnet ports [turris.cz] or some more generic ones, such as the Internet Storm Center [sans.edu]. If the IP address of your device is on the list, it is very likely that you have a problem.

  • It depends on how much efforts you want to put into this. The best way to detect these kind of weird behaviors is using an intrusion detection system/ deep packet inspection at the router level. You can limit the damage they would do with a few firewall rules. As was mentioned, Having an additional layer behind your internet router can slow people down and at least prevent people from harming your local network.

    The problem is a lot of these IOT devices, is they can roam freely and some automatically connect

  • by philipmather ( 864521 ) on Monday September 26, 2016 @07:07AM (#52961403) Homepage Journal

    Depends, have you plugged it in yet?

    No need to turn it on, someone else will do that for you.

  • I have IoT devices. Are they on any botnets? I don't know, I don't spend any time checking.
    You can't however initiate a connection to them from the outside(no port forwarding) and uPnP have been disabled.
    Still if the manufacturer have failed somehow, and they have been infected from the factory or when they phone home, they could be running nasty stuff.

  • While your IoT device may or may not be part of a botnet, the fact that you 'bought into' the nonsense idea that is the "Internet of Things" means that you, as a human, are psychologically part of a commercial-botnet where you can (apparently) be compelled to do dumb things on command.

  • What Things need to be connected to the Internet ?

    • by stooo ( 2202012 )

      Fridges, Cars, light bulbs are obvious examples. They absolutely need to be connected in order to get hacked.

  • The same way you tell if you have a slowly-leaking toilet in your home: you stop using everything and look at the meter..

  • (a) Sniff your network traffic, looking for anything unusual coming from the device.

    (b) Don't use IoT stuff.

  • by Kludge ( 13653 ) on Monday September 26, 2016 @09:51AM (#52962089)

    I have often wondered the answer to this question myself: how can I tell if a machine on my network is compromised?
    So I set up a Linux box as my primary router, and monitored all the traffic going through the box, and holy crap, there is a lot of stuff.
    Every time you hit a facebook web page, the javascript in there directs your browser to hit literally dozens of other web sites, and this is true of EVERY device in your house: your wife's laptop, your son's smartphone, your dog's water bowl. When you watch a video on Netflix video, the video player hits a dozen different servers at once, and those connections come and go constantly, old ones are closed, new ones opened to different servers throughout the world with all kinds of different names. And, of course a modern computer or smartphone uses all kinds of services: time services, location services, software updates, on and on and on.

    It would be very difficult for a person to notice a low level bot doing something amiss. I have all the data, and I don't know how to do it.

  • by Not-a-Neg ( 743469 ) on Monday September 26, 2016 @10:40AM (#52962445)

    I am more concerned about a cheap IoT device shipping with spyware from China pre-installed than I am about someone hacking into my network.

They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- Carl Sagan

Working...