Sunday, January 19, 2014

People aren't hacking refrigerators (probably)

I was lazy yesterday and didn't post on the big security news that a bunch of you emailed about.  A security research company says that smart TVs and refrigerators have been hacked and turned into a spam botnet:
Security researchers at Proofpoint have uncovered the very first wide-scale hack that involved television sets and at least one refrigerator.
Yes, a fridge.

This is being hailed as the first home appliance "botnet" and the first cyberattack from the Internet of Things.
Here's the press release on the situation:
Proofpoint, Inc., (NASDAQ: PFPT), a leading security-as-a-service provider, has uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household "smart" appliances. The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.


The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.
Color me skeptical.  Certainly this is theoretically possible, and I've posted before on the security dangers of "the Internet of Things".  Without doubt these smart devices are a sucking chest wound of security fail, and are indeed a target rich environment.

So why am I skeptical?  It starts off with security-by-press-release, which I've seen more than once before in my career.  Most of these are all sizzle, no steak, the product of media attention whoring that is sadly evergreen in my business.

But maybe Proofpoint is above boards (although I've never heard of them before; strike two).  There is a dismaying lack of technical information from them - a lack of proof points, if you will.  Solid security researchers provide lots of proof, and with malware incidents this proof usually includes code recovered from infected systems and IRC logs from the command and control channel.  It doesn't seem that there's any of this available.

But the biggest reason why I'm unconvinced is because of the way that most people set up their home networks.  You call your Cable company and they ship you a home router.  You plug it into the cable (or the nice Installer does it for you), and presto - instant Internet.

What's important is that things are set up by the Cable company, and you have only one IP address.  That address is shared by all of the devices in the house.  Here at Camp Borepatch, we have a lot of devices (maybe 20) all using the same address.  That's all handled by Network Address Translation (NAT) done in the cable box.

That works great when everything connects out to the Internet; it's lousy when things on the 'Net want to connect in, and you have to jump through some decently complicated technical hoops to make that happen.  The punchline: almost nobody does.

So what I'm not at all sure about is how a refrigerator (using WiFi to the cable router which does a NAT translation when the fridge connects to the 'Net) - how is that fridge reached by the Evil Bad Guy to infect it?  Assume that the fridge is a sucking chest wound of security fail.  That fail is all hidden behind the NAT translation which is effectively a diode (a one way gate) - things go out but nothing comes in.

And by "hidden", I mean hidden.  You can test this for yourself right now, by running a security scan to see what's seeable from the Internet.  Gibson Research (which has been around for a long time) has a free port scanner called Shields Up that will tell you if the Evil Bad Guys can see anything in your house.  You should see something like this, which is Camp Borepatch's electronic secure perimeter:

Green is good, and red is bad, right?  More importantly is why green is good - when the scanner tries to connect to a port, the cable router doesn't send any answer at all.  There's no way to tell whether the IP address isn't answering, or if there's nothing at that IP address at all.

And so, how do you get malware down to that refrigerator?  Like they say up in Maine, you can't get theah from heah.

This isn't discussed in Proofpoint's presser.  And so I simply don't put much credence in it.  Did they see malware generated emails?  I have no doubt about that.  Do I think that they know enough to tell whether it came from a refrigerator of a plain old infected PC?  I reserve judgement on that, waiting for more (and more compelling) information. Bottom line, this smells of too much hype: all sizzle, no steak. 

Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

P.S. I'm not the only one who is skeptical.


Dave H said...

I was skeptical about that story when I read it too. On top of the reasons you give, the biosphere for embedded devices isn't eleventy billion x86 processors running one of the big three personal computer OSes. Most of them are running one of a dozen stripped down Linux variants, and the processors can be x86, ARM, PowerPC, and even some dedicated microcontroller chips have Linux ports. Getting code to run on one particular target isn't all that hard, but chances are it won't run on 90% of the devices you find.

Botnets need large numbers of infected drones to be effective. Other than as an academic exercise, there's not much payback for spending the time to port your malware to a target that might have only a few thousand instances in the field, withmost of them behind firewalls, as BP says.

Dave H said...

P.S. How do you get Shields Up to scan that many ports at once? It'll only let be do 64 at a time.

Atom Smasher said...

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Thanks, BP - never knew about this before - now I'll be a regular user.

R.K. Brumbelow said...

@Dave H, I have to disagree. First embedded systems are very vulnerable to exploits discovered after their production. With an embedded system you have 3 choices:

Never update: the product is now vulnerable to all exploits created after deployment of the software, but perhaps does not have writable memory so cycling the power resets it.

Seldom update: Now the device is writable, but maybe only locally. Maybe now it gets an update on service so every x months. It is vulnerable to attacks discovered between updates and patches.

Frequent update: A more moving target, but likely vulnerable to a remote update bug or hijack. Would likely be designed to have a backup BIOS for when remote updating fails: see never update.

For the never update, if you can get a remote device to execute code, does it matter how slow it is? Most firewalls face outwards. Get a man (or net connected kegerator) on the inside and most people will not notice. Also, when a company or individual standardizes on a line they become more vulnerable to attack. Example one woman I knew growing up only used 'Lady Kennmore' appliances. If you wanted to get access to her network, then you just buy the LK1.97.a-01 exploit from your favoutite mobster and boom, you are in.

Dave H said...

R.K.: I'm not saying you can't exploit an embedded system. I'm saying the Proofpoint report is unlikely because it's not worth the effort. Who's going to pay their local mobster for a crack that's only going to run on a few dozen machines? Nobody who wants a serious botnet. They want a crack that will run on thousands or tens of thousands of machines.

joethefatman said...

Thanks for the security check page. My system passed on all fronts for some reason. I guess I've got a good security process after all.

Borepatch said...

Dave H, select "All Service Ports" which will do all 1024.

R.K. Brumbelow said...

@Dave H: There are 2 security markets bulk and specific target.

I once had a lawyer pay ~$30k to the PI firm I was the Comp forensics tech for to get access to 25MB of data.

30k will buy some substantial bot net activity.

I do agree that lower hanging fruit tends to be picked faster, but many times subtle is better. For example: Embedded systems of scientific test or small production equipment. Want your adversary to lose substantial yield in production? Tweak a parameter used in a equilibrium reaction. If it takes them 2 months to get production back on track during research that can make the difference of an order of magnitude for profits, or even if a product makes it to market at all. I was called in on 3 occasions to write up similar situations and to fix more than a few periled rollouts.

I guess my point is that I see very little, if any, upside for consumers in the 'network of things' model. Every step that direction gives someone else that much more likely a chance of convincingly imitating the consumer, and the most dangerous hacks are social.

Jake (formerly Riposte3) said...

"how is that fridge reached by the Evil Bad Guy to infect it?"

I wonder how well the update/app servers at GE/Kenmore/etc. are secured?

@ Dave H: Remember, some of the more interactive appliances (like refrigerators) are running Android with a device-specific skin. If all you want is a botnet zombie, there's no need be device-specific with that setup, and I bet they'll lag several versions behind on updates, too.