Why are IoT devices so easily hacked???

Also usually designed to be "easy to use", so one default password for every device, and quite often a hard-coded manufacturer's password for troubleshooting that is cunningly set to 1234.
 
Because even the most simple IoT device is running on an off-the-shelf ARM-based dev kit (or a design based off one) from one of the big electronics firms (ST/Texas etc.), running a version of Linux, when all they do is turn a light bulb on/off or open a door.

Whereas the stuff I do is Microchip based, paired with a modem from a few different manufacturers on a custom-designed board, running custom firmware/modem code that can only talk to a fixed IP address and cannot be connected to in any way, as there is no code on the unit to allow that (unlike a full-blown operating system that can run as a TCP/IP server or send HTTP requests etc.).
 
> Because even the most simple IoT device is running on an off-the-shelf ARM-based dev kit (or a design based off one) from one of the big electronics firms (ST/Texas etc.), running a version of Linux, when all they do is turn a light bulb on/off or open a door.
>
> Whereas the stuff I do is Microchip based, paired with a modem from a few different manufacturers on a custom-designed board, running custom firmware/modem code that can only talk to a fixed IP address and cannot be connected to in any way, as there is no code on the unit to allow that (unlike a full-blown operating system that can run as a TCP/IP server or send HTTP requests etc.).

I heard a talk from a security researcher recently who was talking about exactly this issue with so many IoT devices running poorly-secured Unix OSs.

As it happens, he said that a friend of his had bought an Ikea lightbulb to pull it apart, and was surprised to find it running a custom OS that listens on a single port and exposes nothing non-essential. Point is, not all of it is that bad, though the vast majority is likely to be.
 
That's basically it. It costs a lot of money to develop something from scratch instead of just taking a dev kit that is running Linux, downloading some open source (or not) library from GitHub and using that to do whatever it is you want. This is fine for a hobbyist, not when you are selling 10,000s of security cameras or industrial equipment. I think it was at IFSEC they showed lots of cheap security hardware being accessed in no time, as they all had a master password that could not be changed and each Chinese manufacturer just copied the code from each other (none having the source, so they couldn't change it). These were running full-blown Linux, so could be set up to do anything.

Some of the stuff we have had to redesign for clients has been just that. An ARM dev kit running the default Unix software (and passwords), stuck in an off-the-shelf box that cost them 10,000...

Edit: By "cost a lot of money" I mean for the company/person designing it. You can charge a client 1000s of pounds, and if you can use off-the-shelf parts and code and do the code in days instead of weeks/months, you're quids in. Unless you have a clued-up client (I have yet to have one) they can get away with it.
 
> Also usually designed to be "easy to use", so one default password for every device, and quite often a hard-coded manufacturer's password for troubleshooting that is cunningly set to 1234.

This. Convenience and Security are mutually opposed, and the kind of people who think IoT is a good idea are the kind of people who think Convenience trumps everything.
 
> This. Convenience and Security are mutually opposed, and the kind of people who think IoT is a good idea are the kind of people who think Convenience trumps everything.

I must admit the thought of an internet-connected door lock that requires registration with the manufacturer sends a chill down my spine, as so far the manufacturers of IoT stuff have not got a good record for their security.
 
Yep - your goal should be to have as few 'connected things' as possible. Thermostats, lighting, meters, etc... people are replacing these things with connected versions, which are less secure, cost more, and do basically the same job - it's madness.

What they don't tell you about the smart meter thing is by the time they've got one in every home it'll be time to replace them all with the next version... perpetual money transferred from the taxpayer to the companies involved... and the companies are run by the buddies of the politicians who are pro-smart meters. The smart meters are a smart idea, for someone else.
 
I was amazed to find out several years ago that a cheap Chinese PTZ IP cam I had bought to hack about with was running a light Linux distribution (forget which). Of course ssh was enabled with the default password. No mention of this anywhere, of course, only the crappy app (which tried to phone home for some reason, caught by the firewall). Sometimes it pays to be paranoid.
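The two defensive ideas in this thread, a device that is only ever allowed to talk to one fixed endpoint and a firewall that catches an app phoning home somewhere else, can be combined into a simple allowlist check over connection logs. The script below is an added example, not code from the thread or any poster; the log format, device addresses and allowed endpoints are all constructed for illustration.

```python
# Added example: allowlist check over constructed router/firewall connection-log lines.
# Each managed IoT device may only initiate outbound connections to its one fixed
# endpoint, and must accept no inbound connections at all (anything inbound means
# the device is listening on a service, e.g. the ssh-with-default-password case).
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "src dst dport direction")

# Constructed policy (hypothetical devices and endpoints, not from the thread).
ALLOWED_OUTBOUND = {
    "192.168.1.50": {("203.0.113.10", 8883)},  # thermostat -> its broker (MQTT over TLS)
    "192.168.1.51": {("203.0.113.20", 443)},   # camera -> vendor cloud
}

def parse_line(line):
    """Parse a constructed 'SRC=a DST=b DPT=n DIR=out|in' log line; None if malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Event(ipaddress.ip_address(fields["SRC"]),
                     ipaddress.ip_address(fields["DST"]),
                     int(fields["DPT"]), fields["DIR"])
    except (KeyError, ValueError):
        return None

def check_events(lines, policy=ALLOWED_OUTBOUND):
    """Return (line, reason) for every connection the policy does not permit."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.direction == "in" and str(ev.dst) in policy:
            # Any inbound connection to a managed device is a finding.
            findings.append((line, f"inbound to IoT device port {ev.dport}"))
        elif ev.direction == "out" and str(ev.src) in policy:
            # Outbound from a managed device must hit its single allowed endpoint.
            if (str(ev.dst), ev.dport) not in policy[str(ev.src)]:
                findings.append((line, f"unexpected outbound to {ev.dst}:{ev.dport}"))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "SRC=192.168.1.50 DST=203.0.113.10 DPT=8883 DIR=out",  # thermostat, permitted
    "SRC=192.168.1.51 DST=198.51.100.7 DPT=80 DIR=out",    # camera phoning home elsewhere
    "SRC=192.168.1.23 DST=192.168.1.51 DPT=22 DIR=in",     # something reaching camera's ssh
    "SRC=192.168.1.23 DST=198.51.100.9 DPT=443 DIR=out",   # laptop, not managed; ignored
    "garbage line",                                        # malformed; skipped
]

if __name__ == "__main__":
    for line, reason in check_events(SAMPLE_LOG):
        print(reason, "|", line)
```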
 
> As it happens, he said that a friend of his had bought an Ikea lightbulb to pull it apart, and was surprised to find it running a custom OS that listens on a single port and exposes nothing non-essential. Point is, not all of it is that bad, though the vast majority is likely to be.

This doesn't surprise me, it's a Zigbee device; they don't tend to run full Linux stacks.
 
I just don't understand the attraction of having so much stuff connected to the Internet. For example, why does anyone need a washing machine, a fridge, a kettle or a hob with Internet access?

Obviously security is a massive issue with many of these things, but for me the entire concept is flawed.
 
Security costs money and there's no incentive. It's not a selling point for all but a small niche of the market. If company A is selling a widget for £50 and company B is selling a widget with the same functionality for £30, B will win. Hardly anyone will know or care that A's widget is more secure and B's widget is completely insecure, spies on you and sends the data on you insecurely to somewhere (and to anyone who buys it or takes it). Neither security nor privacy are selling points on the mass market. All a company has to do is make some meaningless noises if their lack of security somehow gets a few minutes' attention in some part of the media, which isn't likely to happen. Many sex toys nowadays send user data insecurely over the net and can be remotely controlled by anyone who wants to control them, and even something that attention-grabbing gets nothing more than a passing mention in a few bits of the media. Hardly anyone cares about security, and even fewer are willing to pay extra for security or even accept slightly less convenience at the same price.

It won't change unless change is forced by law.

Besides, even better security will get broken. Much less easily and often than what we have now, but the whole idea of an internet of things is a security flaw.

> I just don't understand the attraction of having so much stuff connected to the Internet. For example, why does anyone need a washing machine, a fridge, a kettle or a hob with Internet access?

Nobody does. The attraction isn't for the users. It's for the manufacturers so they can gather more data on more people and maybe find a way to profit from that data.
 
> I must admit the thought of an internet-connected door lock that requires registration with the manufacturer sends a chill down my spine, as so far the manufacturers of IoT stuff have not got a good record for their security.

Yep - there's the current ad on TV showing a family using different ways to electronically unlock a door. This YouTube video shows the various ways in which you can operate a 'smart lock'.

No thanks!
 
Our house security cameras have recently been hacked and changing the password doesn't seem to stop it. The live feed shows "hacked" at the bottom and whoever it is keeps turning the brightness on full so you can't see anything.
 
If you ever get a chance to see one of his presentations, or watch his videos on YouTube, Ken Munro from PenTest Partners does some brilliant things with testing and reverse engineering various IoT devices. His presentation on the security flaws in the Internet-connected adult toy was a bit of an experience...
 