The Internet of Buggy Things
It's Time to Patch or Pitch Vulnerable Devices

"If you build it, they will come." That was the inspirational takeaway from the Kevin Costner fantasy-baseball flick "Field of Dreams." But it's also an apt description for how hackers are turning up to exploit ever-increasing numbers of Internet of Things devices, which now encompass everything from webcams and baby monitors to routers and home heating systems.
It's no surprise that virus-wielding hackers are exploiting Internet of Things devices en masse, Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security, tells me. Blame too many device manufacturers rushing products to market, skimping on secure development practices, failing to audit the third-party code they use, or neglecting to take bug reports seriously. "Flaws like the recently discovered Kcodes NetUSB vulnerability are a good example of this," he says, referring to the NetUSB component, built by Taiwanese firm Kcodes, which security experts allege now puts millions of router users at risk (see NetUSB Flaw Affects Router Makers).
"This bug will probably never be patched by consumers, and they will probably never have any idea that their attack surface has been increased due to the weaknesses, leaving it to only be addressed when their device is replaced by next year's model," Millard says. "Where this really becomes troubling, though, is in the corporate environment," he adds, given how such devices could be exploited to steal corporate secrets or as gateways to launching "low and slow," APT-style attacks.
Router Hackers Target Ancient Flaw
While many manufacturers may "patch" flaws by releasing a new device, that doesn't mean users are purchasing new products in a timely manner. Indeed, the French malware researcher known as "Kafeine" has just discovered a new router-takeover campaign that attempts to exploit a firmware flaw that is nine years old, thus suggesting many ancient routers remain in use and unpatched. Earlier this month, he reports in a blog post, just one of the attacker's rogue DNS servers was logging up to 1 million unique hits per day from routers that had their DNS settings changed to use the attacker-controlled infrastructure.
Kafeine says the related attack infrastructure attempts to exploit various flaws, including the CVE-2015-1187 vulnerability in a service that handles ping requests in some routers, which was first publicly disclosed on March 2. But the attacker-controlled infrastructure is also attempting to exploit some machines via the serious CVE-2008-1244 flaw, which allows attackers to bypass the authentication controls on unpatched Belkin routers, the researcher adds. That flaw was found in March 2008.
Kafeine notes that crimeware toolkit - a.k.a. exploit kit - developers rarely include exploits for vulnerabilities that are more than three years old, because by then so many systems have been patched against the flaw that related attacks become much less effective. Hence, it's notable that attackers are still targeting a nine-year-old Belkin flaw as part of a router DNS-changing attack, also known as a cross-site request forgery (CSRF) small office/home office, or SOHO, router-pharming campaign, that is currently designed to snare more than 55 different types of routers produced by at least 14 different manufacturers, ranging from Belkin and D-Link to Microsoft and Netgear.
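The DNS-changing attack described above works because a router's admin interface accepts a settings change triggered by any web page the victim's browser happens to load. The following is an added example, not code from the article or from any vendor's firmware: a minimal model of a SOHO router endpoint that sets the primary DNS server, in a CSRF-prone form beside a hardened form that requires a POST from the router's own origin carrying a per-session anti-CSRF token. Requests are plain dicts standing in for HTTP requests, and the LAN origin, session ids and DNS addresses are constructed values.

```python
import hmac
import secrets

ROUTER_LAN_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the admin UI

def apply_dns_vulnerable(request, config):
    """Applies the change on any method, from any origin, with no token: CSRF-prone."""
    config["dns1"] = request["params"]["dns1"]
    return True

class CsrfGuard:
    """Per-session anti-CSRF tokens, compared in constant time."""
    def __init__(self):
        self._tokens = {}
    def issue(self, session_id):
        self._tokens[session_id] = secrets.token_hex(16)
        return self._tokens[session_id]
    def check(self, session_id, presented):
        expected = self._tokens.get(session_id)
        return bool(expected and presented) and hmac.compare_digest(expected, presented)

def apply_dns_hardened(request, config, guard):
    """Applies the change only for a POST from the router's own origin that carries
    the anti-CSRF token issued to the requesting session."""
    headers, params = request.get("headers", {}), request.get("params", {})
    if request.get("method") != "POST" or "dns1" not in params:
        return False
    # Browsers add Origin to cross-site POSTs; the router's own admin page sends the LAN origin.
    if headers.get("Origin") != ROUTER_LAN_ORIGIN:
        return False
    session_id = request.get("cookies", {}).get("session")
    if not guard.check(session_id, params.get("csrf_token")):
        return False
    config["dns1"] = params["dns1"]
    return True

def demo():
    """Constructed requests: one a malicious web page could trigger, one from the admin UI."""
    guard = CsrfGuard()
    token = guard.issue("sess1")
    # The browser attaches the router session cookie itself; the forged request has no token
    # and, as a plain GET, no Origin header. The legitimate one comes from the admin page.
    forged = {"method": "GET", "headers": {}, "cookies": {"session": "sess1"},
              "params": {"dns1": "203.0.113.5"}}
    legit = {"method": "POST", "headers": {"Origin": ROUTER_LAN_ORIGIN},
             "cookies": {"session": "sess1"}, "params": {"dns1": "9.9.9.9", "csrf_token": token}}
    vuln_cfg, hard_cfg = {"dns1": "192.0.2.1"}, {"dns1": "192.0.2.1"}
    apply_dns_vulnerable(forged, vuln_cfg)      # the vulnerable handler silently repoints DNS
    forged_ok = apply_dns_hardened(forged, hard_cfg, guard)
    legit_ok = apply_dns_hardened(legit, hard_cfg, guard)
    return vuln_cfg["dns1"], hard_cfg["dns1"], forged_ok, legit_ok
```

The origin check alone is not enough on older browsers that omit Origin, which is why the hardened handler also demands the session-bound token; keeping the admin interface off the public Internet, as recommended later in the article, reduces the exposure further.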
Kafeine (@kafeine), May 22, 2015: "An Exploit Kit dedicated to CSRF Pharming" http://t.co/iiixScwr60 pic.twitter.com/4w12lFrcgC
Attackers continue to refine the campaign, and have lately added code to detect which devices are attached to the infected router, and fingerprint them, making note of whether they have a connected microphone, speakers or webcam, and whether technologies such as the WebRTC real-time communications protocol are supported, Kafeine warns. These attackers' motivations are not yet clear, but he adds that most such attacks focus on launching man-in-the-middle attacks against online banking and WebMoney accountholders, phishing attacks, ad-click fraud, or some combination thereof.
[Figure: Rogue DNS Server Hits. Source: Kafeine (Malware Don't Need Coffee blog)]
Router Takeovers Prevalent
That router-pharming campaign is only the latest in a long line of such attacks. On May 26, anti-virus firm ESET released an alert about Moose malware, which targets Linux-based consumer routers - and other systems that run embedded Linux - and is designed to steal people's social-networking cookies, which criminals use to rack up fake follows, likes and views.
Over the past year, meanwhile, security research firm Team Cymru issued a warning about a "SOHO pharming campaign" that had exploited 300,000 devices, and Check Point Software Technologies found that at least 12 million SOHO routers - from multiple vendors - had a flaw that could be exploited to take control of the device, despite related patches having been released beginning in 2005 (see Router Hacks: Who's Responsible?).
"The Internet of Things certainly does get a lot of attention this year, and I think rightfully so," says SANS Institute Dean of Research Johannes Ullrich in a blog post. He notes that SANS has set up a Web application honeypot - a fake system designed to allow security researchers to catalog exploits being used in the wild - and found that two of the top 10 most frequent attacks are "attacking exclusively devices," as opposed to general Web application log-ins or functionality. Linksys routers susceptible to the Moon worm are one of the most-targeted devices.
But even more frequently targeted, Ullrich says, are QNAP network-attached storage devices, which are being targeted by an automated worm designed to exploit Shellshock. Ullrich says these exploit attempts are especially concerning, because QNAP devices are often used as shared drives, or to run virtual machines or store backups. And while QNAP released a Shellshock patch in October, security experts say that many vulnerable devices have yet to be patched.
When it comes to safeguarding all Internet of Things devices, Ullrich offers the following recommendations: "Make sure you are patched as well as it gets, and try to avoid exposing the admin interface to the public." In lieu of vendors releasing timely patches - and especially for older devices for which no patches are forthcoming - users may also do well to treat their buggy IoT devices as disposable.