[HN Gopher] What are Attackers after on IoT Devices?
___________________________________________________________________
What are Attackers after on IoT Devices?
Author : lavios
Score : 68 points
Date : 2021-12-23 12:20 UTC (10 hours ago)
(HTM) web link (arxiv.org)
(TXT) w3m dump (arxiv.org)
| alamortsubite wrote:
| I don't know if current IoT devices have the resources to mine
| cryptocurrencies, but it's been tried. Eventually someone will
| pull it off.
| Havoc wrote:
| Probably way better to sell as botnet. Doubt mining on iot is
| useful. Even on a rasp4 it's pretty pointless
| als0 wrote:
| Many consumer IoT devices are just small microcontrollers that
| don't run Linux. Usually just a small embedded application in
| an RTOS, without much security at all.
|
| For powerful application processors like your TV, smartphone,
| router...there's plenty of rich data to exfiltrate and
| resources to abuse.
|
| For a microcontroller, you're either interested in controlling
| it remotely or stealing some secret from it e.g. WLAN password
| or a cloud access credential. Anything else is quite hard and
| has diminishing returns. However, in great numbers they can
| provide a significant DDoS capability.
| ClumsyPilot wrote:
| "Usually just a small embedded application in an RTOS,
| without much security at all."
|
| In security, that's probably a strength, not a weakness, if
| done right. There are fewer lines of code that might contain
| vulnerabilities. There is no random side service, JS library
| or OS vulnerability to attack, there might be nothing
| listening for incoming connections, etc.
| unnouinceput wrote:
| When power is paid by somebody else and you benefit from the hash
| power, regardless of how low it is in one unit, once you have a
| million units you can create your own bitcoin pool and
| strike gold. I bet mining is way more profitable than DDoS.
| 0xbadc0de5 wrote:
| Just a few thoughts on this. IoT is a very wide category of
| devices. The results will vary widely depending which
| sub-category a particular IoT attacker finds themselves with
| access to. As a generalization, attackers may be grouped into two
| categories, professional and amateur. A professional would be
| looking to monetize access whereas an amateur is seeking access
| for other reasons (voyeurism, technical challenge, etc). Of
| course, the categories can be made more or less granular - this
| is just to highlight that when discussing results, it is helpful
| to consider attacker motivations. Take the case of an IoT camera,
| for example. From an attacker perspective, an IoT camera offers
| two points of interest: broader access to the local network (i.e.
| as a jumpbox), use as a bot in a botnet (which is directly
| monetizable), and voyeuristic access (that may be further
| leveraged for monetization). However, a consumer broadband router
| is a better suited target for both local access and botnet use
| due to both its position at the network gateway and its typically
| higher processing resources. But IoT is not limited to consumer
| devices - industrial control systems (automation, HVAC, etc),
| telecom (i.e. cell towers), civic services (traffic lights, water
| treatment), payment processing (ATMs, PoS, etc), heavy equipment
| (mining, farming), etc, etc, all fall into the category of
| connected "things". The attack surface on any particular device
| will vary widely in each of these and the risks depend largely on
| the attacker motivations - an amateur who finds themselves with
| coincidental access to an electrical sub-station would arguably
| pose less risk than a nation-state attacker with targeted access.
| tonymet wrote:
| How are people performing intrusion detection on home IoT
| devices?
| andrewnicolalde wrote:
| I currently rely pretty much exclusively on my Unifi gateway's
| not-great IPS/IDS system, which allegedly receives updated
| threat intelligence feeds periodically. Outside of actual
| intrusion detection, I prevent my IoT devices (which are
| located in their own VLAN) from contacting the internet
| wherever possible, and entirely block any inter-VLAN traffic
| other than responses to connections initiated from devices
| residing on a "trusted clients network", which hosts my phone,
| laptop etc.
| nanidin wrote:
| > their own VLAN) from contacting the internet wherever
| possible, and entirely block any inter-VLAN traffic other
| than responses to connections initiated from devices residing
| on a "trusted clients network", which hosts my phone, laptop
| etc.
|
| I am interested in this kind of setup but lack relevant
| experience. Is this stuff you set up in the stock Unifi admin
| pages?
| n0on3 wrote:
| Many sort-of-recent home network equipment supports this
| stuff or equivalent (i.e., multiple networks) just as a
| configuration from their admin UI. You don't really need
| relevant experience to set this up, just very basic
| networking knowledge and the will to occasionally shake your
| head at the web-based-admin-user-experience of the box.
| teitoklien wrote:
| If you're running your custom homebuilt router, you can use IDS
| systems like Snort[0] or Suricata[1].
|
| It's pretty fun to set up! You can take any old desktop/laptop
| at your home and make it into your own custom router by
| running a Linux or BSD instance on it.
|
| If you go this route, I would recommend Suricata IDS as you can
| set up a more complex and sophisticated system easily, compared to
| Snort.
|
| [0](https://www.snort.org/)
|
| [1](https://suricata.io/)
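As an added illustration (not from anyone in the thread), the inter-VLAN policy andrewnicolalde describes above, written as an nftables ruleset for the kind of homebuilt Linux router teitoklien mentions: IoT devices are cut off from the trusted VLAN and from the internet except for an explicit allow-list, while the trusted VLAN may initiate flows in either direction and only the replies come back. The interface names wan0, trusted0 and iot0 and the allow-listed ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed interfaces (not from the thread): wan0 = upstream link,
# trusted0 = "trusted clients" VLAN, iot0 = IoT VLAN.
flush ruleset

table inet filter {
    # Constructed allow-list of upstream services IoT devices may reach
    # (HTTPS to their cloud, NTP). Narrow it further per device, e.g. by
    # destination address, once you know what each thing actually needs.
    set iot_tcp_allowed {
        type inet_service
        elements = { 443 }
    }
    set iot_udp_allowed {
        type inet_service
        elements = { 123 }
    }

    # Traffic addressed to the router itself: let IoT use local DHCP/DNS
    # so it never needs a resolver on the internet.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "trusted0" accept
        iifname "iot0" udp dport { 53, 67, 123 } accept
        iifname "iot0" tcp dport 53 accept
    }

    # Traffic routed between VLANs or to the internet.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that a rule below already admitted.
        ct state established,related accept
        ct state invalid drop

        # Trusted VLAN may initiate anything, towards IoT or upstream.
        iifname "trusted0" oifname { "iot0", "wan0" } accept

        # IoT VLAN: no inter-VLAN initiation at all (falls through to
        # the drop policy), and only the allow-listed ports upstream.
        iifname "iot0" oifname "wan0" tcp dport @iot_tcp_allowed accept
        iifname "iot0" oifname "wan0" udp dport @iot_udp_allowed accept

        # Log what IoT tried and was denied; an IDS or syslog watcher on
        # the router can alert on the pattern.
        iifname "iot0" limit rate 10/minute log prefix "iot-denied: "
    }
}
```

Load it with `nft -f` and watch the `iot-denied:` lines for a few days before tightening the allow-lists, since a device that quietly fails to reach a blocked endpoint is easy to overlook.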
| kristianpaul wrote:
| If IoT devices means an old Linux distro running in the wild,
| that's an always go for distributed network of devices ready to
| act.
| laurensr wrote:
| Often they want to use them as a massive botnet for DDoS attacks.
| ChuckNorris89 wrote:
| That and because they're low hanging fruits since most of them
| are built on small budgets, often with outdated kernels and
| packages, that will never see any SW updates after sale, making
| exploiting them accessible to any script kiddie with a copy of
| Kali.
| soheil wrote:
| IP addresses.
| bikingbismuth wrote:
| Installing a proxy, and then selling a "residential" proxy
| service can be quite lucrative. Residential IPs are generally
| treated with less suspicion in the risk systems of payment
| processors and merchants. Similar to the monetization models of
| "free" VPN providers on mobile phones.
| vmception wrote:
| Streaming services also don't block them compared to known vpns
| and IP blocks at data centers
| IntelMiner wrote:
| That's not _strictly_ true
|
| Wave Broadband up on the US west coast for many years has
| been the victim of offering gigabit fiber optic internet
| services.
|
| Many of its clients of that service come from a country with
| a particularly "great firewall" one might say
|
| Netflix's systems will often see these rafts of connections
| with weird non-matching timezones to the IP address, Chinese
| default language and other errant data and...simply declare
| the entire ISP a VPN/Proxy provider!
|
| For a company with 500K+ customers in 3 states, this kind of
| disruption is absolutely brutal on their support lines, yet
| seems to happen almost every other month
___________________________________________________________________
(page generated 2021-12-23 23:01 UTC)