Tag Archives: Internet of Things

The Internet of Things: New Threats Emerge in a Connected World

Internet of Things Header.jpg

Could your baby monitor be used to spy on you? Is your television keeping tabs on your viewing habits? Is it possible for your car to be hacked by malicious attackers? Or could a perfectly innocent looking device like a set-top box or Internet router be used as the gateway to gain access to your home computer?

A growing number of devices are becoming the focus of security threats as the Internet of Things (IoT) becomes a reality. What is the Internet of Things? Essentially, we are moving into an era when it isn’t just computers that are connected to the Internet. Household appliances, security systems, home heating and lighting, and even cars are all becoming Internet-enabled. The grand vision is of a world where almost anything can be connected—hence the Internet of Things.

Exciting new developments are in the offing. A connected home could allow you to logon to your home network before you leave work in the evening to turn on your central heating and your oven. If your alarm goes off while you are out in the evening, you could logon to your home security system from your smartphone, check your security cameras and reset your alarm if there isn’t a problem.

Unfortunately, every new technological development usually comes with a new set of security threats. Most consumers are now very aware that their computer could be targeted with malware. There is also growing awareness that the new generation of smartphones are also vulnerable to attack. However, few people are aware of the threat to other devices.

Linux worm

The Internet of Things may be in its infancy but threats already exist. For example, Symantec investigator Kaoru Hayashi recently discovered a new worm that targeted computers running the Linux operating system. Most people have probably never come across Linux, but it plays a big role in the business world and is widely used to run Web servers and mainframes for example.

The worm, Linux.Darlloz, initially appeared to be nothing out of the ordinary. It utilizes an old vulnerability in scripting language PHP to gain access to a computer; attempts to gain administrative privileges by trying a series of commonly-used usernames and passwords and propagates itself by searching for other computers. The worm leaves a back door on the infected computer, allowing the attacker to issue commands to it.

Since the worm exploits an old vulnerability in PHP, the threat relies on finding computers that haven’t been patched in order to spread. If this was all that the worm did, it would be fairly unremarkable. However, as Kaoru investigated the threat further, he discovered something interesting. The version circulating in the wild was designed to infect only computers running Intel x86 chip architectures, which are usually found on personal computers and servers. Kaoru then discovered versions designed for the ARM, PPC, MIPS and MIPSEL chip architectures hosted on the same server as the original worm. These architectures are mostly found in devices such as home routers, set-top boxes, security cameras and industrial control systems. The attacker was in a position to begin attack these devices at a time of their choosing.

One of the interesting things this worm does is scan for instances of another Linux worm, known as Linux.Aidra. If it finds any files associated with this threat, it attempts to delete them. The worm also attempts to block the communications port used by Linux.Aidra. There is no altruistic motive behind removal of the other worm. The likelihood is that the attacker behind Linux.Darlloz knows that the kinds of devices infected by Linux.Aidra have limited memory and processing power, and does not want to share them with any other piece of malware. 

Linux.Aidra, the malware that Linux.Darlloz attempts usurp, also exemplifies this new generation of threats. Like some of the variants of Darlloz discovered by Symantec, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform distributed denial-of-service (DDoS) attacks. Whoever authored Darlloz obviously believed that Aidra infections were so widespread that it posed a potential threat to their own malware.

What is particularly worrisome about these kinds of threat is that, in many instances, the end-user may have no idea that their device is running an operating system that could be attacked. The software is, by and large, hidden away on the device. Another potential issue is that some vendors don’t supply updates, either because of hardware limitations or outdated technology, such as an inability to run newer versions of the software.

Vulnerable security cameras

This worm is just the latest in a series of incidents highlighting the emerging security threat around the Internet of Things. Earlier this year, the US Federal Trade Commission settled a case against TRENDnet, a firm that makes Internet-enabled security cameras and baby monitors. The FTC said that TRENDnet had marketed the cameras as being secure. “In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address,” the FTC said. “As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet”.

In January 2012, a blogger made the flaw public and this resulted in people publishing links to the live feeds of nearly 700 of the cameras. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” the FTC said. As part of the company’s settlement with the FTC, the firm had to beef up the security on its devices and promising not to misrepresent their security in future promotional material.

What is notable about the TRENDnet incident is that the devices targeted were not infected with any form of malware. Their security configuration simply allowed anyone to access them if they knew how. This was not an isolated incident. There is now even a search engine called Shodan that allows people to search for a range of Internet-enabled devices.

Shodan searches for things rather than websites. Aside from security cameras and other home devices, Shodan can also find building heating control systems, water treatment plants, cars, traffic lights, fetal heart monitors and power plant controls. If a device is simply found using Shodan, it does not mean a device is vulnerable. However, services such as Shodan do make it easier for devices to be discovered if attackers know of vulnerabilities in them.

The connected world

Not all concerns relate to security vulnerabilities. Internet-enabled televisions are now quite common and offer a number of useful additional features such as access to video streaming services and Web browsing. Recently, electronics manufacturer LG confirmed that several of its television models track what people watch and send aggregate data back to the company. The company said that it did this in order to customize advertising for its customers. However, an error in the system meant that the television continued to collect data even when the feature was turned off. The company has said a firmware update is being prepared that will correct this problem.

Internet of Things 1.png

Figure 1. Estimate on the growth in the number of connected devices in the world (Source: Cisco)

The Internet of Things is still only in its early stages. The number of Internet-enabled devices is beginning to explode. According to Cisco, there are now more than 10 billion connected devices on the planet. Given that the world’s population is just over 7 billion, that means that there are now more connected devices than there are people. Cisco, which has been keeping tabs on the numbers of devices, now believes that the number of connected devices will hit 50 billion by 2020. Interestingly, the company believes that around 50 percent of the growth will occur in the last three years of this decade.

Within the past number of years, we have seen a huge range of connected devices emerge. For example the humble thermostat is now Web-enabled. So too is the light bulb, which can now be controlled with a smartphone. Even the automotive industry is sitting up and paying attention, promising connected vehicles that can receive a stream of real-time information.

What is driving this explosion? Simply put, there is now more “room” on the Internet and devices are becoming cheaper to manufacture. Every device connected to the Internet needs an address in order to communicate with other devices. This is known as an Internet Protocol (IP) address. The number of available addresses under the current system of addresses, Internet Protocol Version 4 (IPv4), has been almost exhausted. A new system, IPv6, is currently being adopted. It can provide a vastly larger number of IP addresses, billions upon billions for every single person on the plant.

Other standards are also evolving. For example, the industry charged with overseeing the Bluetooth standard for wireless communications recently announced the latest version of the technology. The group said that Bluetooth is evolving to take into account the development of the Internet of Things. The new Bluetooth standard will make it easier for devices to find and talk to each other in an increasingly crowded environment. And it will now be easier for Bluetooth-enabled devices to link up with an IPv6-enabled Internet.

In tandem with this increase in network space, Internet-enabled devices are becoming easier to manufacture. Many people may be aware of Moore’s law, the axiom that predicts that that the computing power of processors will double every two years. A corollary is that lower powered chips are becoming cheaper to manufacture all of the time. Other technologies, such as Wifi chipsets, have dropped significantly in price over recent years. All of these factors are combining to mean that it’s becoming easier and cheaper to produce Internet-enabled devices.

Staying protected

  • Perform an audit of what devices you own. Just because a device doesn’t possess a screen or a keyboard, doesn’t mean that it isn’t vulnerable to attacks.
  • If something you own is connected to your home network, there is a possibility that it accessible over the Internet and thus needs to be secured.
  • Pay attention to the security settings on any device you purchase. If it is remotely accessible, disable this feature if it isn’t needed. Change any default passwords to something only you know. Don’t use common or easily guessable passwords such as “123456” or “password”. A long combination of letters, numbers and symbols will generate a strong password.
  • Regularly check the manufacturer’s website to see if there are updates to the device’s software. If security vulnerabilities are discovered, manufacturers will often patch them in new updates to the software.

Many of your devices are attached to your home network, which is in turn connected to the Internet. Your router/modem is what stands between your devices and the wider world. Securing it is of paramount importance. Most come equipped with a Firewall, so ensure that it is turned on and properly configured.

?????????????? Linux ???

      No Comments on ?????????????? Linux ???

シマンテックは、「モノのインターネット」を狙う目的で設計されたと思われる新しい Linux ワームを発見しました。このワームは、従来のコンピュータだけでなく、さまざまな種類の小型のインターネット対応デバイスも攻撃する機能を備えています。家庭用ルーター、セットトップボックス、防犯カメラといったデバイスに通常搭載されているチップアーキテクチャごとに亜種が存在します。このようなデバイスへの攻撃はまだ確認されていないものの、その危険性があることに多くのユーザーは気付いていません。これは、自分が所有するデバイス上で Linux が稼働していることを知らないためです。

ワーム Linux.Darlloz は、PHP の脆弱性を悪用して自身を拡散します。ここで利用されているのは、「PHP の「php-cgi」に存在する情報漏えいの脆弱性」(CVE-2012-1823)で、2012 年 5 月にはパッチが公開されている古い脆弱性です。攻撃者は最近、2013 年 10 月末に公開された概念実証(PoC)コードに基づいてこのワームを作成したようです。

Linux.Darlloz は、実行されるとランダムに IP アドレスを生成し、よく使われている ID とパスワードの組み合わせでデバイス上の特定のパスにアクセスして、HTTP POST 要求を送信します。これが脆弱性を悪用しています。標的にパッチが適用されていない場合には、悪質なサーバーからワームをダウンロードして次の標的を探します。現在、このワームは Intel x86 系システムにしか感染しないようです。というのは、悪用コードのダウンロード URL が、Intel アーキテクチャ用の ELF バイナリにハードコード化されているからです。

Linux は、最もよく知られているオープンソース OS で、各種のアーキテクチャに移植されています。Intel ベースのコンピュータに限らず各種の CPU を搭載した小型デバイス、たとえば家庭用ルーターやセットトップボックス、防犯カメラから、産業用制御システムなどでも稼働しています。デバイスによっては、Apache Web サーバーや PHP サーバーなど、設定や監視に使う Web ベースのユーザーインターフェースも用意されています。

シマンテックは、この攻撃者が、同じサーバー上で ARM、PPC、MIPS、MIPSEL など Intel 以外のアーキテクチャ用の亜種をすでにホストしていることも確認しています。

ARM_0.png

図. ELF ヘッダーの “e_machine” 値を見ると、このワームが ARM アーキテクチャ用であることがわかる

これらのアーキテクチャのほとんどは、前述したようなデバイスで使われています。攻撃者は、Linux が稼働している各種のデバイスに攻撃範囲を広げることで、感染の可能性を最大限に拡大しようと試みているようですが、PC 以外のデバイスに対する攻撃はまだ確認されていません。

組み込みのオペレーティングシステムとソフトウェアを使うデバイスの製造元では、ユーザーに確認することなく製品を設定しているので、事態が複雑になっています。多くのユーザーは、家庭やオフィスで脆弱なデバイスを使っているとは認識していません。デバイスの脆弱性を仮にユーザーが認識していたとしても、製品によっては製造元から更新版が提供されないという別の問題もあります。これは、デバイスのメモリが不足していたり CPU が低速すぎたりして新しいバージョンのソフトウェアをサポートできないなど、旧式の技術やハードウェアの制限が原因となります。

Linux.Darlloz への感染を防ぐために、以下の処理を実行することをお勧めします。

  1. ネットワークに接続されているすべてのデバイスを確認する。
  2. デバイスのソフトウェアを最新のバージョンに更新する。
  3. デバイスで使用できる場合には、セキュリティソフトウェアを更新する。
  4. デバイスに強力なパスワードを設定する。
  5. 以下のパスに対する着信 HTTP POST 要求が不要な場合には、ゲートウェイまたは各デバイスで遮断する。
  • -/cgi-bin/php
  • -/cgi-bin/php5
  • -/cgi-bin/php-cgi
  • -/cgi-bin/php.cgi
  • -/cgi-bin/php4

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Linux Worm Targeting Hidden Devices

      No Comments on Linux Worm Targeting Hidden Devices

Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk, since they are unaware they own devices that run Linux.

The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013.

Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.

Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems. Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers.

We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.

ARM_0.png

Figure: The “e_machine” value in ELF header indicates the worm is for ARM architecture.

These architectures are mostly used in the kinds of devices described above. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet.

Vendors of devices with hidden operating systems and software, who have configured their products without asking users, have complicated matters. Many users may not be aware that they are using vulnerable devices in their homes or offices. Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.

To protect from infection by the worm, Symantec recommends users take the following steps:

  1. Verify all devices connected to the network
  2. Update their software to the latest version
  3. Update their security software when it is made available on their devices
  4. Make device passwords stronger
  5. Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
  • -/cgi-bin/php
  • -/cgi-bin/php5
  • -/cgi-bin/php-cgi
  • -/cgi-bin/php.cgi
  • -/cgi-bin/php4

????????????????????????????

      No Comments on ????????????????????????????

cubes_concept02.png

ハリウッド映画を信じるなら、私たちはやがてロボットだらけの世界に住むようになります。ゾンビだらけの世界よりは、ありそうな話です。未来の予測図では、いたる所にロボットが存在します。スクリーンの中では、人工知能が世界征服を企てるという筋書きも定番であり、別形態に変形するロボットや自己修復の機能を持つロボットもすっかりおなじみになりました。残念ながら、ヘビーメタルのサウンドトラックに合わせてスローモーションで宙返りしながら自動車が戦闘ロボットに変形する、という段階には達していませんが、それに近づいていることは間違いありません。MIT の研究者が先日発表した M-Blocks という新モデルは、自己組み立て式ロボットの新たな一幕を象徴する刺激的な作品でした。

MIT が開発した立方体のモジュール型ロボットは、内部のはずみ車を使って自らの配置を変えます。はずみ車が生み出す瞬間的な推進力によって各モジュールは自在な方向に進み、磁力で連結します。モジュールが跳び上がって移動できるほどの強力な勢いを生むエネルギーを発生することもできます。立方体のモジュールで組み上がるのはまだ原始的な形にとどまり、残念ながら巨大な戦闘ロボットになったりはしませんが、そもそもの目標がそこにはありません。研究者が目指しているのは、各モジュールが自律的に動作することです。現在のプロトタイプは外部から制御されており、無線でコマンドを受信しています。

ここでセキュリティ研究者として気になるのは、言うまでもなく、こうしたモジュール型ロボットのセキュリティがどうなるかという点です。と言ってもご心配なく。何も、スカイネットがこの世界を支配するといった話ではありません。今はまだプロトタイプの段階にすぎないので、今後のモデルでどんな動作が可能になるかを予測しても、それは純粋な思索の域を出ませんが、ひとつ考えられる課題は、不正なモジュールを確実に識別できるかどうかでしょう。考えてもみてください。不正なロボットモジュールがシステムに混入したら、他のモジュールがすべて混乱し、形成しようとしていた構造は一瞬にして崩れてしまうのです。信頼できないノードのネットワークで信頼を築くというのは、容易に解決できる問題ではありません。逆に新しいモジュールの追加が必要になるかもしれず、それらがシームレスに統合されれば理想的です。

現在の自己組み立て式モジュール型ロボットは、コマンドを送受信する中央制御ユニットを持っており、モノのインターネット(IoT)にたとえることができます。IoT とは、単純に言えば、従来と異なるデバイスのグループをインターネットに接続することであり、大きな可能性を秘めた分野として注目を集めています。IoT の中で最も実用的なのがスマート家電機器で、一部はすでに商品化されています。現在市販されているロボット掃除機は、自己組み立て機能こそありませんが、ロボットには違いありません。

IoT に関しては、すでにセキュリティ業界から多大な関心が寄せられており、IoT をテーマとして取り上げるセキュリティ関連のカンファレンスも増えています。たとえば、ダニエル・ブエンテロ(Daniel Buentello)氏は今年の DerbyCon で、リモートコントロール式の電源スイッチを完全に乗っ取る方法についてプレゼンテーションを行いました。電灯のスイッチをオン/オフするだけなら特に脅威とは感じられませんが、窓やドアを開けられるとなれば驚きは大きくなります。しかも、これは可能性のごく一部にすぎません。冷蔵庫がポートスキャンを実行する、あるいはムード照明が他の照明器具にマルウェアを感染させるというシナリオは、どれも現実性があります。隣人によってトースターがリモートで侵入を受け、そこからの命令でステレオの電源を切られたりする、そんな日が来るかもしれないのです。そうした家電機器は厳重なセキュリティを想定して製造されているわけではないので、悪質なコードが実行されても、検出や除去は難しい可能性があります。

シマンテックは、モノの接続が進むこれからの世界で安全に過ごせるように、この分野の発展を慎重に追跡しています。冷蔵庫がコーヒーメーカーと共謀してトースターに DDoS 攻撃を仕掛けるなどという事態が近い将来に起きないことを祈っています。そんな 1 日の始まりは誰しも願い下げですから。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Self-assembling Robots May Herald Dawn of Evil Toasters

If Hollywood is to be believed, we will all one day be living in a future filled with robots, or less likely, zombies. Robots are everywhere in our predicted future. A common theme on the silver screen is the artificial intelligence mastermind attempt…