A mediagenic press-release from Proofpoint, a security firm, announced that its researchers had discovered a 100,000-device-strong botnet made up of hacked "Internet of Things" appliances, such as refrigerators. The story's very interesting, but also wildly implausible as Ars Technica's Dan Goodin explains.
The report is light on technical details, and the details that the company supplied to Goodin later just don't add up. Nevertheless, the idea of embedded systems being recruited to botnets isn't inherently implausible, and some of the attacks that Ang Cui has demonstrated scare the heck out of me.
For more speculation, see my story The Brave Little Toaster, from MIT's TRSF. Read the rest
A Symantec researcher has discovered a worm that runs on embedded Linux systems, like those found in set-top boxes and routers. It's common for owners of these devices to forget about them, letting them run in the background for so long as they don't misbehave -- and as a result, they are often out of date. The worm, called Linux.Darlloz, attacks out-of-date Linux installations running on Intel hardware (a small minority in the embedded systems world), but it would not be hard to modify it to attack embedded linuces on other chips.
In addition to being out-of-date, many of these systems have "forever day" bugs that will never be patched by their vendors, making them especially hard to secure. The anonymously authored "Internet Census 2012: Port scanning /0 using insecure embedded devices" showed that a dedicated attacker could compromise well over a million devices without much work, recruiting them to run unprecedented denial of service attacks (I wonder if anyone's thought of using this method for mining Bitcoins?).
As the researcher Ang Cui has demonstrated, embedded systems attacks are especially pernicious because it's difficult to boot them from known-good sources. Once an attacker compromises your router, printer, or set-top box, she can reprogram it to give the appearance of accepting updates without actually installing them, meaning that the system can never be provably restored to your control.
The details of the Linux.Darlloz show a much more primitive and unambitious attack, but it hints at a pretty frightening future for the compromised Internet-of-Things (I wrote a short story about this, called "The Brave Little Toaster"). Read the rest
Here's a video of Ang Cui and Michael Costello's Hacking Cisco Phones talk at the 29th Chaos Communications Congress in Berlin.