The Internet of Broken Things: why security testing matters
26 Oct. 2016
The recent Distributed Denial of Service (DDoS) attacks against the security journalist Brian Krebs’ blog and then the Domain Name Service (DNS) provider Dyn (which broke large chunks of the Internet at the end of last week) were both supposedly launched from a botnet composed of lots of easily hacked IoT things.
Whilst there’s been a lot of analysis on who is responsible (there are Russian strings in the code, and a lot of the devices are manufactured in China) and how the botnet might work, one thing is clear to us: no-one should be surprised by the progression to targeting IoT devices for botnets.
At Context, we're often employed to find security holes in things, whether it's for our public research or as part of a paid engagement. Whether it's a printer with an unauthenticated firmware update process, an alarm with baked-in guessable webserver credentials, or an IP security camera that could compromise your whole Wi-Fi network, we've found exploitable problems in loads of devices.
Taking each product in isolation, it's obviously bad from a consumer perspective if people are buying products that could compromise the security of their network. That's especially true if the product is supposed to improve security. Less parochially, these recent attacks show that the consequences could be greater than the security of your own network: if these things are easily hacked over the Internet, then they could become a part of a greater evil, a botnet.
At a recent customer event we were asked a reasonable question: "how do I know if some thing I've bought has been compromised?" There's no obvious answer. Your ISP may get in touch if you're suddenly using a lot of bandwidth. You could check the logs on your router. Or you might never know. Turn it off?
So here's the sales pitch: if you've a product that you're thinking of using, giving to your customers, buying, or selling, we can have a look at it for you. Our product security evaluations are pragmatic and relatively short. We're not always going to find every issue, but we'll approach it like an attacker would and find as much as we can in the time allowed.