How easy to grow robust botnet with low hanging fruits (IoT) - for free

March 17, 2016 (at 2:30 p.m.) in Embedded

Every day there are new vulnerabilities exposed and this “malicious knowledge” can be used by anyone how take the trouble to read about it. The tech news sites are full with “Millions of devices open to attack due to…” articles. In the most of the cases the security/pent-testes sites (e.g.: insecure.org/news/fulldisclosure/, exploit-db.com) are providing Proof of Concept (PoC) codes to let anyone to test the problem on a device of choice. On the other hand there are multiple sources and services that scan the whole Internet on daily basis (e.g.: Shodan HQ, Censys.io) and can be queried for a list of dedicated devices. For example the ones are involved in the last flaw and which are almost sure not patched immediately after the release. Poor criminal just has to use these free sources to build a their own botnet, to collect sensitive user data, to cover their malicious network activities… and whatever the devices providing for them for free.

In my research I developed a testing system (a framework), which can be feed with weaknesses with PoC codes and query stings to find the devices that could be good “candidate” for the exploit. With this framework I can test the devices (in wild range of IPs) and collect the result of these tests easily. By this approach, we 1) will have an exact list about the devices we cannot trust. Because we cannot know who is behind there vulnerable devices (the real own, a hacker, a botnet...or even NSA :) ergo cannot trust on them. The second benefit of this research is that we have exact info about the “status” of the IoT and network devices. How many are outdated, using old firmware with known vulnerabilities, how many has default credential and so on.

Attila Marosi

Attila Marosi has always been working in information security field since he started in IT. As a lieutenant of active duty he worked for almost a decade on special information security tasks occurring within the Special Service for National Security. Later he was transferred to the newly established GovCERT- Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for the SophosLab as a Senior Threat Researcher in the Emerging Thread Team to provid novel solution for the newest threats. Attila has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he is reading lections and does some teaching on different levels; on the top of them for white hat hackers. He presented on many security conferences including hack.lu, DeepSEC, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.