by egypturnash 3525 days ago
I am a non-programmer who reads HN and keeps up with tech news in general.

And every time I read about the IoT botnet, my immediate response is to look around my apartment at my Internet-connected lights, and wonder if they're part of it.

How can I find this out?

Is anyone making a tool that a non-technical user can run to squint at their network and look for evidence of Mirai, or anything else trying to take advantage of this niche?

There are plenty of tools with a reasonably simple interface that will tell me if my laptop/desktop computer is infected with something. But what can I use to diagnose the health of all of the other computers proliferating around my house?

How can a non-technical user easily monitor the overall health of their connected household? Is this a project anyone is building? Because I think it's definitely something that needs to exist now.

8 comments

Looking over all the replies this comment received, I think my plan for seeing if my apartment's Internet Things are on any botnet is going to be "bribe that security researcher I flirt with sometimes to visit my place and run some tests". Which is not really a solution that scales, either for that friend, or for people who don't happen to run in the kinds of circles where that's someone they could conceivably trade favors with.

And it's probably not gonna get any better any time soon, either. Because I'm not sure there's a money stream in making this something a non-programmer can do. And maybe there shouldn't even be a money stream in this - maybe there should just be huge-ass fines to motivate as many people as possible along the chain from "my Internet Thing" to "the Internet" to include a white/grey hat or three on their team very early in the design process of making their camera/light bulb/pacemaker/router/modem/whatever. Although if someone reading this can figure out a way to get a money stream out of making it a lot easier to see the health of your home's devices, and keep them safe, that might be a decent YC app for you.

How do we add an immune system to the Internet Of Things? Because we sure as hell need one.

> bribe that security researcher I flirt with sometimes to visit my place and run some tests...[w]hich is not really a solution that scales...

Assuming the flirting displayed is sincere, that security researcher may prove much more scalable than you'd imagine.

There's not really enough of a size difference between us to make "scaling" come into play.

My reading of Krebs On Security (krebsonsecurity.com), Mirai scans for factory default passwords or hardcoded default admin credentials. Going at this as a non-technical person, I would:

* Inventory all IOT devices in your possession.

* Find the device manuals and make sure you've changed the default password(s). Note there may be devices where it appears you've updated, but that have secret credentials you can't modify.

* Make note of which of your devices do not have an obvious way to change the factory default password.

* Keep an eye out for lists of devices that are known problems, here is one such sample list: https://blog.sucuri.net/2016/09/iot-home-router-botnet-lever...

* Check each manufacturer to see if they have issued a firmware upgrade to address security issues. Apply update.

* Think about retiring devices that appear on the "bad" hardware lists or the devices with unchangeable factory defaults.

Hope this helps.

Dowse is trying to help you out http://dowse.eu/#sec-2-2 Dowse is a transparent proxy facilitating the awareness of ingoing and outgoing connections, from, to, and within a local area network. ... Dowse communicates with users in various ways: via a web interface, but also pushing messages via audio (synthesized speech), Bonjour and simple apps interfacing with personal mobile devices.

You can even hook up Dowse to your TV set and show a live animation of where on the internet your devices connect to https://youtu.be/vquh3IXcduc?t=74

Oooh. I think I may have finally found a use for the Raspberry Pi sitting around my apartment.

The best place to do this is at your border. You probably have a cable modem or router or some such that connects your home to the internet. You would typically install software known as IDS (Intrusion Detection System) such as Snort there and look for anomalous traffic.

As for a non-technical solution, it will be difficult to implement. It requires some computer know how and time. Such a secure device could be created or better yet offered by the manufacturers of the modems/routers frequently deployed in homes.

The last time I played around with Snort[1] I realized I'm light-years away from being paranoid compared to the default settings :)

It would be good to have an IDS with bare minimum settings, easy to turn on layer after layer, though I understand it's tricky.

[1]: https://www.snort.org/

For non-technical users, I'd suggest the following:

Turn off the devices you don't want to check; leave only those up you want to investigate.

Visit your router's web interface and see if there are any graphs that let you check things like requests/second or packets/second. If it's really high while you're not actively doing anything, that's a clue.

Visit the UPnP settings on the router. If there are ports listening for incoming internet connections, turn the UPnP off on the router.

If you can SSH to your router, log in and start collecting data with tcpdump[1]. This can later be analyzed with tools like wireshark[2], which can show you, per protocol, what is going on. Most of the botnets use telnet- or IRC-like interfaces which are, in most cases, plain text commands, so it's possible to spot them.

Apart from this: reset everything to factory and change all the passwords before letting anything on your network.

[1]: https://www.linux.com/blog/tcpdump-tutorial-beginners

[2]: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntr...
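The traffic checks the comment above describes (outbound telnet, IRC-style command channels, a connection rate that is high while nobody is using the device), run over tcpdump's text output, as an added example that is not code from the thread or from any tool it names. It assumes the capture was taken on the router with a SYN-only filter so that each line is a TCP SYN or SYN-ACK; the sample lines, addresses and thresholds are constructed or arbitrary. It goes one step beyond the comment by also flagging a LAN device whose telnet port answers a connection from the internet, which is the "telnet open to the world" condition raised later in the thread.

```python
"""Flag botnet-like behaviour in tcpdump text output.

Added example, not code from the thread. Assumes the capture came from the
router with something like
    tcpdump -n -i <lan-if> 'tcp[tcpflags] & tcp-syn != 0'
so each line is a SYN or SYN-ACK in tcpdump's default text format. Sample
lines and thresholds below are constructed/arbitrary.
"""
import ipaddress
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}          # ports Mirai-style scanners probe (the thread's "telnet")
IRC_PORTS = {6667, 6697}           # classic plain-text IRC command channels
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def is_lan(ip):
    """RFC 1918 check; ipaddress.is_private would also match documentation ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyze(lines, scan_threshold=10, rate_threshold=5.0):
    """Return {lan_ip: [finding, ...]} for LAN devices with botnet-like traffic."""
    telnet_targets = defaultdict(set)   # device -> external hosts probed on 23/2323
    irc_targets = defaultdict(set)      # device -> external hosts contacted on IRC ports
    syn_times = defaultdict(list)       # device -> timestamps of outbound SYNs
    exposed = set()                     # devices whose telnet answered an internet client
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        outbound = is_lan(p["src"]) and not is_lan(p["dst"])
        if p["flags"] == "S" and outbound:
            syn_times[p["src"]].append(p["t"])
            if p["dport"] in TELNET_PORTS:
                telnet_targets[p["src"]].add(p["dst"])
            elif p["dport"] in IRC_PORTS:
                irc_targets[p["src"]].add(p["dst"])
        elif p["flags"] == "S." and outbound and p["sport"] in TELNET_PORTS:
            exposed.add(p["src"])        # SYN-ACK from our device's port 23 to the internet

    findings = defaultdict(list)
    for dev, hosts in telnet_targets.items():
        if len(hosts) >= scan_threshold:
            findings[dev].append(f"telnet scanning: {len(hosts)} external hosts on ports 23/2323")
    for dev, hosts in irc_targets.items():
        findings[dev].append("IRC-style C2 connection to " + ", ".join(sorted(hosts)))
    for dev in sorted(exposed):
        findings[dev].append("telnet service answering connections from the internet")
    for dev, ts in syn_times.items():
        rate = len(ts) / max(max(ts) - min(ts), 1.0)
        if rate > rate_threshold:
            findings[dev].append(f"{rate:.1f} new outbound connections/s")
    return dict(findings)


def sample_capture():
    """Constructed lines: a scanning bulb (.50), an IRC bot (.60), an
    internet-exposed camera (.70) and a normal laptop (.20)."""
    lines = []
    for i in range(30):   # .50 probes 30 hosts on 23/2323 within three seconds
        port = 23 if i % 2 == 0 else 2323
        lines.append(f"12:00:{i / 10:06.3f} IP 192.168.1.50.{40000 + i} > 198.51.100.{i + 1}.{port}: "
                     "Flags [S], seq 1, win 5840, length 0")
    lines += [
        "12:00:05.000000 IP 192.168.1.60.51000 > 203.0.113.7.6667: Flags [S], seq 1, win 5840, length 0",
        "12:00:05.100000 IP 203.0.113.7.6667 > 192.168.1.60.51000: Flags [S.], seq 1, ack 2, win 5840, length 0",
        "12:00:06.000000 IP 203.0.113.9.33333 > 192.168.1.70.23: Flags [S], seq 1, win 5840, length 0",
        "12:00:06.050000 IP 192.168.1.70.23 > 203.0.113.9.33333: Flags [S.], seq 1, ack 2, win 5840, length 0",
        "12:00:07.000000 IP 192.168.1.20.52000 > 203.0.113.50.443: Flags [S], seq 1, win 65535, length 0",
        "12:00:07.200000 IP 203.0.113.50.443 > 192.168.1.20.52000: Flags [S.], seq 1, ack 2, win 65535, length 0",
    ]
    return lines


if __name__ == "__main__":
    for dev, notes in sorted(analyze(sample_capture()).items()):
        print(dev)
        for n in notes:
            print("  -", n)
```

To use it on a real capture, pipe the router's tcpdump output into `analyze()` line by line; the thresholds are deliberately low so that a bulb probing a handful of strangers on port 23 stands out, which is the point of the comment's "turn everything else off first" step.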

> For non-technical users, ... routers ... packets ... UPnP ... SSH ... tcpdump ... wireshark ... protocol ... telnet ... IRC ... plain text commands ...

I think you unintentionally helped to cement GP's point. There is a huge opportunity for some kind of little box - vetted/certified or even insured - that non-technical users can plug in, click Next > Next > Finish, and be notified when any device on their home network starts acting suspicious.

Precisely. Users need something as simple as Malwarebytes where they just need to click the big 'Scan' button and after a few minutes it will say "Your living room ceiling fan is running a potentially unwanted program (bitcoinminer), your freezer is infected with a virus, your garage door opener is participating in a botnet, and your fitbit has a rootkit. Click here to quarantine and disinfect everything. Click here to repeat this scan daily and notify you if anything new shows up."

End users would expect that such a thing should be simple. But of course it's not (would need to work with any device running any OS with any interface). First we would need some sort of standard protocol for it. But a standard protocol that lets an external agent determine what software is running on any device could potentially be dangerous...

Well, you wouldn't necessarily need to determine what software is running on any device to quarantine it. However, what would be helpful would be some kind of central registry of botnet traffic signatures so that the scanner could use something more than just traffic volume.

This is not an easy problem.

You need a lot of data and a lot of current regularly updated information about websites being attacked or current known CnC servers. Also, there is a privacy aspect, so you can't send a lot of the data or even hashes of things to the cloud.

Such solutions might be more appropriate for workplaces in large companies and they already have things like SRX firewalls that have DDoS features.

How about a simple list of devices and a way to limit bandwidth per device, with sensible defaults (very few IOT devices will need more than 100k/s, the main exception is video cameras). It can allow "burst" bandwidth but limit, say, the total used per six hours.

Disclaimer: this is off the top of my head, there may be reasons it would fail.

I'm so tired of this. We live in a highly technical world and people should learn the basics. One of the reasons we are having this situation is because people don't understand their things.

WireShark is the first thing that jumps to mind, although I'm not sure if easy for non-technical users is the way I'd describe it.

https://www.wireshark.org/

To be part of Mirai network, your device needs to have telnet access open to the world AND use default factory credentials (which in turn must be along the lines of "admin admin" or "root root").

I might be wrong, but in the case of Mirai I'm fairly sure you're safe if all your devices are behind NAT.

Doesn't Mirai use UPnP IGD to work around NATs/firewalls? I imagine a lot of people have that activated on their router to play video games and whatnot.

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things...

Edit: I guess it's more accurate to say that a lot of poorly designed devices use UPnP IGD to work around NATs/firewalls and Mirai takes advantage of this to infect them.

If the posted source is legit, then no.
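Whatever Mirai itself does with UPnP, the check a practitioner would want for the "visit the UPnP settings on the router" step and for the IGD discussion above is a list of the mappings the router currently holds, with any that forward an internet port to a login service on a LAN device flagged, since that is exactly the "telnet open to the world" condition described earlier. The following is an added example, not code from the thread. The SOAP action and field names are the standard WANIPConnection:1 ones; CONTROL_URL is an assumed placeholder you must replace with your router's real control URL (taken from its device description XML, normally found via SSDP), and the sample responses are constructed. Only `fetch_mappings` touches the network; `parse_mapping` and `audit` run offline.

```python
"""List a home router's UPnP IGD port mappings and flag exposed management ports.

Added example, not code from the thread. Uses the standard WANIPConnection:1
GetGenericPortMappingEntry action; CONTROL_URL is an assumption you must
replace with your router's real control URL. Sample responses are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"   # assumed, router-specific
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient",
          "NewEnabled", "NewPortMappingDescription")
# Internal ports where an internet-facing mapping hands strangers a login prompt.
RISKY_PORTS = {23: "telnet", 2323: "telnet", 22: "ssh", 80: "http admin",
               8080: "http admin", 554: "rtsp"}


def soap_request(index):
    """SOAP body asking for the mapping at table position `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )


def parse_mapping(xml_text):
    """Turn one GetGenericPortMappingEntryResponse into a dict, or None if absent."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]          # strip any namespace prefix
        if tag in FIELDS:
            values[tag] = (el.text or "").strip()
    if "NewInternalClient" not in values:
        return None
    return {
        "external_port": int(values.get("NewExternalPort") or 0),
        "protocol": values.get("NewProtocol", ""),
        "internal_client": values["NewInternalClient"],
        "internal_port": int(values.get("NewInternalPort") or 0),
        "enabled": values.get("NewEnabled", "1") == "1",
        "description": values.get("NewPortMappingDescription", ""),
    }


def fetch_mappings(control_url=CONTROL_URL):
    """Walk the mapping table by index until the router errors (UPnP error 713 = end)."""
    mappings, index = [], 0
    while True:
        req = urllib.request.Request(
            control_url, data=soap_request(index).encode(), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mapping = parse_mapping(resp.read().decode())
        except urllib.error.HTTPError:
            break
        if mapping is None:
            break
        mappings.append(mapping)
        index += 1
    return mappings


def audit(mappings):
    """Warnings for enabled mappings that expose a management service."""
    warnings = []
    for m in mappings:
        service = RISKY_PORTS.get(m["internal_port"])
        if m["enabled"] and service:
            warnings.append(
                f"{m['internal_client']}:{m['internal_port']} ({service}) is reachable from the "
                f"internet via {m['protocol']} port {m['external_port']} "
                f"[{m['description'] or 'no description'}]")
    return warnings


def sample_response(ext_port, proto, int_port, client, desc, enabled="1"):
    """Constructed GetGenericPortMappingEntryResponse, in the shape routers return."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


if __name__ == "__main__":
    # Offline demo on constructed responses; call fetch_mappings() against a real router instead.
    demo = [parse_mapping(sample_response(23, "TCP", 23, "192.168.1.70", "IPCam")),
            parse_mapping(sample_response(3074, "UDP", 3074, "192.168.1.30", "GameConsole"))]
    for w in audit(demo) or ["no exposed management ports"]:
        print(w)
```

A mapping that shows up here was opened either by hand or by a device asking the router for it; if the device is the one that asked, turning UPnP off on the router (as the comment above suggests) removes it, but the device will keep asking, so it also belongs on the "think about retiring" list.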