The Internet of Insecure Things

[lonewolf]

In this day and age of botnets taking over random IoIT, having a single default user/pass for everything is beyond stupid. At the absolute minimum the password should be the last 4 digits of the MAC or something, though a true random per-device password would be best.

I just did a Shodan search. It gave me a list of 962 Envisalinks. Of the few I spot checked, 100% of them were using the default user/user login, and 100% of them also had the 4025 TPI port open. This, is a problem.

[GrandWizard]

No, the problem is that you should NEVER EVER EVER expose an internal piece of networking equipment, like your security system, to the public Internet.

Everyone of those people have willfully chosen to expose their security system to the open Internet. On purpose!. We warn them over and over again but it still happens.

These rules should be self-evident in this increasingly hostile world but here they are:

1) Never open up ANY ports on your router to port-forward to your security system or any other sensitve appliance for that matter.

2) Never use the TPI (port 4025) outside of your LAN, and do not use any third-party application that requires your to "port-forward" 4025 as you are asking for security troubles.

All Eyezon comunications are 100% encrypted and are completely safe to use. Our Mobile Portal is as well 100% encrypted and safe to use publicly.

M

[lonewolf]

That attitude was fine 10 years ago, but nowadays it is completely unacceptable. You will be singing a different tune when it is your server/network which is down because of a massive DDoS attack. The Oct 21st attack which brought down Dyn was caused by IoIT devices with default passwords. Users have proven time and time again they're idiots and cannot be trusted to practice safe hex. Non-unique default passwords are completely unacceptable.

[GrandWizard]

"Safe Hex" Love it!

Anyhow, the default passwords and usernames are the same as every other company in the industry. My Cisco router's default username is "admin" and the password is "admin", and that is Cisco. Are you going to say that Cisco's security lacks somehow?

The Envisalink module cannot be hacked by an outside individual as the OS is unknown and the protocols that are used are proprietary. I know you might say that this is "security by obscurity" but man it works.

However, I share your fear about the IoT security meltdown. I am quite knowledgable about cyphers and encryption (my colleague and I contributed to the Blowfish technical trials back in the 90's) and I have seen horrendous IoT products that can be hacked within the hour. Manufacturers will eventually be forced into providing real IP security, it is just a matter of when.

Thank-you lonewolf for the comments and I hope you enjoy your Envisalink. PM me if you want to discuss offline.

M

[Crikey]

That attitude was fine 10 years ago, but nowadays it is completely unacceptable.

Speaking as an IT professional with better than 25 years experience in the field: I disagree.

Put quite simply: Anybody who exposes their private LAN to the Internet such that IoT devices are readily-accessible by connections initiated from the Internet deserves to get 0wn3d. Yes: They're still the victim, but, I have no more sympathy for them than I would for somebody who got their car stolen by leaving it running, unlocked, while they quickly ran into a store.

Furthermore: If a company wants to see its CSRs inundated with customer calls, I good way to achieve that would be to implement a default password scheme that forced customers to "figure out" what is the default password of their shiny new IoT thing.

Jim

[mikep]

I absolutely agree. I publish a free android app on google play "DscKeypad" that is intended for use as an extra INTERNAL DSC Keypad on your phone or tablet. I also publish a paid android app on google play "DscServer". This app runs as a server/hub/monitor inside your network on an old android phone or tablet, and enables you to connect from outside your network securely as it uses encryption.

I've had many discussions with users who want to use the free DscKeypad when away from home by forwarding port 4025 rather than setting up the DscServer (I'm often not successful!). The warnings here are not overly pessimistic - all of our home modems/routers are flooded with automated attacks every day. Set up a monitor on the SSH port (22) to see for yourself... If you're not going to set up an encrypted service of your own you MUST use eyezon for remote access! And no, the password and panel PIN is not enough - they're sent over port 80 (the http page) or port 4025 in the clear. It's trivial to snoop to steal them, especially if you ever use them from a free, unencrypted wifi network...

[lonewolf]

That attitude was fine 10 years ago, but nowadays it is completely unacceptable.

Speaking as an IT professional with better than 25 years experience in the field: I disagree.

Put quite simply: Anybody who exposes their private LAN to the Internet such that IoT devices are readily-accessible by connections initiated from the Internet deserves to get 0wn3d. Yes: They're still the victim, but, I have no more sympathy for them than I would for somebody who got their car stolen by leaving it running, unlocked, while they quickly ran into a store.

Furthermore: If a company wants to see its CSRs inundated with customer calls, I good way to achieve that would be to implement a default password scheme that forced customers to "figure out" what is the default password of their shiny new IoT thing.

Again, that attitude was fine 10 years ago but nowadays is completely unacceptable. To use this latest attack as an example, are you saying it was Dyn's fault that a bunch of random users put unsecured devices on the internet without changing the passwords? The problem with your thinking is the user with an unsecured device is not the victim - someone else's network/servers are. The at-fault user never notices anything's wrong!

As for the password, if at&t, Comcast, Verizon, TWC, etc etc can all manage it then anyone can. All it takes is a sticker on the side of the device listing the default username and (unique to that device) password. WiFi routers have been doing it for years.

[GrandWizard]

As for the password, if at&t, Comcast, Verizon, TWC, etc etc can all manage it then anyone can. All it takes is a sticker on the side of the device listing the default username and (unique to that device) password. WiFi routers have been doing it for years.

This is not true, Comast routers/gateways (and others) have a default username of "admin" and the default password is "password". This is the same for every residential router I've ever come across.

What you are referring to is the SSID and WiFi password that are pre-loaded into the device. The reason you have to do this is because WiFi is by its nature a publicly accessable service. This is not the same as for the router's LAN interface nor the Envisalink.

[Crikey]

Again, that attitude was fine 10 years ago but nowadays is completely unacceptable.

In your opinon. I disagree.

To use this latest attack as an example, are you saying it was Dyn's fault that a bunch of random users put unsecured devices on the internet without changing the passwords?

No, I'm saying it's the fault of the end-users who put unsecured devices on the Internet.

When I bought our home, the very first thing I did was contact a local, reputable locksmith and have all the locks re-keyed. If I had not done that, and somebody'd subsequently burgled the home, would that have been the seller's fault, for failing to re-key all the locks for me?

The problem with your thinking is the user with an unsecured device is not the victim - someone else's network/servers are. The at-fault user never notices anything's wrong!

Then maybe the end-users who cluelessly do such things should be made to pay?

I believe you'll find that if somebody steals my car and subsequently causes mayhem with it: If I'd left the keys in it I would be found to have contributory guilt, whereas if I'd secured it properly I would not.

All it takes is a sticker on the side of the device listing the default username and (unique to that device) password. WiFi routers have been doing it for years.

Really? LIke I wrote: Have been doing IT for about a quarter century. Install new network-enabled devices all the time. I've never seen this, yet.

[lonewolf]

...

Looks like I was mistaken about the cableco devices. I coulda swore they recently moved to device-specific passwords.