What are Attackers after on IoT Devices? (arxiv.org)
81 points by lavios on Dec 23, 2021 | 27 comments


Installing a proxy, and then selling a “residential” proxy service can be quite lucrative. Residential IPs are generally treated with less suspicion in the risk systems of payment processors and merchants. Similar to the monetization models of “free” VPN providers on mobile phones.


Streaming services also don't block them compared to known vpns and IP blocks at data centers


That's not strictly true

Wave Broadband up on the US west coast for many years has been the victim of offering gigabit fiber optic internet services.

Many of its clients of that service come from a country with a particularly "great firewall" one might say

Netflix's systems will often see these rafts of connections with weird non-matching timezones to the IP address, Chinese default language and other errant data and...simply declare the entire ISP a VPN/Proxy provider!

For a company with 500K+ customers in 3 states, this kind of disruption is absolutely brutal on their support lines, yet seems to happen almost every other month


Just a few thoughts on this. IoT is a very wide category of devices. The results will vary widely depending which sub-category a particular IoT attacker finds themselves with access to. As a generalization, attackers may be grouped into two categories, professional and amateur. A professional would be looking to monetize access whereas an amateur is seeking access for other reasons (voyeurism, technical challenge, etc). Of course, the categories can be made more or less granular - this is just to highlight that when discussing results, it is helpful to consider attacker motivations. Take the case of an IoT camera, for example. From an attacker perspective, an IoT camera offers two points of interest: broader access to the local network (ie: as a jumpbox), use as a bot in a botnet (which is directly monetizable), and voyeuristic access (that may be further leveraged for monetization). However, a consumer broadband router is a better suited target for both local access and botnet use due to both its position at the network gateway and its typically higher processing resources. But IoT is not limited to consumer devices - industrial control systems (automation, HVAC, etc), telecom (ie: cell towers), civic services (traffic lights, water treatment), payment processing (ATMs, PoS, etc), heavy equipment (mining, farming), etc, etc, all fall into the category of connected "things". The attack surface on any particular device will vary widely in each of these and the risks depend largely on the attacker motivations - an amateur who finds themselves with coincidental access to an electrical sub-station would arguably pose less risk than a nation-state attacker with targeted access.


Often they want to use them as a massive botnet for DDoS attacks.


That and because they're low-hanging fruit since most of them are built on small budgets, often with outdated kernels and packages, that will never see any SW updates after sale, making exploiting them accessible to any script kiddie with a copy of Kali.


If IoT devices means an old Linux distro running in the wild, that's an always-go for a distributed network of devices ready to act.


In general, attackers can do anything. For example, they can find all the information about you through the Internet and take out what they need while you are not at home. In general, it's very sad. And I believe that this should not be. My husband and I talked and decided that we need to put an alarm system at home. And moreover, we decided to install Ajax because I read a lot of different articles and reviews and only good things were said about this company. I know that there is an application through which you can track everything and it is very convenient.


I was surprised to see Ireland pop up as one of the places with a significant number of connections to one of the honeypots. I’m not a security researcher, but hadn’t heard of Ireland as being a place with a lot of that sort of activity. Is this a well-known thing?


How are people performing intrusion detection on home IoT devices?


I currently rely pretty much exclusively on my Unifi gateway’s not-great IPS/IDS system, which allegedly receives updated threat intelligence feeds periodically. Outside of actual intrusion detection, I prevent my IoT devices (which are located in their own VLAN) from contacting the internet wherever possible, and entirely block any inter-VLAN traffic other than responses to connections initiated from devices residing on a “trusted clients network”, which hosts my phone, laptop etc.
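The inter-VLAN policy described in that comment (IoT hosts may only answer connections the trusted network opened, and may only reach the internet where explicitly allowed) is easy to get subtly wrong, so here is a small stateful model of it. This is an added example, not the commenter's configuration or anything from UniFi; the VLAN addresses, the allowlisted cloud host and the packets are all constructed for illustration.

```python
"""Stateful model of a two-VLAN home firewall policy (constructed example).

Zones:  trusted (phones, laptops), iot (cameras, plugs), wan (everything else).
Rules:  trusted -> anything: accept and remember the flow
        iot -> trusted:      accept only if it is a reply to a remembered flow
        iot -> wan:          accept only destinations on that device's allowlist
        wan -> anything:     accept only replies to remembered flows
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing, not from the thread.
TRUSTED = ip_network("10.0.10.0/24")
IOT = ip_network("10.0.20.0/24")
# Per-device egress allowlist (constructed TEST-NET addresses).
EGRESS_ALLOW = {"10.0.20.5": {"203.0.113.10"}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class Firewall:
    def __init__(self):
        # Flows that were accepted as NEW, keyed by their forward 5-tuple.
        self.conntrack = set()

    @staticmethod
    def zone(ip):
        addr = ip_address(ip)
        if addr in TRUSTED:
            return "trusted"
        if addr in IOT:
            return "iot"
        return "wan"

    def is_reply(self, p):
        # A reply has the remembered tuple with source and destination swapped.
        return (p.dst, p.src, p.dport, p.sport, p.proto) in self.conntrack

    def decide(self, p):
        if self.is_reply(p):
            return "ACCEPT"  # ct state established/related
        src, dst = self.zone(p.src), self.zone(p.dst)
        if src == "trusted":
            verdict = "ACCEPT"
        elif src == "iot" and dst == "wan":
            verdict = "ACCEPT" if p.dst in EGRESS_ALLOW.get(p.src, set()) else "DROP"
        else:
            # iot -> trusted, iot -> iot, and unsolicited wan -> anything
            verdict = "DROP"
        if verdict == "ACCEPT":
            self.conntrack.add((p.src, p.dst, p.sport, p.dport, p.proto))
        return verdict


def run_scenario():
    """Feed a constructed packet sequence through the policy; return verdicts."""
    fw = Firewall()
    packets = [
        Packet("10.0.10.7", "10.0.20.5", 50000, 554),    # laptop opens RTSP to camera
        Packet("10.0.20.5", "10.0.10.7", 554, 50000),    # camera's reply
        Packet("10.0.20.5", "10.0.10.7", 40000, 22),     # camera tries SSH to laptop
        Packet("10.0.20.5", "203.0.113.10", 40001, 443), # camera to allowlisted cloud
        Packet("10.0.20.5", "198.51.100.9", 40002, 443), # camera to arbitrary host
        Packet("198.51.100.9", "443", 443, 40002) if False else
        Packet("198.51.100.9", "10.0.20.5", 443, 40002), # unsolicited inbound
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third packet is the one that matters most: a compromised camera probing the trusted VLAN is dropped even though the laptop talked to the camera a moment earlier, because only the reply direction of that specific flow is remembered. On a homebuilt router the same shape maps onto a `ct state established,related accept` rule followed by per-zone rules.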


> their own VLAN) from contacting the internet wherever possible, and entirely block any inter-VLAN traffic other than responses to connections initiated from devices residing on a “trusted clients network”, which hosts my phone, laptop etc.

I am interested in this kind of setup but lack relevant experience. Is this stuff you set up in the stock Unifi admin pages?


Rest assured it is not that difficult :). Correct, I've configured several firewall rules on the UniFi web UI, since I have a UniFi router/firewall (in my case a USG). If you'd like some help, feel free to reach out to me on keybase! I'm andrewnicolalde on there.


Many sort-of-recent home network equipment supports this stuff or equivalent (i.e., multiple networks) just as a configuration from the admin UI. You don't really need relevant experience to set this up, just very basic networking knowledge and the will to occasionally shake your head at the web-based-admin-user-experience of the box.


If you’re running your custom homebuilt router, you can use IDS systems like snort[0] or suricata[1]

It's pretty fun to set up! You can take any old desktop/laptop at your home and make it into your own custom router by running a Linux or BSD instance on it.

If you go this route, I would recommend Suricata IDS as you can set up a more complex and sophisticated system easily, compared to Snort.

[0](https://www.snort.org/)

[1](https://suricata.io/)
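Whichever of the two you run, the useful part for a home IoT VLAN is triaging what the IDS emits. Suricata's EVE output is one JSON object per line, with alerts carrying an `alert` object (signature, signature_id, severity, where 1 is the highest priority). The script below is an added example, not part of the thread or of either project: it reads constructed EVE-style lines, keeps only alerts whose source is in an assumed IoT subnet, and ranks the hosts so you can see which device to pull off the network first.

```python
"""Triage Suricata EVE JSON alerts for an IoT VLAN (constructed example).

Assumes the IoT VLAN lives in 10.0.20.0/24 (not from the thread). The
sample lines below imitate EVE's shape but are invented, including the
signature ids (local rules conventionally use SIDs >= 1000000).
"""
import json
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.0.20.0/24")  # assumed IoT VLAN addressing

SAMPLE_EVE = """\
{"timestamp":"2021-12-23T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.20.5","dest_ip":"198.51.100.9","dest_port":23,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Outbound telnet from IoT VLAN","severity":2}}
{"timestamp":"2021-12-23T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.20.5","dest_ip":"203.0.113.10"}
{"timestamp":"2021-12-23T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.20.5","dest_ip":"10.0.10.7","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED IoT host probing trusted VLAN","severity":1}}
{"timestamp":"2021-12-23T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.10.7","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":9000003,"signature":"CONSTRUCTED Policy: laptop to cloud","severity":3}}
{"timestamp":"2021-12-23T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.20.9","dest_ip":"198.51.100.9","dest_port":23,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Outbound telnet from IoT VLAN","severity":2}}
{"timestamp":"2021-12-23T10:00:06.000000+0000","event_type":"al
"""


def parse_eve(text):
    """Yield alert events from EVE JSON lines, skipping garbage or cut-off lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line (e.g. mid-rotation) or non-JSON noise
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def summarize_iot_alerts(text):
    """Per IoT source host: alert count, most severe priority seen, signatures."""
    per_host = {}
    for event in parse_eve(text):
        src = event.get("src_ip", "")
        try:
            if ip_address(src) not in IOT_NET:
                continue  # alerts from trusted hosts are handled elsewhere
        except ValueError:
            continue
        entry = per_host.setdefault(
            src, {"alerts": 0, "top_severity": 4, "signatures": set()}
        )
        entry["alerts"] += 1
        # Suricata priority: 1 is most severe, so keep the minimum.
        entry["top_severity"] = min(entry["top_severity"], event["alert"].get("severity", 4))
        entry["signatures"].add(event["alert"].get("signature", "?"))
    return per_host


def hosts_to_isolate(summary, threshold=1):
    """Hosts whose most severe alert is at or above the given priority."""
    return sorted(h for h, e in summary.items() if e["top_severity"] <= threshold)


if __name__ == "__main__":
    summary = summarize_iot_alerts(SAMPLE_EVE)
    for host, entry in sorted(summary.items()):
        print(host, entry["alerts"], entry["top_severity"], sorted(entry["signatures"]))
    print("isolate:", hosts_to_isolate(summary))
```

Pointing it at a live `eve.json` is a matter of replacing the constant with a file read; the parser already tolerates the partial last line you get when reading a file the IDS is still writing. The same script works unchanged for the extra-hop Raspberry Pi setup suggested further down, since the sensor's output format does not depend on where it sits.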


Thanks this is a great idea.

One compromise would be to add an extra hop (like a Raspberry Pi) to the IoT VLAN, and install Snort there. That way I could retain my primary router (currently Ubnt ERX).

Great tip!


Are you running stock firmware on the ERX and are you happy with it? Looking into potentially setting one up as well, any resources you could recommend for making best use of one?


Yep, I use the stock/latest 2.x firmware. It includes a wizard to set up the LANs, NAT and firewall.

I recommend the 2 VLAN setup and disabling switch0 for the best performance.

It's a step up from consumer routers, with a more powerful firewall, QoS, and configuration.

Ubiquiti's docs are great

https://help.ui.com/hc/en-us/articles/115002531728-EdgeRoute...


Thanks for this! What came out of that major breach they had earlier this year? Since I wasn't part of their ecosystem I never followed up.


Yush, that works great too :D,

Happy tinkering ^^ and Merry Christmas


I don't know if current IoT devices have the resources to mine cryptocurrencies, but it's been tried. Eventually someone will pull it off.


Many consumer IoT devices are just small microcontrollers that don't run Linux. Usually just a small embedded application in an RTOS, without much security at all.

For powerful application processors like your TV, smartphone, router...there's plenty of rich data to exfiltrate and resources to abuse.

For a microcontroller, you're either interested in controlling it remotely or stealing some secret from it e.g. WLAN password or a cloud access credential. Anything else is quite hard and has diminishing returns. However, in great numbers they can provide a significant DDoS capability.


When power is paid for by somebody else and you benefit from the hash power, regardless of how low it is in one unit, once you have millions of units you can create your own bitcoin pool and strike gold. I bet mining is way more profitable than DDoS.


"Usually just a small embedded application in an RTOS, without much security at all."

In security, that's probably a strength, not a weakness, if done right. There are fewer lines of code that might contain vulnerabilities. There is no random side service, JS library or OS vulnerability to attack, there might be nothing listening for incoming connections, etc.


Probably way better to sell as botnet. Doubt mining on iot is useful. Even on a rasp4 it’s pretty pointless


IP addresses.


Access, data, what have you.

IoT/Edge devices are also the "perfect tools" for phishing somebody for more valuable information than mere biometric/similar data.



