Yesterday was a stellar day for many, complete wipeout of Internet access to 
much of the East Coast and other areas around the globe.

I first noticed it when trying to make a purchase with PayPal…my payment was 
not allowed, try later.

I tried later…not allowed..

I checked my account to see if I had been wiped out, nope.

Later I discovered what had happened and how vulnerable we are to attack.

Below is an article that explains what happened, for those not wanting to read 
here is the Reader’s Digest version.

A “bot” attack on DYN, an internet company that provides DNS (Domain Name 
Service) was hit with MILLIONS of requests at the same time, this took down 
their system, a few hours later a second attack, later a third.

Here is how the bad guys did it…

Internet Of Things (IoT) had been used as Bots (Robots) to send the request to 
DYN…

This means the baby monitor, thermostat, smoke detector, microwave, DVR, 
cameras, door locks, lighting, and on it goes are devices connected to the 
internet WITHOUT security so they can be accessed by the bad guy, get into our 
network and do their dastardly deeds…

They could steal your data, learn your passwords, bank account numbers, credit 
card numbers, turn on your cameras and watch you…(would that ever be boring 
around here)…in this case they used these devices to send massive requests for 
service to Dyn all at once.

That’s it, but doesn’t that bring up questions for us?  Think of what all these 
conveniences can do for us, just this week I came home to find the garage door 
open…if I had the proper setup I would have been notified and could have closed 
it from anywhere…when we travel I leave the outside lights on, but if the 
electric goes out the lights won’t automatically come back on because of the 
type switches operating them, I could turn them on from a remote location….on 
and on it goes.

I had several Lifx lights in my office, the color changes were amazing, but I 
learned of their vulnerability to being hacked so I took them out.

I have been waiting for Apple to complete its HomeKit and will ONLY purchase 
products that work with the HomeKit as its base…

Why?

If you are interested in automating your home you owe it to yourself to read 
the article below, Apple once again is putting automation BEHIND the security 
Apple offers its consumer…If we are going to automate, you REALLY should look 
to installing products that work with your FREE HomeKit App…it’s the safest we 
can get.

Have a great weekend!

John




Mirai-based DDoS attack highlights benefits of Apple's secure HomeKit platform
By Mikey Campbell

Friday, October 21, 2016, 10:25 pm PT (01:25 am ET)

A distributed denial of service (DDoS) attack that on Friday severely impacted 
internet access for many U.S. web denizens was found to be in part enabled by a 
botnet targeting unprotected "Internet of Things" devices. For Apple, the 
revelation vindicates a controversial walled garden approach to IoT borne out 
through the HomeKit protocol.







As detailed yesterday, unknown hackers set their sights 
<http://appleinsider.com/articles/16/10/21/us-internet-users-suffering-under-ddos-attacks-on-key-dns-provider>
 on Dyn, an internet management company that provides DNS services to many 
major web entities. 

A series of repeated attacks caused websites including The Verge, Imgur and 
Reddit, as well as services like HBO Now, and PayPal, to see slowdowns and 
extended downtimes. Follow-up waves played havoc with The New York Times, CNN, 
Netflix, Twitter and the PlayStation Network, among many others. 

Though Dyn was initially unable to nail down a source, subsequent information 
published by security research firm Flashpoint revealed the targeted attacks 
involved a strain 
<https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/>
 of the Mirai malware, reports Brian Krebs. Krebs has firsthand experience with 
Mirai, as the malware was deployed in a DDoS attack that brought down his 
website, KrebsOnSecurity, in September.

Mirai searches the web for IoT devices set up with default admin username and 
password combinations, Krebs says. Once discovered, the malware infiltrates and 
uses poorly protected hardware to facilitate a DDoS attack on an online entity, 
in this case Dyn.

Poor security practices are nothing new. Uninitiated or lazy end users have for 
decades left factory default settings untouched on routers, networked printers 
and other potential intrusion vectors. But this is different. 

According to Krebs, DVRs and IP cameras made by Chinese company XiongMai 
Technologies, as well as other connected gadgets currently flooding the market, 
contain a grievous security vulnerability and are in large part responsible for 
hosting the botnet. As he explains, a portion of these devices can be reached 
via Telnet and SSH even after a user changes the default username and password. 

"The issue with these particular devices is that a user cannot feasibly change 
this password," said Zach Wikholm, research developer at Flashpoint. "The 
password is hardcoded into the firmware, and the tools necessary to disable it 
are not present. Even worse, the web interface is not aware that these 
credentials even exist."

To prevent another Mirai attack, or a similar assault harnessing IoT hardware, 
offending devices might require a recall, Krebs says. Short of that, 
unplugging an affected product is an effective stopgap.

By contrast, Apple's HomeKit features built-in end-to-end encryption, protected 
wireless chip 
<http://appleinsider.com/articles/14/11/03/first-wireless-chips-with-apple-homekit-support-now-shipping-to-device-manufacturers>
 standards, remote access obfuscation and other security measures designed to 
thwart hacks. Needless to say, it would be relatively difficult to turn a 
HomeKit MFi device into a DDoS zombie. 

Announced in 2014 alongside iOS 8, HomeKit debuted as a secure framework 
<http://appleinsider.com/articles/14/06/02/apple-introduces-homekit-framework-for-connected-homes>
 onto which manufacturers of smart home products can lattice accessory 
communications. Specifically, the system uses iOS and iCloud infrastructure to 
securely synchronize data between host devices and accessories. 

Apple details HomeKit protections in a security document posted to its website 
(PDF link <http://www.apple.com/business/docs/iOS_Security_Guide.pdf>), noting 
the system's reliance on public-private key pairs. 

First, key pairs are generated on an iOS device and assigned to each HomeKit 
user. The unique HomeKit identity is stored in Keychain and synchronized to 
other devices via iCloud Keychain. Compatible accessories generate their own 
key pair for communicating with linked iOS devices. Importantly, accessories 
will generate new key pairs when restored to factory settings. 






Apple uses the Secure Remote Password (3,072-bit) protocol to establish a 
connection between an iOS device and a HomeKit accessory via Wi-Fi or 
Bluetooth. Upon first use, keys are exchanged through a procedure that involves 
entering an 8-digit code provided by the manufacturer into a host iPhone or 
iPad. Finally, exchanged data is encrypted while the system verifies the 
accessory's MFi certification. 

When an iPhone communicates with a HomeKit accessory, the two devices 
authenticate each other using the exchanged keys, Station-to-Station protocol 
and per-session encryption. Further, Apple painstakingly designed a remote 
control feature called iCloud Remote that allows users to access their 
accessories when not at home. 

Accessories that support iCloud remote access are provisioned during the 
accessory's setup process. The provisioning process begins with the user 
signing in to iCloud. Next, the iOS device asks the accessory to sign a 
challenge using the Apple Authentication Coprocessor that is built into all 
Built for HomeKit accessories. The accessory also generates prime256v1 elliptic 
curve keys, and the public key is sent to the iOS device along with the signed 
challenge and the X.509 certificate of the authentication coprocessor.

Apple's coprocessor is key to HomeKit's high level of security, though the 
implementation is thought to have delayed the launch of third-party products by 
months. The security benefits were arguably worth the wait.

In addition to the above, Apple also integrates privacy safeguards that ensure 
only verified users have access to accessory settings, as well as privacy 
measures that protect against transmission of user-identifying or 
home-identifying data. 

At its core, HomeKit is a well-planned and well-executed IoT communications 
backbone. The accessories only work with properly provisioned devices, are 
difficult to infiltrate, seamlessly integrate with iPhone and, with iOS 10 and 
the fourth-generation Apple TV (which acts as a hub), feature rich 
notifications and controls accessible via Apple's dedicated Home app. And they 
can't indiscriminately broadcast junk data to the web.

The benefits of HomeKit come at cost to manufacturers, mainly in incorporating 
Apple's coprocessor, but the price is undoubtedly less dear than recalling an 
unfixable finished product.
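
The pairing step the article describes (Secure Remote Password plus an 8-digit setup code) can be illustrated with a simplified SRP-6a exchange. This is an added example, not code from the article or from Apple; the modulus, generator, hash layout, function names and the setup code are assumptions chosen for readability. It shows that the accessory stores only a verifier, the code never crosses the wire, and a wrong code produces mismatched session keys.

```python
import hashlib
import secrets

# Demonstration parameters (assumptions): the Mersenne prime 2**521 - 1 keeps the
# numbers small enough to read. It is NOT the 3,072-bit group the article
# mentions and must not be used in a real deployment.
N = 2**521 - 1
g = 3

def H(*parts) -> int:
    """Hash integers and byte strings together into one integer (SHA-512)."""
    h = hashlib.sha512()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((N.bit_length() + 7) // 8, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def make_verifier(setup_code: str):
    """Accessory side: keep a salt and verifier, never the setup code itself."""
    salt = secrets.token_bytes(16)
    x = H(salt, setup_code.encode())
    return salt, pow(g, x, N)

def pair(typed_code: str, salt: bytes, v: int):
    """Simulate one exchange; returns (controller_key, accessory_key)."""
    a = secrets.randbelow(N - 2) + 1           # controller ephemeral secret
    b = secrets.randbelow(N - 2) + 1           # accessory ephemeral secret
    A = pow(g, a, N)                           # sent controller -> accessory
    B = (k * v + pow(g, b, N)) % N             # sent accessory -> controller
    if A % N == 0 or B % N == 0:               # SRP requires rejecting these
        raise ValueError("invalid public value")
    u = H(A, B)
    x = H(salt, typed_code.encode())           # derived from what the user typed
    s_ctrl = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_acc = pow((A * pow(v, u, N)) % N, b, N)  # uses only the stored verifier
    return H(s_ctrl), H(s_acc)

def keys_match(typed_code: str, real_code: str) -> bool:
    """True only when the typed code equals the code behind the verifier."""
    salt, v = make_verifier(real_code)
    ctrl_key, acc_key = pair(typed_code, salt, v)
    return secrets.compare_digest(ctrl_key.to_bytes(64, "big"),
                                  acc_key.to_bytes(64, "big"))
```
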

_______________________________________________
MacGroup mailing list
Posting address: [email protected]
Archive: <http://www.mail-archive.com/[email protected]/>
Answers to questions: <http://erdos.math.louisville.edu/macgroup/>
