You should probably check on your smart appliances
68 points by cadey
68 points by cadey
Unfortunately the really interesting questions aren't answered here, such as how to perform such a check, and what to do if that check finds hostile behavior. I would love to learn more about how to detect a compromised device communicating with its C&C node.
such as how to perform such a check
I have no idea how to enumerate possible smart TV models, much less tell you how to scan them for malware. The best I can tell you is to not install "free TV" pirate apps.
When that article about apps embedding residential proxy SDKs first came out, I was wondering why anyone would bother installing apps on their SmartTV in the first place, but your piracy hypothesis explains it all, thanks!
If they’re being used for scraping via your home IP, can’t we “just” watch for (suspicious) outgoing HTTP(S) requests? I don’t know how to do this off the top of my head, but I’m sure it’s possible.
"How to watch for suspicious outgoing requests from a device on your home network" is exactly what I'm looking for, yes.
I have an inkling of how to do this by setting up a DNS server that logs, but this breaks if the malware uses DNS-over-HTTPS.
For scrapers, would just looking at the entropy in the target IPs work fine? I.e. if they visit half the internet (connecting overwhelmingly to 80/443) it's a clear scraper. Given a sample from couple legitimate heavy browser users we can establish a threshold under which its likely just regular browsing vs. when it gets suspicious. Especially when the addresses do not repeat that much. Regular traffic has bursts to the same IPs.
I have been wanting to build exactly this for a while - a pi-hole type device which you can plug in to get alerts for suspicious traffic. To do it well you need port mirroring etc
I’m just thinking out loud, but the router should know which device is which, and it should be able to see traffic over ports 80/443 going to various IPs, and be able to roughly map those to domain (well enough to identify suspicious traffic—my toaster shouldn’t be crawling Reddit!).
This sounds like a lot more work than running your own DNS server, obviously, but I think it would handle the DoH case. No need to decrypt anything!
Edit: obviously, this is only for highlighting scrapernet activity and not something like DDoS botnets.
In case that the appliance in question runs Android, would an app like Rethinkg (DNS + Application Firewall) help or are there easy methods for malicious apps to circumvent those?
If you have control over your router, something like darkstat can help:
https://unix4lyfe.org/darkstat/
Otherwise, if you have a switch between your router and the rest of your network (and are not using your router for WiFi), you can port-mirror your router LAN port to a device for inspection. Another option is sFlow if your switches support it.
I use an OpenBSD box as my router and use pflog to log all IoT device traffic to disk.
I can't think of a way to do it without some network engineering. The obvious answer would be to analyse traffic on your router per source device on the lan. Total traffic volume might do it, or number of distinct destination ips contacted?
Idk how to do this but my local only Amcrest camera ping home over 20,000 times a day per camera, discovered from Adguard. I just blocked their internet access to solve this. No idea what they’re pinging home about.
Oh wow, script type=ignore is brilliant because it will be completely ignored by both elinks etc and by the headless Chrome these scrapers are using, so it'll be delivered back to home base to get added to the queue
I really wish that there were a better adjective than ‘smart’ to use here. Is it really smart to embed a full-fledged CPU with a real OS and network stack in, say, a lightbulb, or a washing machine? Yeah, yeah, I know the ‘intelligence’ here purports to be the intelligence of the machine, rather than its designer or purchaser, but still.
I want my lightbulb to be a piece of hot wire, and LED or a compact fluorescent tube, not that plus a computer. If I want the lights on when I enter the room, I am fine hitting the conveniently placed switch on the wall which should last longer than a human life. I want my washing machine to was clothes; I don’t need to know that it finished its job when I am outside my home because I have to be home to unload it anyway. And so on and so forth.
Worse, when those things do have computers added they are rarely really under the control of their owners. That just seems wrong. I should not have to worry that my thermostat is sending information about what rooms in the house I frequent to someone else, or that my TV is browsing my home network or the Internet at large.
what does the 'abuse' category mean here?
It's kind of a conflated category I need to split up, but it usually means "known to be a source of email spam" or "flagged by FireHOL". Control-f "abuse" in this file: https://github.com/TecharoHQ/reputationdb/blob/main/cmd/mkdatabase/sources.go
I avoid buying them now. TVs are hard to avoid, but nothing else needs a networking connection in a house.
People actually use that nonsense? O_o
Meaning Anubis? Or 'smart' appliances? If the latter, it's getting increasingly hard to avoid. A number of people here in the UK seem to have been 'tricked' into buying washing machines that need the internet to use certain programmes. The advertising for such things should be required by law to include warnings.