The Threat of Residential Proxies
20 points by fanf
Gee, I wonder who made these a viable market 🙄
Realistically the residential proxy botnet problem is the result of decades of industry-wide neglect. Hundreds of millions of IoT devices, smart TVs and networking equipment that are no longer receiving updates, often from defunct companies and startups. Some of it shipped with malware in the first place, but most of it is just neglected, nobody's responsibility and everybody's problem.
Do we have researched confirmation of that? I know there are some botnets that did make the news, but the residential proxy issue is backed by a lot of people willingly selling their bandwidth or sharing the connection for access to other residential proxies, since it works around stricter VPN checks from streaming services. IoT botnets like Mirai are mentioned a lot, but I'm not sure they are significant these days. LOIC for example was almost entirely willing users.
Is there an easy way to detect if devices on a home network are exhibiting this behaviour apart from MITM-ing them?
I don't know of any easy way to do this myself (but would certainly be interested to hear if there is one, easy or not!), but this newsletter linked to a Krebs on Security article, which linked to a tool provided by Synthient that will apparently check if your IP address (or another) appears to have been used by a residential proxy.
I don't know how accurate the tool is, but I imagine if you have a dynamic IP address then that will probably impact it.
That tool isn't accurate. I have CenturyLink fiber, by definition a "residential" IPv4 address (CenturyLink couldn't get it together to have IPv6 addresses). The Synthient tool said my current IPv4 address is a data center address.
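One answer to the "detect it without MITM-ing" question that does not depend on a third-party IP reputation lookup is to look at per-device flow records from the home router. The script below is an added example, not something from the thread or from Synthient; the record format (one outbound TCP flow per line, as a router's connection tracker or a NetFlow exporter might emit) and the two thresholds are assumptions. The heuristic is that a relay node fans out to far more distinct external hosts than a TV or camera normally would, while also holding one long-lived connection open to whatever hands it work. A laptop used for browsing also fans out, so both signals are required before a device is flagged.

```python
"""Heuristic screen for proxy-like behaviour in per-device flow records.

Added example (not from the thread). Record format and thresholds are
assumptions: "device dst_ip dst_port duration_s", one outbound flow per line.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass
class Flow:
    device: str      # LAN source address of the device
    dst_ip: str      # external destination address
    dst_port: int
    duration_s: int  # how long the connection stayed open


# Assumed thresholds; baseline them against your own network before trusting them.
MAX_DISTINCT_DST = 100   # a TV or camera rarely talks to this many hosts per day
PERSISTENT_S = 3600      # a connection held open for an hour looks like a relay link


def parse_flows(lines):
    """Parse the assumed flow-record format, skipping blanks and comments."""
    flows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        dev, dst, port, dur = line.split()
        flows.append(Flow(dev, dst, int(port), int(dur)))
    return flows


def summarize(flows):
    """Per device: distinct destinations, flow count, and long-lived flow count."""
    per = defaultdict(lambda: {"dsts": set(), "flows": 0, "persistent": 0})
    for f in flows:
        s = per[f.device]
        s["dsts"].add(f.dst_ip)
        s["flows"] += 1
        if f.duration_s >= PERSISTENT_S:
            s["persistent"] += 1
    return per


def suspicious_devices(flows):
    """Devices that both fan out widely and keep a persistent external link."""
    return [dev for dev, s in sorted(summarize(flows).items())
            if len(s["dsts"]) >= MAX_DISTINCT_DST and s["persistent"] > 0]


def constructed_log():
    """Constructed sample records (documentation address ranges only)."""
    rng = random.Random(1)
    lines = ["# device dst_ip dst_port duration_s (constructed sample)"]
    # Smart TV: a handful of CDN hosts, short flows.
    for i in range(30):
        lines.append(f"192.168.1.20 203.0.113.{i % 4 + 1} 443 {rng.randint(2, 60)}")
    # Laptop: browsing fans out to many hosts, but nothing stays open for long.
    for i in range(150):
        lines.append(f"192.168.1.30 198.51.100.{i % 120 + 1} 443 {rng.randint(1, 120)}")
    # Camera: one six-hour control link plus fan-out to hundreds of hosts.
    lines.append("192.168.1.50 203.0.113.200 8080 21600")
    for i in range(250):
        port = rng.choice([80, 443])
        lines.append(f"192.168.1.50 192.0.2.{i % 250 + 1} {port} {rng.randint(1, 30)}")
    return lines


if __name__ == "__main__":
    flows = parse_flows(constructed_log())
    for dev, s in sorted(summarize(flows).items()):
        print(dev, "distinct_dsts=%d flows=%d persistent=%d"
              % (len(s["dsts"]), s["flows"], s["persistent"]))
    print("flagged:", suspicious_devices(flows))
```

The heuristic flags a device, not a cause: a gadget that was enrolled in a "sell your bandwidth" scheme on purpose, as the earlier comment describes, looks the same on the wire as one that was compromised.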
Apparently, a great many Android-based devices are shipping with something called Android Debug Bridge, designed for manufacturer troubleshooting. On your network, it allows your devices to be quickly rooted.
I flipped the bozo bit right here.
This is an actual thing that happens; I prevented us from shipping a device with wide-open ADB once. It's really convenient to run 'adb remote' for a device in the lab when testing a new build or debugging. It's inconvenient building a separate build for development and customer deployments when you're trying to iterate quickly.
I made some noise about that. I can imagine others may not have.
Normally, ADB is locked behind developer settings, and wireless ADB is through another hoop. I guess that wasn't the case in your environment for some reason?
Yes, of course. Custom AOSP builds.
It was extremely convenient to be able to connect to a lab device and check the logs, so the development configuration would have that wide open. These were relatively big devices that were sitting in a lab, and people were running several dozen tests on them per day.
It was great being able to have someone call out "hey, box 3 crashed, mind looking if it's the interference issues with USB again?"
It's an obviously terrible idea to ship things in this state.
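The difference between the lab configuration described above and what should reach customers is visible in a device's build properties. The script below is an added example, not code from the thread; the property names are AOSP system properties (`ro.build.type`, `ro.debuggable`, `ro.secure`, `ro.adb.secure`, `service.adb.tcp.port`, `persist.sys.usb.config`, `init.svc.adbd`), while the pass/fail rules and the two sample `getprop` dumps are this script's own assumptions about what a shippable build looks like. It parses `adb shell getprop` output and lists every setting that leaves ADB open, so a release pipeline can refuse to sign an image that still carries the development configuration.

```python
"""Audit Android build properties that control ADB exposure before shipping.

Added example (not from the thread). Property names are AOSP system
properties; the release rules below are this script's assumptions.
"""
import re

# getprop prints lines like "[ro.adb.secure]: [1]"
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def adb_findings(props):
    """Return (property, value, reason) for every setting that leaves ADB open."""
    findings = []
    build_type = props.get("ro.build.type", "<unset>")
    if build_type != "user":
        findings.append(("ro.build.type", build_type,
                         "release builds are 'user'; eng/userdebug run adbd as root"))
    if props.get("ro.debuggable") == "1":
        findings.append(("ro.debuggable", "1", "debuggable build: adbd runs as root"))
    if props.get("ro.secure") == "0":
        findings.append(("ro.secure", "0", "'adb root' is permitted"))
    adb_secure = props.get("ro.adb.secure", "<unset>")
    if adb_secure != "1":
        findings.append(("ro.adb.secure", adb_secure,
                         "ADB key authentication is not enforced"))
    tcp_port = props.get("service.adb.tcp.port", "")
    if tcp_port:
        findings.append(("service.adb.tcp.port", tcp_port,
                         "adbd listens on TCP and is reachable from the LAN"))
    usb_config = props.get("persist.sys.usb.config", "")
    if "adb" in usb_config.split(","):
        findings.append(("persist.sys.usb.config", usb_config,
                         "USB debugging is enabled at boot"))
    if props.get("init.svc.adbd") == "running":
        findings.append(("init.svc.adbd", "running", "adbd is running on this image"))
    return findings


def is_shippable(props):
    """True only when no ADB-exposing setting is present."""
    return not adb_findings(props)


# Constructed sample dumps; a lab build and a customer build of the same product.
LAB_BUILD = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[persist.sys.usb.config]: [mtp,adb]
[init.svc.adbd]: [running]
"""

CUSTOMER_BUILD = """\
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[service.adb.tcp.port]: []
[persist.sys.usb.config]: [mtp]
[init.svc.adbd]: [stopped]
"""


if __name__ == "__main__":
    for name, dump in (("lab", LAB_BUILD), ("customer", CUSTOMER_BUILD)):
        props = parse_getprop(dump)
        print(f"{name}: shippable={is_shippable(props)}")
        for key, val, why in adb_findings(props):
            print(f"  {key}={val}: {why}")
```

Run it against a real device with `adb shell getprop | python3 this_script.py` after replacing the constructed dumps with `sys.stdin.read()`; the point of keeping the rules in one function is that the same check can gate the release signing step rather than relying on someone remembering to make noise.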