Were our YouView boxes involved in the recent attacks on Twitter, Spotify, etc?

jonesh Posts: 1,297 Member ✭✭✭
edited 19 March 2017, 10:46PM in Archived Posts
https://www.theguardian.com/technology/2016/oct/22/city-banks-plan-to-hoard-bitcoins-to-help-them-pa...

This article in today's Observer includes the sentence:

The attack on Krebs was launched by a large botnet, a collection of enslaved computers – in this case, hundreds of thousands of hacked devices that constitute the internet of things (IoT), notably routers, IP cameras and digital video recorders.


Does this mean that our YouView boxes might have been compromised and used to help launch the attack on Twitter, Spotify etc?

Comments

  • Stephen Posts: 684 Member ✭✭✭✭✭
    edited 19 March 2017, 10:46PM
    Production YouView boxes have no shell (ssh/telnet) or debug access for people to get into and mess around with to set things up like this. The software images on boxes are all cryptographically signed, so boxes will verify the software and not boot anything that's been tampered with, and that thus no longer contains official matching signatures.
    It seems the hacked devices that formed this botnet had shell (or similar) access sloppily left on (with default passwords) by their manufacturers to easily enable them to be hijacked for use in coordinated attacks.

    Another problem with some of these IoT devices is that they either can't or won't be updated, so any flaws or backdoors are left unpatched, whereas YouView boxes, as we know, are fully updateable, so they can, where applicable, quickly be brought up to speed with security best practices at the same time as the rest of the world updates their servers, PCs and the like.
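
The signed-image check described in the comment above, as an added example that is not part of the original post and not YouView's own code. The thread does not say which signature scheme the boxes use; RSA PKCS#1 v1.5 with SHA-256, the toy key and all function names here are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes) so the example needs no key file.
# On a real device only the public half (N, E) is stored; D stays with the vendor.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-side private exponent
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of the image digest, K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(image: bytes) -> bytes:
    """Build-server step: sign the encoded digest with the private exponent."""
    return pow(int.from_bytes(encode(image), "big"), D, N).to_bytes(K, "big")


def verify(image: bytes, signature: bytes) -> bool:
    """Device step: uses only the public key (N, E)."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == encode(image)


def boot_decision(image: bytes, signature: bytes) -> str:
    """Boot only an image whose signature matches; refuse anything else."""
    return "boot" if verify(image, signature) else "refuse"


if __name__ == "__main__":
    firmware = b"CONSTRUCTED-IMAGE v1.0 kernel+rootfs"   # constructed sample
    sig = vendor_sign(firmware)
    tampered = firmware.replace(b"rootfs", b"r00tfs")    # single-field change
    print(boot_decision(firmware, sig))
    print(boot_decision(tampered, sig))
```

Because the device holds only the public key, someone who modifies the image cannot produce a signature that passes `verify`, which is why a tampered image is refused rather than booted.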
  • jonesh Posts: 1,297 Member ✭✭✭
    edited 21 December 2016, 12:03AM
    Good to know. Thank you for the information Stephen.
  • Visionman Posts: 9,491 Member ✭✭✭
    edited 22 December 2016, 12:06AM
    The above is the main reason (if not the only one) why the hacking community have no interest in YouView boxes. 
  • Roy Posts: 15,205 Member ✭✭✭
    edited 7 December 2016, 8:41AM
    Stephen, you mean there is some merit in BFIS after all? :-)
    Deploying my talents elsewhere now
  • redchiz Posts: 4,924 Member ✭✭✭
    edited 20 December 2016, 1:57PM
    "The hacking community." Arf!
  • Visionman Posts: 9,491 Member ✭✭✭
    edited 22 December 2016, 12:06AM
    Contributory, as always, redchiz.
  • Roy Posts: 15,205 Member ✭✭✭
    edited 7 December 2016, 8:41AM
    They say that on the Internet, no-one knows if you are a dog, but the trick is not to bark :-)
    Deploying my talents elsewhere now