- Feb 14, 2020
Context below, but my question is as follows:
Am I correct in the assumption that developing/finding RCE exploits that do not rely on successful authentication on the target device is orders of magnitude more complex than ones that do, and as such if every IoT device in the world was suddenly magically immune to credential bruteforcing the size of (specifically) IoT botnets would likely be decimated (even when looking at projections for 10-20 years from now)?
Background: I'm a networking student working on a project focussed on hardening household IoT devices (note that it's not targeted at folks like the regulars of this forum; my target audience still has a total of three passwords). After doing my reading I've come to the conclusion that the vast, overwhelming majority of successful attacks on these devices comes in the form of some kind of credential bruteforcing over open SSH or telnet ports, or a poorly configured webserver. Every now and then a more exotic vector is used (such as with the Deutsche Telekom hack), but even then, as far as I've been able to find, attacks that don't rely on credential bruteforcing to gain access in some way are incredibly rare.
Now for my project I've designed a hypothetical "product" that could prevent the authorisation attempts without hindering device functioning too much, which would then hypothetically protect household users against 99% of all attacks against their IoT devices (assuming my assessment of the threats is correct). One of the people I've asked for feedback, however, keeps raising the concern that blocking one attack vector won't necessarily stop attackers, but instead only push them to develop attacks that use new methods. While I obviously agree with this in general, I can't help but feel like in this specific situation it's not a major concern - even if I generously assume that my product spreads worldwide and has a big enough impact to change attacker behaviour. If my product can successfully prevent authorisation attempts, attackers would be forced to develop unauthorised RCE exploits instead, and to my knowledge that's orders of magnitude more complex and time-consuming, meaning blocking off this one vector does theoretically decrease the overall amount of attacks by a large margin.
However, I am keenly aware that I am a mere student with only entry-level knowledge of the field, and I do greatly respect this particular critic so I can't help but second-guess myself. As such, I'm hoping some of the folks here have thoughts on this matter that I could take into consideration!
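As an added example (not part of the original post or any real product), the core check a bruteforce-blocking device like the one described would need: a sliding-window detector that reads sshd-style auth log lines and flags sources making repeated failed logins, which a gateway could then rate-limit or block. The log lines, the IP addresses and the 4-failures-per-minute threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines, not from any real device (documentation IPs).
SAMPLE_LOG = """\
Feb 14 10:00:01 cam sshd[812]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb 14 10:00:02 cam sshd[812]: Failed password for root from 203.0.113.5 port 40002 ssh2
Feb 14 10:00:02 cam sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Feb 14 10:00:03 cam sshd[814]: Failed password for invalid user support from 203.0.113.5 port 40004 ssh2
Feb 14 10:00:04 cam sshd[815]: Failed password for root from 203.0.113.5 port 40005 ssh2
Feb 14 10:00:09 cam sshd[816]: Accepted password for pi from 192.0.2.10 port 50111 ssh2
Feb 14 10:05:30 cam sshd[817]: Failed password for pi from 192.0.2.10 port 50112 ssh2
Feb 14 10:20:00 cam sshd[818]: Failed password for root from 198.51.100.7 port 61000 ssh2
"""

# Matches only failed-login lines; "invalid user" is optional so both forms are covered.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2020):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def find_bruteforce_sources(log_text, threshold=4, window=timedelta(minutes=1)):
    """Return {source_ip: peak_failures_in_window} for sources that hit the threshold.

    Per source, keep a deque of recent failure timestamps; on each new failure drop
    entries older than `window`, then flag the source once the count reaches `threshold`.
    A single typo by a legitimate user (192.0.2.10 above) never trips it.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _user in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged
```

The same window logic applies unchanged to telnet or web-login failures once a matching regex is supplied for their log format.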