As the OpenDNS Security Labs team took some much needed time off, we found ourselves wondering what “toys” would be connected to the Internet throughout the holiday season, and what traffic patterns would emerge as a result. This blog post will detail some of our findings through the lens of the Internet of Things (IoT) connected devices, home automation products, toys, and wearable devices.
Belkin International, Inc., an American manufacturer of consumer electronics that specializes in connectivity devices, had a relatively flat showing throughout the holiday season. The only item of note was an uptick on Monday, December 15th at 04:00 UTC. We cannot directly correlate this anomaly with any recent events so this will likely remain a mystery.
Competitor D-Link Corporation (Chinese: 友訊科技), a Taiwanese multinational networking equipment manufacturing corporation headquartered in Taipei, Taiwan, saw a similar pattern in traffic destined to signal[.]mydlink[.]com
If we look at signal[.]eu[.]mydlink[.]com, however, we notice a surge on Christmas Eve and Boxing Day (spanning multiple timezones). Again, another curious spike on December 9 that cannot be correlated to anything of consequence.
One of the most noticeable spikes after Christmas was related to the Phillips Hue lighting devices. We saw peaks of more than 1,800 queries per interval which is likely associated with the installation and configuration of the lights. With the recent announcement of the 12 Monkeys television series synchronizing with Hue home lighting to match the onscreen action, we find ourselves wondering what this traffic will look like in the coming weeks.
Google-owned Nest saw very little increase during the holidays, perhaps due to the complexity required to install the devices – compared to that of a simple lightbulb. We find ourselves wondering if this will spike in the new year and if spikes will be seen predominantly on non-workdays.
Arrayent, Inc., a software company that has developed the Arrayent Connect Platform, experienced a sizable spike in traffic to its primary domain arrayent[.]com. The largest spikes we saw, however, were before the holidays even started – perhaps people purchasing new appliances before their guests arrived?
You may not have heard of Arrayent before but you’ve probably heard of some of the brands they partner with.
We looked at some of these brands including Whirlpool (whirlpool-sw1[.]arrayent[.]com).
and Chamberlain (chamb-api[.]arrayent[.]com), a manufacturer of garage door openers and associated equipment.
So what caused the Arrayent spike? We’re still investigating.
August[.]com, makers of the August Smart Lock, saw a significant increase leading up to and continuing through the holidays. We saw peaks as high as 3,537 queries per interval during our analysis timeframe.
The most interesting spikes, and perhaps the most concerning if you are a parent of a small child, was that of traffic associated with educational entertainment company Leapfrog. The company homepage – leapfrog[.]com – saw a significant post-Christmas surge to more than ~31,000 queries per interval. At first glance, we thought this might be related to parents’ searching for instructions on how to configure the devices for their kids, registration of the devices, and even application downloads.
Looking at some of the co-occurring domains we noticed the lfcam[.]leapfrog[.]com domain had an abnormal spike as well. One can only assume that this is in some way related to a LeapFrog camera (hence ‘lfcam’) either registering or, even more alarming, uploading pictures taken by users of the devices.
The devicelog[.]leapfrog[.]com domain also sees a significant increase that likely correlates with newly purchased devices. Are these diagnostic messages being sent up to the LeapFrog cloud or are they usage statistics for actions taken on the devices?
Perhaps the most depressing, yet predictable, traffic pattern observed was that of the FitBit wireless-enabled wearable devices and activity trackers. With the start of Hanukkah (on December 18) and throughout Christmas we noticed a steady decline in callbacks to api[.]fitbit[.]com. The low point, Thursday, Dec 25 at 22:00 UTC, dropped to 429 queries per interval – or as it shall henceforth be known, “The Turkey Coma Canyon”.
We hope you enjoyed this blog post. Now throw on your activity tracker, install that connected garage door opener, install your thermostat, and hook up your new washer and dryer!
The post Internet of Things (IoT) meets the Internet of Holidays (IoH) appeared first on OpenDNS Security Labs.
With BayThreat 2014 being cancelled, OpenDNS has offered to host the first day of the two day No Big Thing (NBT) conference. In a short time, the organizers of the event have had an amazing group of speakers, sponsors, and volunteers help organize a great hacker conference.
The event is currently at capacity but there is a waitlist that anyone can add themselves to.
The event includes two days of advanced information security presentations, food, drinks, and a hallway track for socializing. Starting Friday, December 5th at 2:00pm PST, OpenDNS opens its doors to kick off the conference at 135 Bluxome Street.
Friday, December 5th at OpenDNS (135 Bluxome St, San Francisco, CA 94107)
|2:30-3:30||Richo Healy||“Audible networking with Groundstation”|
|3:30-4:30||MainBoard||“point bREak : trolling BBS applications and users back in the 90s”|
|4:30-5:00||Jason Craig||“SIGINT isn’t just for the government anymore”|
|5:00-6:00||Speaker TBA||Topic TBA|
|6:00-6:30||Provided dinner break|
|6:30-7:00||Ping Yan||“Applied statistics and machine learning techniques on in-app events”|
|7:00-8:00||Alex Pinto||“From Threat Intelligence to Defense Cleverness: A Data Science Approach”|
|8:00-10:00||Provided tacos and cerveses|
|10:00-?||Hosted party at bar TBA|
Saturday, December 6th, the conference is being hosted at the Salesforce office (121 Spear St, San Francisco, CA 94105) starting at 10:00am.
|10:00-11:00||Kymberlee Price||“More Libraries! More Vulnerabilities! More Things!”|
|11:00-12:00||Morgan Marquis-Boire||“Eve, Mallory, and Jack Bauer: Real threats for RealPeople”|
|12:00-12:30||Ben Sadegh||“How bug bounty hunters do and don’t”|
|1:00-2:00||Wartortell||“The trials and tribulations of an APTmalware author”|
|2:00-3:00||John Menerick||“Breaking or Protecting the Internet’s BuildingBlocks”|
|3:00-4:00||TBA + break|
|4:00-5:00||Dan Hranj and Josh Schwartz||“Red vs Blue”|
|5:00-6:00||Evan Booth||“MacGyveresque creative problem solving”|
|6:00-8:00||Provided dinner and drinks|
|8:00-10:00||Hosted party at bar TBA|
|10:00-?||Cash Bar Crawl (check Twitter for location updates)|
Each evening will have a hosted happy hour and dinner with an afterparty at a local bar. We hope to see you there!
Check out our the official Twitter account for the latest announcements: @nbtcon.
For directions to OpenDNS, please use the following map for a point of reference:
Last week we had the pleasure of speaking at the 6th Irish Reporting and Information Security Service Computer Emergency Response Team (IRISSCERT) Cyber Crime Conference (IRISSCon) in Dublin, Ireland. IRISSCERT is an independent, not-for-profit company, limited by guarantee, and founded in 2008 to provide a range of free services to Irish businesses and consumers in relation to information security issues to help counter the security threats posed to Irish businesses and the Irish Internet space.
In addition to presenting a talk on the threats facing Ireland’s corner of the Internet, we were also at IRISSCon to announce a data sharing partnership between IRISSCERT and OpenDNS. Visibility into emerging threats, as they are being staged, is a critical first step in staying ahead of Internet attacks and limiting their damage. We are pleased to be announcing this intelligence sharing relationship with IRISSCERT so they can use OpenDNS solutions for early detection, response, and remediation of threats in Ireland.
IRISSCERT will use OpenDNS Investigate to alert and protect Irish businesses and other organizations from malicious domains that are hosting malware, phishing sites, and botnet command-and-control (C&C) infrastructure. OpenDNS will use the threat intelligence data shared by IRISSCERT to support our ongoing research into malicious online activity around the world. The full press release can be found here.
The organizers informed us that the conference sold out (at roughly 300 people!). Not only did it sell out, but there was a lengthy waitlist to get in, with organizations and individuals calling on the day of to try and obtain “special” access.
Prior to the event, the conference speakers (myself included) got together for dinner, drinks, and lengthy discussions on the global security landscape – with a focus on Ireland and Western Europe. This was a pleasant change from the typical US-centric discussions we often encounter at North American security conferences. The craic was mighty.
For a one day conference, there were far too many great talks to call out. As you can see in the keynote by Paul Gillen, Head of Operations at @Europol_EU European Cybercrime Centre (EC3), the conference was very well attended.
In addition to the speaking portion of the conference, a well attended capture the flag (CTF) competition was run in the adjacent room. The winners, a group of students from the Institute of Technology Blanchardstown (ITB) in Dublin, had participated in previous years’ IRISSCON CTFs.
Oh, and did I mention the amazing food and drink?
Look for OpenDNS Labs at more EMEA events in 2015 as we continue to bring our global security platform to every corner of the globe. Also, if you would like to explore an information sharing partnership like the one we’ve established with IRISSCERT, please reach out to me directly at email@example.com.