This thing's strategy for finding machines to take over is so simple it's embarrassing. It tries to open an unencrypted Telnet connection to random IP addresses. If it gets a response, it tries the following username/password combinations:
Deploying millions of devices with fixed passwords that dumb is clear evidence of gross negligence on the part of IoT device manufacturers. If this gets to court, some lawyer is going to enter that list as evidence and read it to a jury.
"That's the kind of combination an idiot would have on his luggage!" - Spaceballs
LOL it's missing "admin/ztonpk, admin/tzlkisonpk, telekom/telekom" which are default passwords for root access on Telekom Serbia's modems (7-8 million devices including IPTV STBs)... It's so stupid I have to use their shitty modem and can't change the pwd because they occasionally flash new firmware to it and reset everything to default, because that's how they configure the xDSL settings.
I cannot wait for some type of top-down pressure to force IoT developers to take security seriously. The movement has been pushed into overdrive thanks to insane levels of competition where you either crush your R&D into the smallest breakneck period or you live to see your creation being sold for half of what your budget can allow by other firms lifting your efforts while you're still at the workbench.[1]
I've been getting cozy with Shenzhen-based hardware accelerators for the past year as part of a personal side-venture and I have not seen a group so pressured to deliver a product as fast as possible with security being a casual afterthought. To get a decent taste of what it's like, I wholeheartedly recommend WIRED's Future Cities documentary on Shenzhen and the companies that dwell there.[2] Their struggles for ephemeral market-share are endemic of the entire community that's taken over embedded hardware for the past few years.
The saddest aspect of it all is that this market competition isn't benefiting the consumer. IoT devices are coming out of the factories poorly engineered, badly maintained for far too short of a time, and as we've learned from this attack, being used as vectors for network intrusion and distributed censorship. Even arduino founder Massimo Banzi's widely-lauded IoT Manifesto[3] fails to approach any comprehensive statement regarding a dev's responsibility to build in some level of security to their devices.
It just isn't part of the fast-and-loose culture that has been bred by trend-setting companies with unlimited budgets making bad decisions from the very start.[4] In addition, the if-you-can't-beat-'em-join-'em attitude the West has taken towards churning out hardware devices as fast as they can before jumping to the next IoT piece of junk before the ripoffs can hurt them is really disappointing as it prevents any considerable effort from going into a device pre-and-post release.
All in all, the IoT community is not going to change their priorities unless someone very powerful forces them to and it can't happen soon enough.
I hate this phrase. It's not like a bunch of people gathered and said "let's make shitty IoT stuff!". It's not a "community", there aren't groups around advocating against security best practices.
If anything the actual community around IoT stuff takes security more seriously than most HNers.
The problem is the companies and manufacturers that aren't part of the community.
And I take issue with your [4]. That has nothing to do with security. It was a glitch, and it happened, and I personally don't like Nest as a company very much and think they make pretty shitty products, but they take security seriously, and in a discussion about IoT security linking a non-security related software bug serves no purpose. Everything has bugs, that doesn't mean it's absolute shit when something goes wrong.
Your [3] is also incorrect. The Arduino IoT Manifesto's second point is that a dev should make sure their product can be updated, and even if it's abandoned it should be able to be repurposed in something else, or updated by someone else.
It doesn't matter how "secure" a password is if it's known. Quite a few vendors ships devices with a common factory password, stated in the manual. And people put those on ther internet.
Hardcoded in some "firmware example" supplied by the vendor, someone REd the firmware and published the password on his blog, and then it was discovered by the author(s) of this malware.
Question for the C folks. The author seems to have reimplemented functions such as strlen, memcpy, and atoi in 'bot/util.h' instead of using the stdlib. Anyone know why?
Because you cannot rely on some chintzy IoT device to have dynamically loadable libraries. In all likelihood, they don't. But let's assume they do have loadable stdlib, would would you trust the integrity of your botnet to dozens of poorly designed IoT devices?
But it is easier to copy/paste those few functions rather than play with static libc and then making sure all the other functions don't get linked into the final binary.
Remember that this target IoT devices, where diversity is much higher than it would be for desktops or servers. the build scripts shows the targeted architectures:
Not the reason. Especially when the author includes headers like:
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <errno.h>
#include <fcntl.h>
Could someone please illustrate a concrete example of how having the password to my camera (assuming it has an routing through NAT) can be used to generate outbound traffic?
I have five cameras set up with NAT port holes. My passwords are (I believe) secure. But even if they were on the list, how could that be used to generate outbound traffic to DDoS someone? Presumably, only by a further vulnerability in the firmware.
In all the media / HN coverage, even with the release of Mirai source, I have yet to see a concrete example of a brand/model of camera/DVR who's firmware is exploitable. Let alone a list of models that are.
One exception: The D-Link DCS-930L[1] has a known vulnerability.
The IoT devices can be accessed over telnet. Out of curiosity: Is there a self destruct command? or a way to make one?
It seems to me that destroying the vulnerable devices would solve the DDoS problem and gives a big kick in the face of the affected manufacturers plus a good press coverage.
This was my exact thought. If we have the source code, it seems as if it wouldn't be too hard to make our own version which seeks and destroys other versions, possibly patching the system, or at least changing the password to be something secure.
Is there a reason this can't be done? (Other than a legal reason, which hackers don't tend to care too much about.)
The whole focus on IOT and random individual devices on the network seems misplaced. If all it takes is misconfiguration of random devices that join the network to take it down then you have a larger problem than these devices.
Since there is no way to police this and 'wack a mole' for billions of devices is not a practical strategy this security focus on IOT devices while nice does not address the core problem of vulnerable networks and ddos. It distracts and diverts from it.
True, but there's conversely a whole bunch of problems associated with the scandalous lack of security wrt many IoT devices, that aren't anything to do with DDoS. I wonder how many people are being watched as we speak.
Is there a page somewhere that maps these passwords to corresponding devices? Essentially a list of what devices are affected by this botnet? I don't think anything I own is affected, and I monitor my network pretty closely, but would like to double check. And make sure not to buy any of them either.
Would it be illegal to innoculate IoT devices by forking Mirai and then changing each vulnerable device's default password to a random choice of high entropy?
IANAL, but I'm pretty sure the answer to that is "yes". It would set a terrible precedent by authorising vigilantism, and I'm not sure how you would define "vulnerable" under the law.
I think the headline there, "Mirai Botnet Client, Echo Loader and CNC source code", is more descriptive and suitable than the current title.
"Mirai" is a rather generic name; for a moment I was wondering if it was related to the https://en.wikipedia.org/wiki/Toyota_Mirai ...but it did make me click to find out.
Deploying millions of devices with fixed passwords that dumb is clear evidence of gross negligence on the part of IoT device manufacturers. If this gets to court, some lawyer is going to enter that list as evidence and read it to a jury.
"That's the kind of combination an idiot would have on his luggage!" - Spaceballs