Surveillance camera compromised in 98 seconds

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network. According to Graham's series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds. Mirai …

  1. Doctor Syntax Silver badge

    "The correct mitigation is 'put these devices behind your firewall',"

    The correct mitigation is not to buy crap that can't have its password changed.

    1. Paul Crawford Silver badge

      You assume a lot, in that which of the potential buyers knows how to check telnet passwords?

      A more sensible approach would be for governments around the world to make default and non-changeable passwords that work beyond the first log-in attempt something that incurs a $1000+ fine per device.

      Only then will suppliers not be fsking morons out of the box....
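The "check telnet passwords" test mentioned above is the one concrete thing a buyer can do before a device goes on the network. The script below is an added example for this thread (not code from the article or from any vendor). It assumes a device whose telnet daemon prints a prompt containing "login:" followed by "Password:" and answers a successful login with a shell prompt ending in "# " or "$ "; real firmwares vary. The credential list and the in-process fake device are constructed for the demo, and the probe should only be pointed at hardware you own.

```python
"""Check whether a camera still answers to factory telnet credentials.

Added example, not code from the thread. It assumes a device whose telnet
daemon prints a prompt containing "login:" then "Password:", and answers a
successful login with a shell prompt ending in "# " or "$ " (an assumption;
real firmwares vary). Run it only against hardware you own.
"""
import socket
import threading

# Constructed demo list; not any vendor's actual defaults.
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("root", "12345")]

IAC = 255  # telnet "interpret as command" byte


def strip_iac(data: bytes) -> bytes:
    """Drop option-negotiation triples (IAC <cmd> <opt>) so prompt matching
    sees only text. Triples split across recv() chunks are not handled here."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def read_until(sock: socket.socket, markers, timeout: float = 2.0) -> bytes:
    """Read until any (lowercase) marker appears, the peer closes, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += strip_iac(chunk)
    return buf


def try_login(host: str, port: int, user: str, password: str) -> bool:
    """True if the device hands out a shell prompt for this pair."""
    with socket.create_connection((host, port), timeout=3) as s:
        read_until(s, (b"login:",))
        s.sendall(user.encode() + b"\r\n")
        read_until(s, (b"password:",))
        s.sendall(password.encode() + b"\r\n")
        reply = read_until(s, (b"login:", b"# ", b"$ ")).lower()
    # A failed login re-prompts; a prompt without "incorrect" means we are in.
    return bool(reply.strip()) and b"incorrect" not in reply and b"login:" not in reply


def probe_default_creds(host: str, port: int, creds=DEFAULT_CREDS):
    """Return every (user, password) pair the device accepts."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


def start_fake_device(accepted: tuple) -> int:
    """In-process stand-in for a camera's telnet daemon (constructed for the
    demo). Returns the ephemeral localhost port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as lines:
                conn.sendall(bytes([IAC, 251, 1]) + b"login: ")  # IAC WILL ECHO, then prompt
                user = lines.readline().strip().decode(errors="replace")
                conn.sendall(b"Password: ")
                pw = lines.readline().strip().decode(errors="replace")
                if (user, pw) == accepted:
                    conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\nlogin: ")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_device(("root", "12345"))
    print(probe_default_creds("127.0.0.1", port))  # [('root', '12345')]
```

If the probe returns anything at all, the device is exactly what the article describes: a box that a scanner will log into within minutes of being exposed. Changing the password (where the firmware allows it) and re-running the probe is the check; a device on which the factory pair still works after a "change" is the one that belongs behind a firewall with port 23 blocked, or back in the shop.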

      1. Mark 85

        I'm more militant.. don't buy IoT crap. Period. It's all crap as the manufacturers don't care except for the bottom line. Don't buy until they get some clues and properly secure this stuff.

        Since government is reluctant to do anything... vote with your wallet. Just don't buy it.

      2. Doctor Syntax Silver badge

        "You assume a lot, in that who of they potential buyers knows how to check telnet passwords?"

        Only those interested in mitigating the problem which was what the statement in the article was about. In other words, the best thing that you or I could do if we wanted to buy such a product.

        Of course the better solution is regulation as I've written here numerous times.

    2. Gene Cash Silver badge

      put these devices behind your firewall

      Problem is, there's an assload of stuff that doesn't work unless it's connected to the mother ship. For example, a Honeywell wi-fi thermostat. They expected me to control it through a (very misdesigned and broken) Honeywell.com website.

      I simply demand a refund for such stuff, but a lot of the time you can't tell if it's such a device at first glance in the store.

      1. Voland's right hand Silver badge

        Problem is, there's an assload of stuff that doesn't work unless it's connected to the mother ship. For example, a Honeywell wi-fi thermostat.

        Hehe... Someone trying desperately to imitate nest without having the same monetization business plan. What a bunch of numpties.

        1. Steve Davies 3 Silver badge

          Have an upvote

          for using the word Numpty.

          Made my day

          1. Steve Davies 3 Silver badge

            Re: Have an upvote

            IMHO, the people who downvoted my comment are perfect examples of 'Numpties'.

            My post wasn't controversial or argumentative just a bit of fun. Get a life people.

      2. The Man Who Fell To Earth Silver badge

        @Gene

        Are you really that stupid or were you paid to troll? That Honeywell works just fine behind a firewall, which is how it's supposed to be set up. It will be quite happy to be isolated to its own VLAN that has all communication with other VLANs blocked (block Inter-VLAN routing). That's because it doesn't use any direct communication with other devices on the local network anyway, or any place other than Honeywell - all app & web communication is via an encrypted connection through Honeywell's servers. Just like Nest and others who do it properly.

        If you are going to have IoT (Internet of Trash) devices, it's a good idea anyway to isolate them to their own VLAN and block Inter-VLAN routing so they can't see the rest of your network.

        1. Anonymous Coward

          Re: @Gene

          If you are going to have IoT (Internet of Trash) devices, it's a good idea anyway to isolate them to their own VLAN and block Inter-VLAN routing so they can't see the rest of your network.

          Entirely agree. But how many ordinary punters would have a clue that this is necessary, let alone any idea how to implement it (even if their crap ISP router allowed it)?

          1. Anonymous Coward

            Re: @Gene

            For setting up all of these separated VLANs are we talking Open/DD-WRT on a retail device or do we start running into UTM VMs, managed switches or other specialised kit territory?

            We're fvcked aren't we, the genie is out of the bottle? Trolled by light bulbs.

            1. SImon Hobson Bronze badge

              Re: @Gene

              For setting up all of these separated VLANs are we talking ...

              SOME consumer routers will do VLANs out of the box, many don't. TBH I don't have that much experience trying to do such stuff with consumer routers as we tend to specify "a bit better" stuff (eg Draytek Vigor routers) for customers where this is a requirement (and even where it isn't).

              Assuming the router itself supports it, then you also have the problem that most routers only have a small number of network ports - so you'll need a switch to extend that (especially if you have a cluster of devices remote from the router). Then you are either talking of multiple switches and associated cabling, or you need to start configuring VLANs on the switch - which means you need at least an "intelligent" switch. Thankfully there are a fair number of "basic but configurable" switches around without breaking the bank.

              But this is all stuff that your average user would not have the slightest clue about. It's easy for us IT professionals to scoff at the "idiots" who can't set all this up - but really some of the comments so far display a distinct lack of appreciation of a) how this is still very much a "black art" to most people, and b) we should not be looking down on people in this situation.

              Can any of us truthfully say that we could (for example) make all the clothing we have - including growing the cotton, or manufacturing the synthetic fibre from oil you've extracted from the ground, and then spinning it into thread, weaving it into cloth, ... you get the picture. Not to mention, rearing the cow, tanning the leather etc to make the shoes. Closer to home, none of us could make (from a pile of sand and some copper ore) the computers we use. Other people can grow the cotton, other people can make that into thread and then into cloth, other people can turn that cloth into a shirt. Other people can rear the cows, other people can turn the hide into leather, other people can turn that leather into shoes. Other people can turn some sand into a silicon chip, other people can put that chip into a system, and so on. All those things that almost all of us here cannot do ourselves.

              So why do we so readily criticise others for being in the same position of not knowing everything there is to know in the world ?

    3. Shane8

      The ones that you cant change the password on...

      are NSA approved!

    4. Anonymous Coward

      >"The correct mitigation is 'put these devices behind your firewall',"

      >>The correct mitigation is not to buy crap that can't have its password changed.

      You are both right in a way. However, I doubt everyone has a SEWER VLAN (like me) for IoT stuff that is even more desperate than those devices that get to reside on the IoT VLAN, which is for nearly trustable stuff.

      I recently bought a camera with pan and tilt and 720p output for £47 that is very Chinese and really wants to connect to a mothership and give you "app access" but if you block it from the intertubes is still fully functional for streaming into Zoneminder - I have submitted my scripts upstream and documented it on the wiki. It's a Keekoon jobbie.

      Not all IoT stuff is unusable behind a firewall but it does need careful handling.

    5. Eddy Ito

      I'm waiting for a botnet driver to turn the irony knob to 11 and have all these crap IoT devices continuously attack their own makers. It's not a mitigation but it would put a smile on my face.

  2. MasterofDisaster

    Another check is to set thresholds on bandwidth used by the camera; typical usage is relatively stable, and if infected you should pretty quickly get an alert. It's amazing to me that with this going on for a while that multiple layers of both prevention and detection are not being employed.
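The bandwidth-threshold check suggested above is easy to get wrong in both directions: a fixed byte limit fires on every motion clip, while a limit set high enough to ignore clips misses a bot that only opens hundreds of small telnet connections a minute. The script below is an added example for this thread (not code from the article, the commenter or any product). It assumes a per-minute series for one device of bytes sent and new outbound connections, as a router's per-host accounting or a flow export would provide; the two series and all thresholds are constructed for the demo. It learns a robust baseline (median and MAD) from a warm-up window and alerts only on a sustained excursion.

```python
"""Flag a camera whose outbound traffic leaves its usual envelope.

Added example, not code from the thread. Input is a per-minute series for one
device (bytes sent, and new outbound connections opened), as a router's
per-host accounting or a flow export would give (assumption about the source;
the series below are constructed). A robust baseline (median and MAD) is
learned from a warm-up window, and an alert fires only when the excess is
sustained, so a single motion-clip upload does not page anyone while a
device that starts scanning or flooding does.
"""
from statistics import median

# Constructed: ten quiet minutes, one legitimate spike, then a compromise.
BYTES_OUT = [1_210_000, 1_190_000, 1_230_000, 1_205_000, 1_198_000,
             1_222_000, 1_215_000, 1_187_000, 1_240_000, 1_201_000,   # warm-up
             1_212_000, 3_050_000, 1_199_000,                          # single spike: a clip upload
             7_900_000, 8_400_000, 8_100_000, 8_300_000]               # sustained: flood traffic
NEW_CONNS = [2, 3, 2, 2, 4, 3, 2, 3, 2, 3,
             2, 3, 2,
             410, 520, 480, 505]                                       # sustained: telnet scanning


def baseline(samples, warmup):
    """Median and median absolute deviation of the warm-up window.
    Both are robust to the odd burst inside the training window."""
    train = samples[:warmup]
    med = median(train)
    mad = median(abs(x - med) for x in train)
    return med, mad


def find_sustained_excursions(samples, warmup=10, k=6.0, min_delta=0, sustain=3):
    """Return (start_index, threshold) for every run of `sustain` consecutive
    intervals above median + max(k*MAD, min_delta). `min_delta` stops a
    near-constant series (MAD close to 0) from alerting on jitter."""
    med, mad = baseline(samples, warmup)
    threshold = med + max(k * mad, min_delta)
    alerts, run = [], 0
    for i in range(warmup, len(samples)):
        run = run + 1 if samples[i] > threshold else 0
        if run == sustain:              # fires once per excursion, not every minute
            alerts.append((i - sustain + 1, threshold))
    return alerts


def check_camera(bytes_out=BYTES_OUT, new_conns=NEW_CONNS):
    """Run both detectors: a scanning bot may barely move the byte count but
    opens hundreds of connections a minute, so both series are watched."""
    return {
        "bytes_out": find_sustained_excursions(bytes_out, min_delta=200_000),
        "new_conns": find_sustained_excursions(new_conns, min_delta=20),
    }


if __name__ == "__main__":
    for metric, alerts in check_camera().items():
        for start, thr in alerts:
            print(f"{metric}: sustained excess from minute {start} (threshold {thr:,.0f})")
```

On the constructed data the one-minute clip upload at minute 11 is ignored and both detectors fire at minute 13, where the flood and the scanning start. The connection-count series is the one that matters for a Mirai-style infection: the bytes a scanner sends are small, but the number of new destinations per minute is nothing a camera streaming to one NVR would ever produce.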

    1. Nate Amsden

      you must be new to this then, amazing to me that it would be amazing to someone else to think there wasn't such protections in place. It's not as if botnets are new. What was it a decade or so ago people clocked unpatched XP systems at being hit by botnets in a matter of seconds too?

      http://www.theregister.co.uk/2004/08/19/infected_in20_minutes/

      oh sorry 20 minutes, I guess bandwidth was tighter back then. Though the brief outbreak of that SQL slammer had MSSQL systems infected in a shorter period of time. If people were running (and continue to run) SQL servers (and mongo etc) exposed to the internet on server class platforms I'm not sure how people can expect non technical folks to run their cameras in any more of a secure manor.

      (not to knock XP specifically just that sticks out in my head)

      and as for government intervention, wasn't it someone in the U.S. government anyway recently saying they are not equipped to handle this ? They need a new department etc. That will take time to spin up, fund, and stuff. Enforcement will be difficult as well, look how well the copyright enforcement goes and they are equipped to handle that.

      I don't know what the solution is myself, whatever it is it will likely take a bunch of time and resources and will probably be full of holes anyway. In the mean time do your best to protect yourself.

  3. Anonymous Coward

    Yay for the apocalypse!

    I thought humanity would get taken down by amoral robots, but with IoT toasters and baby monitors, Skynet may never get its chance!

    1. Evil Auditor Silver badge

      Re: Yay for the apocalypse!

      Amoral robots? Should we ever build moral robots they will come, see what IoT crap we've done, and take the very moral decision to eliminate the root source of the problem, i.e. hufuckingmankind.

    2. Blofeld's Cat

      Re: Yay for the apocalypse!

      "Skynet may never get its chance!"

      Indeed. Cue image of a terminator crunching his way across a field of skulls, just to enquire whether you would like a toasted teacake.

      1. Destroy All Monsters Silver badge

        Re: Yay for the apocalypse!

        Toasters taking over?

        There must be something by Philip K. Dick on this.

  4. Diginerd

    One for the ISPs...

    More than a few US ISPs catering to home users have T&Cs prohibiting them from "Hosting servers". They then filter traffic headed to their user subjects on mail, ftp and webserver ports along with outbound smtp traffic to off-net IPs.

    If you buy "Business class" service from the same ISPs you get the same service as a home user with a 20-30% price hike plus the ability to host servers/send smtp mail anywhere. However, "business" users must request the port filters be removed and accept responsibility for server traffic.

    Removing the filters takes about 5 minutes.

    Practical upshot is this provides little impediment to responsible users and saves the rest of the world from millions of spam messages being sent by clueless users.

    A decent step in the right direction would be for those ISPs to block telnet traffic by default too...

    1. Diginerd

      Re: One for the ISPs...

      I for one welcome our robot overlords (aka "auto-correct").

      All jokes about draconian ISP policies aside, "Subjects" in post above should read "SUBNET"s.

      Oops

    2. DainB Bronze badge

      Re: One for the ISPs...

      Next step - ISP decides which sites you can visit and charges you more for filter removed. Actually it can even be pay per site you want to visit.

      Sounds great, doesn't it?

    3. Anonymous Coward

      Re: One for the ISPs...

      [ISP traffic monitoring - thanks, saved me some typing]

      I like this idea a lot, and if it's free, optional, and enabled by default but easily removable if required, why should any reasonable person (ie not a malware-slinger) have a problem with it?

      In fact in the early days of UK consumer internet, small but near-perfectly formed ISP Metronet used to do something like this - some ports blocked by default, and keep an eye on traffic for symptoms of well known/widespread/high risk exploits. If symptoms were observed, stick customer in a walled garden and have them contact support (who, remarkably for a consumer ISP, generally knew what was going on). Sadly Metronet got taken over by Plusnet and frivolities like this weren't kept around.

      Much larger and much less perfectly formed ISP NTL also had something similar at one point, at least in terms of port blocking and activity monitoring and sandboxing and customer notification. Maybe others did too, maybe some still do????

      This would have been around a decade and a half ago.

      The technology still exists, but folk seem more interested in using stuff like this, deep packet inspection, etc, for less helpful (to Joe Public) purposes e.g. the Snoopers Charter which sadly made it into UK law this week.

  5. Sitaram Chamarty

    disable UPNP and allow the mobile app to do everything

    the biggest failure is UPNP.

    They should mandate disabling that. All communication to the "mothership" should go through a mobile phone which is on the same wifi network. Yes that would essentially be akin to XSS but in a good way.

    I'm pretty sure this is the most practical, scalable, solution for this.

    1. Stoneshop

      Re: disable UPNP and allow the mobile app to do everything

      All communication to the "mothership" should go through a mobile phone which is on the same wifi network

      And this is going to mitigate the problem, exactly how?

      I'm pretty sure this is the most practical, scalable, solution for this.

      Oh, yes. Sure. If you say so.

      1. Sitaram Chamarty

        Re: disable UPNP and allow the mobile app to do everything

        > And this is going to mitigate the problem, exactly how?

        No direct connection from arbitrary external IPs to the weak device. The manufacturers leave upnp open because they want to talk directly to the device. Block that, because the app on the mobile (while in the same wifi network) should be able to proxy that traffic.

        This also means you cannot control your home thermostat from your office, though. There's no easy way to allow that while disallowing attacks, unless you get into some kind of authentication dialog. With the *device*.

        >> I'm pretty sure this is the most practical, scalable, solution for this.

        > Oh, yes. Sure. If you say so.

        a bit of uncalled-for hubris there I admit; mea culpa :-) Milord, I'd like that last comment of mine stricken from the record!

        At least for the attacks we're seeing that caused krebsonsecurity.com and Dyn DDOS, disallowing external connections would have certainly stopped them cold.

  6. Jeroen Braamhaar

    Let's hit on a solution ...

    The best solution to the IoT pwnage problem is, of course, the humble hammer.

    However, where to vigorously and repeatedly apply it is a point of debate, but here's a shortlist of targets to consider:

    - the manufacturer, for baking fixed credentials

    - the government, for twiddling thumbs

    - the blokes running Mirai for obvious reasons

    - the device class, for offering solutions to a problem nobody is having

    - you, for falling for the IoT neofilia scam

    ;-)

    1. oiseau

      Re: Let's hit on a solution ...

      "- the device class, for offering solutions to a problem nobody is having

      - you, for falling for the IoT neofilia scam"

      Yes ...

      Finally some common sense.

      Have a +1, a pint and a good weekend to you sir.

    2. Stoneshop

      Re: Let's hit on a solution ...

      Although potentially very satisfying, hitting a manufacturer or the various governments involved with a hammer can be quite time-consuming if you want to achieve noticeable results; especially governments tend to have a vogon-like impact resistance. The venerable автомат Калашникова 47 with a sufficient supply of ammo tends to bring more immediate results.

  7. Peter Prof Fox

    There are good IoT use cases

    Screw it to the wall and plug it into the Internet can be a great thing. CCTV at mum's house allows us to keep an eye on things. If we weren't tech-savvy it would have been practically impossible as where is the tech support that covers strange devices on ISP supplied and configured routers.

    I say the solution is to have DIY kit for techies as we have now, then installers who know what they're doing. You may remember in the days of yore there were chaps who came to service your television. Get a proper qualification set-up for IoT-techies and leave them to (a) sort out the basics, (b) select out the crap, (c) deal with appropriate, including security, configuration.

  8. JJKing

    Why is this still a problem?

    Considering this hardcoded credential issue/problem has been around for a long time now, why do they still insist on having them hard coded? It must be one of the easiest IT issues to rectify.

    1. Diginerd

      Re: Why is this still a problem?

      ...because the business risk to the vendors is currently near zero and margins are paper thin.

      Until the Status Quo changes tune, it falls to those in a position to mitigate vendor shortsightedness to take action.

      For a concrete example of how ISP port blocking can turn a potentially deadly vendor screwup into a non-issue see Chris Miller's Defcon presentation on Chrysler Jeep hacking. Scary stuff with jaw-dropping incompetence on Chrysler's part making the PoC possible.

      The obvious downsides to a strategy where ISPs take proactive defensive measures are:

      1) Collectively rewarding the incompetence of said Vendors.

      2) Creating hoops for competent users to jump through.

      Given the circumstances, this feels like an acceptable compromise given the damage that vendor negligence can, and does, cause.

      1. Stoneshop

        Re: Why is this still a problem?

        Until the Status Quo changes tune

        Nah, they're still playing boogie rock.

      2. Doctor Syntax Silver badge

        Re: Why is this still a problem?

        "...because the business risk to the vendors is currently near zero and margins are paper thin."

        And because TPTB haven't the wit to introduce regulation with just enough enforcement to tip the risk and margins in favour of selling compliant stuff.

    2. P. Lee

      Re: Why is this still a problem?

      >why do they still insist on having them hard coded?

      Because these devices are install-and-forget and if you forget the password because the last time you accessed it was three years ago then you're going to need some comprehensive password reset plan which works with your crummy-little IoT hardware.

      Easier and cheaper might be to set the TTL on all your telnet traffic to 1 by default. Setting the TTL to three or four is probably enough for most consumer kit to allow for VPN access. Having a physical switch which needs pushing to allow "advanced" access to change such things is probably enough to stop the botnets expanding. This isn't a perfect solution. It falls down if you are doing something dumb like attaching it to a cloud, but nobody's perfect! :)

  9. K. the Dude

    "(..)secure manor."

    If those non-technical chaps can afford a manor they probably can afford old fashioned bloodhounds and iron gates. The rest of us are stuck.

  10. redpawn

    Pre-infection Defence

    Appears as though owners need to run software to "infect" their own IoT stuff with secure versions of software on each power cycle, then put the device behind a firewall and not connect the firewall to the internet. This ought to make IoT devices almost safe to use.

  11. Packet

    Perhaps I'm missing the point...

    But he specifically opened port 23 (telnet) to this device and waits for it to get compromised (which it does, rather quickly too).

    Isn't all modern SOHO equipment a combination of router + firewall (and DSL bridge / cable modem if not purchased separately)?

    So as long as the device is behind a router with inbuilt firewall blocking inbound access, it has some modicum of security.

    I'm running a Honeywell wifi thermostat behind my Cisco branded router/firewall - didn't have to open any ports inbound for it to work - it goes to the Honeywell website and I had to register an account with the MAC/serial # of the unit. It works decently well.

    Now the security of that particular Honeywell website is not up to me - it's a managed service by them.

    It's all a value add anyway - don't want wifi control of your thermostat, don't connect it to the network.

    (Did not want a Nest after all the nonsense they went through - and of course, Google data slurpage)

    1. Adrian 4

      Re: Perhaps I'm missing the point...

      But that wouldn't make an interesting headline.

  12. Anonymous Coward

    I've seen this episode of the Outer Limits. Eventually the IoT devices collapse the internet and the plot twist at the end is that we all go back to the industrial age. I'll have to dig out my flat cap for t'coalmine.
