Today the web was broken by countless hacked devices – your 60-second summary

Today a vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web. Compromised machines, following orders from as-yet unknown masterminds, threw massive amounts of junk traffic at servers operated by US-based Dyn, which …


  1. Doctor Syntax Silver badge

    Maybe..

    ..just maybe this will finally spur TPTB into taking some action.

    For a start oblige the manufacturers of IoTs to stop selling vulnerable devices until they're fixed.

    At the same time, put out a recall for all those currently installed to be upgraded - or do over-the-net upgrades for kit that supports that.

    And then make it illegal to run a vulnerable device if it's connected to the net.

    The second item might well cost vendors more than the profit they made in the first place - good, it's time vendors were exposed to the costs of cutting corners.

    1. Mark 85 Silver badge

      Re: Maybe..

      Nice thought, but I think most manufacturers will just shut down the product line rather than do fixes. Profit and all that. As for "illegal".. that part would be ignored as any fines will be relatively minuscule and that's only if a law can get past the corporate lobbyists.

      1. Doctor Syntax Silver badge

        Re: Maybe..

        'As for "illegal".. that part would be ignored as any fines will be relatively minuscule and that's only if a law can get past the corporate lobbyists.'

        Fines can be whatever legislation and the courts make them. There's also the possibility of raising sanctions against ISPs who continue to permit their customers to continue to use such devices.

        As to lobbying, recent events have resulted in some large corporations having incentives to lobby for action.

        In general history shows that eventually potentially bad stuff does get regulated but unfortunately governments traditionally don't operate at internet speed.

        1. Destroy All Monsters Silver badge

          Re: Maybe..

          governments traditionally don't operate at internet speed

          Unless it is to exploit a moral panic to increase control in unsustainable ways for no good reason except that "something must be done".

      2. pbryant

        Re: Maybe..

        "...only if a law can get past the corporate lobbyists." and the Republican Party.

      3. Tomato42 Silver badge
        Unhappy

        Re: Maybe..

        > Nice thought, but I think most manufacturers will just shut down the product line rather than do fixes.

        and nothing of value will be lost

        1. Metrognome

          Re: Maybe..

          What unadulterated bollocks.

          How do you outlaw the Chinese makers that flood ebay, gearbest, aliexpress and the like?

          Do you guys think that some army of standards enforcers will land in China and start shutting factories down?

          The Chinese manufacturers neither know nor care about these things; mostly the same stands for their customers.

          1. John Brown (no body) Silver badge

            Re: Maybe..

            "The Chinese manufacturers neither know nor care about these things; mostly the same stands for their customers."

            <tinfoil hat mode>

            Or, just maybe, it's all part of "The Plot"

            </tinfoil hat mode>

          2. Doctor Syntax Silver badge

            Re: Maybe..

            "mostly the same stands for their customers."

            It's the customer end that you start with. Does the kit meet UL/CE standards? If not then it becomes illegal to put it on the 'net in the relevant country or, even better, it becomes illegal for the ISPs to route it. It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit.

            The manufacturers will get the message without direct action - they want to sell stuff, they meet the standards.

            Make no mistake, something will be done, the only questions are what and when.

            1. VulcanV5

              Re: Maybe..

              " It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit."

              In the UK, Local Authorities run Trading Standards departments. Also in the UK, central government (i.e., taxpayer) funding of Local Authorities dwindles year on year -- as do the number of staff employed as Trading Standards officers. Quite how this ever-diminishing number of consumer protection specialists is meant to visit every vendor of unsafe cheap Chinese tat, whether sold on a real-world market stall in hundreds of towns throughout the country, or the virtual auction house of eBay, is beyond me. Using Denial of Commonsense as an approach to the issue of Denial of Service ain't going to help at all.

    2. a_yank_lurker Silver badge

      Re: Maybe..

      I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering.

      Security is hard to do even when users are reasonably proactive. Too many IoT devices ignore proper security because they make it difficult to update the device even for proactive users. This could be fixed, possibly without any new legislation. Use the existing defective product recall laws on the books since these are defective devices. After a certain period of time and genuine effort then nail the manufacturers with fines for selling and refusing to fix defective products.

      1. Ole Juul Silver badge

        Re: Maybe..

        A class action lawsuit by users of these devices would cover older models just fine. My non-lawyer thinking suggests that being put at risk without any warning labels would make a case. I want to see these socially irresponsible companies put out of business. I'm sure there are others willing and able to take their place.

        1. Mage Silver badge

          Re: Maybe..

          Problem is proving that the USERS/Owners suffered at all.

          1. John Lilburne Silver badge

            Re: Maybe..

            'Problem is proving that the USERS/Owners suffered at all.'

            Apparently it took down GitHub, Twitter, Reddit, Netflix, AirBnb so the world actually got smarter.

          2. Doctor Syntax Silver badge

            Re: Maybe..

            "Problem is proving that the USERS/Owners suffered at all."

            No. It's the suffering that users/owners are causing to others that's the problem.

      2. Doctor Syntax Silver badge

        Re: Maybe..

        "I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering."

        I think a few large corporations being exposed to risk like this will be able to apply as much emotional pressure as is needed to produce results.

      3. herman Silver badge

        Re: Maybe..

        I think the pretty useless FCC and CE certification standards should be expanded to include security standards and pen tests for connected devices. That will exclude the craprouter manufacturers from most of the world markets unless they improve their toys.

    3. macjules Silver badge
      Black Helicopters

      Re: Maybe..

      The "TPTB" would not take the action you require simply because Twitter and Netflix were down for a while. No, you need a DDOS attack on a bank, a hospital network, an ATC centre or anything that can seriously scare them.

      1. Doctor Syntax Silver badge

        Re: Maybe..

        The "TPTB" would not take the action you require simply because Twitter and Netflix were down for a while.

        Can't Netflix and Twitter afford to buy a few politicians or do any lobbying?

    4. YetAnotherLocksmith

      But it was secure yesterday

      n/t

    5. Mage Silver badge

      Re: Maybe..

      There is actually no solution to this.

      1. Anonymous Coward
        Anonymous Coward

        Re: Maybe..

        There is actually no solution to this

        You could be right, but I think that this will spur the rise of a closed "internets" owned by Farcebook and Google. They can apply controls on these kinds of bots as well as controlling free speech. Dystopian future draws nearer.

      2. bboyes

        Re: Maybe..

        The devious cracker break-in technique? "...logging into devices using their default, factory-set passwords". Something comes to mind along the lines of "you can lead a horse to water..."

    6. heyrick Silver badge
      Stop

      Re: Maybe..

      "And then make it illegal to run a vulnerable device if it's connected to the net."

      Another fine law to make criminals out of ordinary people.

      I have an IPCAM. I wanted it mostly as a toy, but it is useful for keeping an eye on things when I'm not around. See what the cat is up to, etc.

      Out of the box, it uses uPNP to punch a hole in the router for itself. It announces its presence to several foreign servers, and it has a default telnet login of root/123456.

      I've hacked the startup script (luckily writeable) to replace the hosts file numerous times at boot to direct all of the domains that the camera uses to localhost (obtained by connecting the camera to network sharing on my PC and wiresharking what happened during boot). The uPNP failed as I've disabled that on the router. There's a STUN to an IP address that I can't do anything about (my router is an Orange Livebox so it doesn't do fancy things like blocking individual IP addresses). The default password cannot be changed. I can use chpasswd but the next time the thing is rebooted, the firmware writes a new passwd file with the root/123456 combination. I also very much doubt the online firmware upgrade is in any way secure. I will, some day, make a binary hack to the main program file to replace the firmware cgi filename with gibberish (to disable that) and change the baked in password to something else. I tried a sleep 60 in the boot script, but the thing overwrote it with the default. It's of lower importance as you'd need to be in my local network to access it.

      I'm a nerd. I could play with this and fiddle with it. I'm sure many people will just buy the device, plug it in, and expect it to work with "the app". If that's all it takes to be a criminal, there's no hope.

      1. Wayland Bronze badge

        Re: Maybe..

        "Another fine law to make criminals out of ordinary people."

        It would be illegal to hack into someone's network and spy on them. It ought to be illegal to create a Trojan program to do that. Is it illegal to sell a device like an IP cam that does that?

        There is an IP cam with a web interface that Google has spidered into its search. You can find them and view the video. You could probably also upload new firmware to someone else's camera. They did this to UBIQUITI wireless kit earlier this year and those things had passwords.

      2. Mage Silver badge

        Re: Maybe..

        " it uses uPNP to punch a hole in the router for itself. It announces its presence to several foreign servers, and it has a default telnet login of root/123456.

        I've hacked the startup script (luckily writeable) to replace the hosts file "

        Disable uPNP on your firewall / router.

        Setup a VPN (properly) to your home network if you want to remotely access stuff on it.

        1. heyrick Silver badge

          Re: Maybe..

          "Disable uPNP on your firewall / router."

          That was the second thing I did (after changing the router's default password). I spotted the uPNP requests in wireshark. As for uPNP itself - horrendous idea. Anything that needs to receive incoming data can fail nicely and/or ask for permission.

          But letting IoT devices grant themselves authorisations? Ain't gonna happen.

          [Bootnote: Orange sets the Livebox to support uPNP by default. People can buy stuff, plug it in, and "it just works". I wonder how many even understand what this process entails?]

          1. Steve Davies 3 Silver badge

            Re: Maybe..

            Stuff the routers/firewalls supplied by the ISPs.

            Make your own Firewall box that sits between the ISP router and your network devices. Then you can control everything and these crap devices can't get out and create links to the mothership.

            Also make them on a separate subnet to your printers and computers and you know, good stuff.

            None of these devices will get on my network even though I already have my own Firewall made from a fanless NUC.

            We need to make the stores and online tat shops like Amazon and Ebay stop selling this crap. Only then might we get somewhere before it is too late.

            Getting the politicians to act before we lose a country from the internet for say a week will be impossible I'm sad to say but we the more informed amongst us can do our bit and make sure that we are not part of the problem.

            1. John Brown (no body) Silver badge

              Re: Maybe..

              "We need to make the stores and online tat shops like Amazon and Ebay stop selling this crap."

              Since both Amazon and eBay were affected by this outage, one wonders if either or both of them will take any notice. Did it hit their bottom line in sales? Chances are, no, it didn't. Sales may have dropped short term but most people trying to buy will simply try again later, so overall, the bottom line was barely touched, if at all.

              Now, if we can get some non-thinking US Congress Critter to jump on a band wagon and scream from the rafters that the US economy lost $billions in trade because of this....

      3. Richard Simpson

        Re: Maybe..

        Well maybe it would be excessive to actually prosecute end users, but running insecure devices could be made illegal indirectly via ISPs. I think it would be perfectly reasonable for ISPs to be required to identify customers whose devices are part of these botnets and then warn those customers. With the legal stick being that if the customer doesn't fix or disconnect the offending device in a reasonable period (say a couple of months) then they get cut off until they do.

        1. heyrick Silver badge

          Re: Maybe..

          "With the legal stick being that if the customer doesn't fix or disconnect the offending device in a reasonable period (say a couple of months) then they get cut off until they do."

          Aaaaand.... how long until somebody goes running to their lawyer because the compromise that did the damage in the first place came from.... yup, you guessed it. The Internet. Provided by the same ISP now making "fix it or else" threats.

      4. Doctor Syntax Silver badge

        Re: Maybe..

        "Another fine law to make criminals out of ordinary people."

        Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are.

        1. DropBear Silver badge
          WTF?

          Re: Maybe..

          "Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are."

          And cars have garages that can grant MOTs. What non-God-Tier-Entity do you have in mind that can in good faith assert that a given device is "safe"? It's exceedingly rare to discover major faults in an existing car which is why recalls work at all; with computing, it's the daily norm. So do please tell me you intend to equate "safe" with "all patches issued as of today being applied" so I can laugh all next week.

        2. Gio Ciampa

          Re: Maybe..

          Knowingly, yes...

          ...but I'll wager that 99.9% of the compromised device owners even knew they were involved.

          (I await the botnet running on (mandated) "smart" energy meters with interest...)

          1. heyrick Silver badge

            Re: Maybe..

            "(I await the botnet running on (mandated) "smart" energy meters with interest...)"

            Here in France there is a somewhat hated new smart meter called "Linky". It is not legal to refuse to accept it, and if you persist then EDF will back down and just bill a €€€€s call-out charge for each time the meter is read.

            I don't know how it talks to the mothership, but it'll be interesting if they think it is going to talk to my wifi. I can use my crappy IP camera as a good reason to say "either I audit the source code of this thing or you find some other method of communication".

            As an aside - a newspaper article quotes EDF as saying that the Linky does not catch fire. It's just incorrectly installed. Wait, remind me, exactly who installs meters? I also await with interest the first time this thing gets hit with lightning. We have overhead three phase to the house. It gets directly hit once every two or three years, and proximity hit several times a year. Our old meter predates me but takes this stuff in its stride. Is it optimistic or just silly to expect the Linky to be as reliable? What's worse - if there is a really bad storm, I can throw the breakers and turn everything off. Well, you can't take the meter out of circuit. Hmm.

        3. Kernel

          Re: Maybe..

          'Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are.'

          There's a difference between running a car on the roads that you have knowingly allowed to become unsafe, as opposed to one that was manufactured unsafe but you bought on the not unreasonable assumption that the manufacturer knew their business.

          There's always some dick-wit who tries to compare to cars, isn't there?

      5. AndrewDu

        Re: Maybe..

        "The default password cannot be changed"

        Dear God.

        It's almost like the manufacturers (or somebody...) wanted that device to be insecure and remotely compromisable.

        OK, I'll take off my tinfoil hat now.

    7. The Man Who Fell To Earth Silver badge
      FAIL

      Re: Maybe..

      Maybe some smart developer should make a free tool so that people can at least check out their local network for compromised devices.

      Not me.

      I'm too busy: https://www.youtube.com/watch?v=VASywEuqFd8

    8. Planty Bronze badge
      FAIL

      Re: Maybe..

      This is obvious clickbait, it suggests all IOT devices are vulnerable, but the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login.

      Worse still, this company only makes IP cameras, so to suggest this ddos was caused by routers, thermostats and toasters is just pure clickbait Horsecrap.

      It's however fashionable this month to hate anything IOT, so let's just ignore that....

      1. Doctor Syntax Silver badge

        Re: Maybe..

        "This is obvious clickbait, it suggests all IOT devices are vulnerable, but the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login."

        The answer lies somewhere in between. It might be a single manufacturer in this case and not everything is necessarily vulnerable but there have been enough reports of routers with telnet ports open on the internet side etc. You don't need to look back very far in el Reg to pick up these.

      2. Stoneshop Silver badge
        Headmaster

        Re: Maybe..

        the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login.

        That's a definition of 'reality' of which I was not previously aware.

        The Mirai code contains a list of default username/password combos for a number of devices of varying functionality, not just IP cams.

    9. Kiwi
      Linux

      Re: Maybe..

      And then make it illegal to run a vulnerable device if it's connected to the net.

      That'd mean kicking all them Windows users off the net.

      And all Macs.

      <unreadably small font>And for that matter, my Linux machines probably have some vulnerabilities in them that haven't been discovered... Yet... </unreadably small font>

      Seriously though.. That would kill all sorts of development work. Who would write and test code knowing that if they didn't find a security flaw, they or their customers could end up having to pay some sort of fine or worse? I hate Windows insecure crap as much as anyone, but there has to be some limits in here..

      (really must stop posting at 3am too..)

    10. Anonymous Coward
      Anonymous Coward

      The horse is already out of the barn and the barn's burned down

      But you blokes want a law to "fix it"

      Brilliant! Ain't no law gonna fix this problem. Massive bot armies are rampaging.

      We'll need a technical solution that ignores their requests. We'll basically have to turn them into millions of dead devices.

      And let the class action lawsuits on behalf of the consumers proceed at that point.

  2. Glenn 6

    Standards Bodies need notice

    In North America, you can't sell your electronic wares unless you have either a Canadian Standards Association (CSA), United Laboratories (UL), and possibly Federal Communications Commission (FCC) certifications to make sure they meet certain quality, safety, and in the case of FCC, RF emission standards.

    Perhaps it's time those bodies also include network safety standards being met? Companies need to be held to a high standard on these things, and they're clearly not.

    At the minimum, when things like this happen, there needs to be an investigation, and laws in place where corporations who cheap out on proper locking down of their devices are held to account.

    1. Doctor Syntax Silver badge

      Re: Standards Bodies need notice

      "Perhaps it's time those bodies also include network safety standards being met? Companies need to be held to a high standard on these things, and they're clearly not."

      Agreed. This is something I've been saying for some time. Also it should be added to CE requirements in Europe.

      The trouble is the existing deployed fleet. Those need to be fixed or taken off-line if they're not fixable.

      1. Dan 55 Silver badge

        Re: Standards Bodies need notice

        CE requirements would be useless, CE is crap, it's the manufacturer which self-certifies.

        The manufacturer should pay for tests by an independent body before going to market. No pass or no testing means fines for the manufacturer if they bring it to market and fines for the retailer who stocks it.

        Yes, this will drive up the overall price of goods, but, guess what, security costs.

        (I did say a few days ago that a 'not certified' sticker would warn the customer not to buy the tat and choose some tat with 'certified' sticker instead, but in the light of recent events that obviously isn't going to work.)

        1. Mark 110 Silver badge

          Re: Standards Bodies need notice

          Just enforcing a standard that all devices need a unique admin password of certain length structure and randomness ought to be a good start and not that hard for a device manufacturer to implement.

          1. JLV Silver badge
            Paris Hilton

            Re: Standards Bodies need notice

            Nice. But what about a default, one-time use, std user/pass combo that you _need_ to change on setup.

            Hardcoded into default factory setting, but that can only be done from a physical switch. Higher price point devices can implement other solutions for when remote password resets are needed.

            Basically demonstrate that you've spent at least 10 mins around a beer thinking about security. This may yet be a wakeup call.

            Plus, imposing reasonable import regulations re being fit for purpose should please all the nationalist types, no?

            Paris cuz she's better at security than some of these folk.
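Mark 110 proposes a standard requiring every device to ship with a unique admin password of enforced length and randomness; JLV adds that the factory credential should be single-use, forcing a change at setup, with the factory default restorable only from a physical switch. The following is an added example, not code from the thread or from any device vendor, that models both proposals together; the class and method names are invented for illustration, the password policy numbers (12-character minimum, three character classes) are assumptions, and the short deny-list is constructed around the root/123456 credential quoted earlier in the thread.

```python
"""Per-unit factory credentials with a forced first-login change.

Added example (not the thread's or any vendor's code).  Models:
  * generate_unique_password(): one random password per unit at factory
    time, printed on the label, never the same across units;
  * meets_policy(): the length/character-mix rule a standard could enforce;
  * DeviceAuth: the factory credential is single-use (login succeeds only
    to demand a change), and factory_reset() honours a physical switch
    only, never a network request.
Hashing with PBKDF2 is the storage choice a real firmware should make; the
iteration count is kept modest here so the example runs quickly.
"""
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 12                                           # assumed policy value
MIN_CLASSES = 3                                           # assumed policy value
ALPHABET = string.ascii_letters + string.digits + "-_.!?@"
KNOWN_DEFAULTS = {"123456", "admin", "password", "root"}  # constructed deny-list
PBKDF2_ROUNDS = 50_000


def meets_policy(pw: str) -> bool:
    """Length, not a known default, and at least MIN_CLASSES character classes."""
    if len(pw) < MIN_LENGTH or pw.lower() in KNOWN_DEFAULTS:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes) >= MIN_CLASSES


def generate_unique_password(length: int = 16) -> str:
    """Factory-time generation from a CSPRNG; retried until it satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Admin credential state of one unit."""

    def __init__(self, factory_password: str):
        self._factory = factory_password      # in hardware: ROM / printed label
        self._apply_factory()

    def _apply_factory(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(self._factory, self._salt)
        self.must_change = True               # factory credential is single-use

    def login(self, password: str) -> str:
        """'denied', 'must_change_password' (no other operation allowed), or 'ok'."""
        if not hmac.compare_digest(self._hash, _hash(password, self._salt)):
            return "denied"
        return "must_change_password" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Rejects weak passwords and re-use of the factory credential."""
        if self.login(current) == "denied":
            return False
        if not meets_policy(new) or new == self._factory:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(new, self._salt)
        self.must_change = False
        return True

    def factory_reset(self, physical_switch_pressed: bool) -> bool:
        """Only the physical switch restores the factory credential."""
        if not physical_switch_pressed:
            return False
        self._apply_factory()
        return True


if __name__ == "__main__":
    label = generate_unique_password()
    unit = DeviceAuth(label)
    print("label password:", label)
    print("first login:", unit.login(label))
    print("change accepted:", unit.change_password(label, "Correct-Horse-42"))
    print("login with new password:", unit.login("Correct-Horse-42"))
```

Two points a standards body would care about are visible in the flow: the factory password is useless to anyone who reads it off a label after setup, because it is refused once changed and comes back only when someone presses the switch on the box; and a reboot does not touch the stored hash, which is the defect heyrick describes above in a camera whose firmware rewrites the passwd file at every boot.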

        2. DainB Bronze badge

          Re: Standards Bodies need notice

          So you will have strict requirements in EU and USA and will be attacked by botnet of routers from South America and Asia. How exactly is your idea going to stop that?

          1. Stoneshop Silver badge

            Re: Standards Bodies need notice

            So you will have strict requirements in EU and USA and will be attacked by botnet of routers from South America and Asia. How exactly is your idea going to stop that?

            "We can't stop them all so we might as well do nothing".
