Source code unleashed for junk-blasting Internet of Things botnet

Malicious code used to press-gang IoT connected devices into a botnet was leaked online over the weekend. The Mirai malware is a DDoS Trojan and targets Linux systems and, in particular, IoT devices. A botnet formed using the malware was used to blast junk traffic at the website of security researcher Brian Krebs last month in …

  1. Anonymous Coward
    Flame

    One way...

    ...all compromised devices get their traffic sent directly to the manufacturers website by the ISPs, even with a default path, y'know to help them out...

    http://uselesstat/support/update *

    See how long it takes them to get patched when their own site goes dark

    * no https as no doubt it won't exist.

    1. TeeCee Gold badge
      Facepalm

      Re: One way...

      Very sensible and clever.

      One question. How?

    2. Anonymous Coward
      Anonymous Coward

      It would seem

      That creating random default passwords and printing them on the same sticker that has the device's unique serial number and unique MAC address printed on it would go a long way towards dealing with this issue. The device is already being programmed with that unique info (serial number and MAC address). What's adding another unique item burned into the unit when those items are burned in going to cost?

      1. Sandtitz Silver badge

        Re: It would seem

        The consumer devices should accept by default only private network addresses, i.e. from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. The restriction should then be removed once the user is able to change the default password to something non-trivial. Telnet and other services (such as UPnP) except HTTP (redirected-to-HTTPS) should be disabled by default.
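        The policy described above, as an added example (not code from the thread or from any vendor's firmware): management connections are accepted only from the three RFC 1918 ranges named until the factory default password has been replaced with something non-trivial, and only HTTP (redirected to HTTPS) and HTTPS are exposed at all. The service names, the list of known defaults, the 12-character floor and the sample addresses are assumptions made for the example.

```python
"""Added example, not vendor code: admin-plane access gate for a consumer device.
Default credentials => reachable from RFC 1918 source addresses only; once a
non-trivial password is set the source restriction is lifted. Only the web UI
is ever listening (HTTP redirects to HTTPS); telnet/UPnP/SSH are not in the table."""
import ipaddress

# The three private ranges named in the thread (RFC 1918).
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed sample of factory defaults that must not be accepted as a "new" password.
KNOWN_DEFAULTS = frozenset({"admin", "password", "1234", "root", "user", ""})

# Services that exist at all, and what to do with them. Anything else is dropped.
SERVICE_POLICY = {"http": "redirect_https", "https": "serve"}


def is_private_source(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in PRIVATE_NETS)


def is_trivial_password(pw: str) -> bool:
    """Reject known defaults and anything too short to resist a scanner's wordlist."""
    return pw.lower() in KNOWN_DEFAULTS or len(pw) < 12


class AdminGate:
    """Tracks whether the factory credential is still in place and decides,
    per inbound request, whether the management plane may be reached."""

    def __init__(self) -> None:
        self.password_changed = False

    def set_password(self, new_pw: str) -> bool:
        """Accept a replacement admin password; LAN-only mode ends only on success."""
        if is_trivial_password(new_pw):
            return False
        self.password_changed = True
        return True

    def decide(self, src_addr: str, service: str) -> str:
        """Return 'drop', 'redirect_https' or 'serve' for one request."""
        action = SERVICE_POLICY.get(service)
        if action is None:
            return "drop"                      # telnet, upnp, ssh ... never listen
        if not self.password_changed and not is_private_source(src_addr):
            return "drop"                      # default creds still set: LAN only
        return action


if __name__ == "__main__":
    gate = AdminGate()
    print(gate.decide("203.0.113.7", "https"))                # drop
    print(gate.decide("192.168.1.20", "http"))                # redirect_https
    print(gate.set_password("admin"))                         # False
    print(gate.set_password("correct-horse-battery-staple"))  # True
    print(gate.decide("203.0.113.7", "https"))                # serve
```

        Two caveats a practitioner would add: a device behind carrier-grade NAT will see 100.64.0.0/10 or IPv6 ULA sources from its own LAN side, so the private-range list needs tuning per deployment, and a stricter variant keeps the WAN side closed even after the password changes and relies on a VPN or vendor relay for remote management.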

      2. John 104

        Re: It would seem

        @AC

        How about making the user name the serial number and the password the MAC. No extra printing required and readily available for the end user.

        1. This post has been deleted by its author

        2. Ben Tasker Silver badge

          Re: It would seem

          The only thing to watch out for with that is manufacturer idiocy. IIRC when BT first moved from having a generic default WEP/WPA password on the Homehub they went with the serial number. Unfortunately it was possible to get the AP to tell you its serial before you'd authenticated.....

          You can almost guarantee at least one manufacturer will drop that info into the http headers, or body to aid in identifying the kit when they get a support call

  2. Mage Silver badge
    Pirate

    Lack of regulation, blah, blah

    Regulators and Government are "captured" by Telcos and Big Corporations. Thusly they avoid pro-actively enforcing existing privacy, SOGA and other consumer rights. They figure it's only worth bothering if the medja and a large number of activist voters protest.

    Radio call in shows are a panacea, they only count OFFICIAL complaints, the actual department to complain to and the procedure are usually opaque.

    This could be easily dealt with, products could lose CE / CSA / UL / FCC etc, companies and directors could be fined, as could importers and retailers. But Governments are not interested in enforcing EXISTING regulations.

    1. Charles 9 Silver badge

      Re: Lack of regulation, blah, blah

      Companies could care less about standards compliance (they'll fake it or use Amazon/eBay to ship them straight from China, which doesn't care), directors will be out of the law's reach (in anti-extradition countries), and the governments WANT Big Brother avenues. So NOT so easily dealt with.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lack of regulation, blah, blah

        Companies could care less about standards compliance

        Are you saying that the companies actually care about standards compliance and should care less about it? Or do you mean that Companies couldn't (could NOT) care less?

        1. Adam 1

          Re: Lack of regulation, blah, blah

          > could vs could not care less for left pondians.

          https://www.youtube.com/watch?v=om7O0MFkmpw

  3. allthecoolshortnamesweretaken

    Yes, "the net has a huge IoT problem” already, and it's getting bigger by the hour.

    You could almost think that the very idea of IoT as such was conceived by someone who always dreamt of shutting down the internet... Quite ironic, come to think of it. The original idea was to build a network that would survive a nuclear war between superpowers. Now it looks like it will be destroyed by our security cams and toasters.

    File under "can't make this shit up".

  4. Anonymous Coward
    Anonymous Coward

    Internet of ...

    ... Turds.

    1. Anonymous Coward
      Anonymous Coward

      Re: Internet of ...

      Turds degrade biologically quite rapidly and therefore disappear as a problem. These cheap IoT devices will be around for a long, long time.

      1. John Brown (no body) Silver badge

        Re: Internet of ...

        Coprolites?

      2. Anonymous Coward
        Anonymous Coward

        Re: Internet of ...

        @AC

        Only as long as gullible twats buy the stupid pointless things.

  5. Olius

    V****n manage to supply cable routers with long, strong, random passwords with stickers on the back of the device showing the password... why can't the rest of them?

    1. TeeCee Gold badge
      Meh

      Many suppliers do this. Amazing how many people then put them in places so said sticker[1] can be easily read through the nearest window....(!)

      You may be able to secure a device, but you cannot prevent its owner then proceeding to royally fuck it up.

      Best of breed here is probably Bloody Terrible, who at least put the sticker on a pull out bit that cannot be read in situ. Next best is to put it on the bottom of the device.

      [1] Usually sporting the SSID, WiFi password and admin details to make life really simple for any passing s'kiddie. See also eggs and baskets.

      1. cantankerous swineherd Silver badge

        Not sure the threat model needs to include dastardly Chinese hackers walking around?

    2. Rich 11 Silver badge

      By happy coincidence I received my new V****n router on Saturday. I was surprised to see that the username and password were available in five places: the base of the router, a pull-out tag for the router and on three sticky labels (which presumably you're meant to slap on the side of your laptop or whatever -- at least, if you're not meant to you can damn well bet that most people will do so). That makes it a necessity to change the password right away (which you can damn well bet that most people will not do). There was mention in the instruction booklet of a management URL you could use for this, but the booklet didn't give the URL. I eventually found it on the base of the router, in such tiny print that I needed a magnifying glass to even confirm that it was a URL, let alone to read it correctly.

      So, all in all, a mixed bag. I can sympathise with the difficulty of finding an acceptable solution, though, given that the majority of their customers would sooner or later run into problems if asked to change the password.

      On the plus side, the router firmware looks to be self-updating. I'll reserve my final opinion on that until I see it in action.

      1. Peter 26

        "By happy coincidence I received my new V****n router on Saturday. I was surprised to see that the username and password was available in five places"

        It is pretty shitty physical security. But the vast majority of people are computer illiterate and are never going to change the password anyway. If we have to sacrifice physical security to stop the far more plausible threat of attacks via the Internet, then I think it's a good compromise.

      2. Jonathan Richards 1
        Alert

        Not the password in question

        Many of the preceding mentions of router security are talking about defaults for and securing of Wi-Fi network passwords (WEP, WPS). These are not the passwords we are talking about when compromising an IoT device: we are talking about the admin interface password, and/or the default password for an SSH or Telnet connection. After all, the DDOSers are not within range of your wireless network!

    3. Baldy50

      Just turned all these off on new V router, wise or not?

      IPv4 firewall protection

      Block fragmented IP packets

      Port scan detection

      IP flood detection

      Nice to be back, no Internet for over a week and got very bored, went through the boot notes first and do the writers on El Reg have some fetish for the nether regions?

      1. Anonymous Coward
        Anonymous Coward

        Depends

        If you are using the router AS a router then prolly not, but IF you are using it as a modem then it will have disabled em anyway.

        Besides, you should ALWAYS run a "provider" supplied router as only a modem if possible and route it into something decent. Draytek in my particular case.

    4. tr1ck5t3r

      Because the spooks can't hack them and spy on you, and cyber crime units would be out of a job looking at porn. Not many jobs you can do looking at porn, but the other one I know of is the SEC. http://edition.cnn.com/2010/POLITICS/04/23/sec.porn/

  6. Frozit

    Routers anyone?

    Who puts their IOT devices on the open side anyway? Who can afford the IP addresses?

    1. AIBailey Silver badge

      Re: Routers anyone?

      Who can afford the IP addresses?

      IPv6. Your online toothbrushes are simultaneously spearheading the migration of the internet away from IPv4, whilst also bringing said internet to its knees.

    2. Warm Braw Silver badge

      Re: Routers anyone?

      They most likely have them on the other side of their firewall but with ports forwarded - probably by UPnP. How else are you going to be able to watch your CCTV camera from your mobile phone?

    3. Anonymous Coward
      Anonymous Coward

      Re: Routers anyone?

      Upnp.

      1. Number6

        Re: Routers anyone?

        That's one of the first things I disable whatever the product. Anything wants a special accommodation on my network, it can ask nicely. Or just refuse to work and I'll figure out what needs to be done and decide whether I'm going to allow it.

        1. Version 1.0 Silver badge

          Re: Routers anyone?

          I set my systems up so that DHCP hands out an address range - and that address range is blocked from any modification of the firewall operating parameters.

    4. tr1ck5t3r
      Trollface

      Re: Routers anyone?

      Who uses encrypted comms from inside a firewall? Is that encrypted data yours or mine?

  7. Warm Braw Silver badge

    Companies entering this space need to think about longer term impact

    Companies entering this space are looking for a quick return. They're not going to think about the "longer term" just because someone asks nicely.

    1. Charles 9 Silver badge

      Re: Companies entering this space need to think about longer term impact

      They don't care about the long-term risks. If anything happens, they'll just play shell games, disappear and reappear as a new company.

  8. John Smith 19 Gold badge
    FAIL

    common login creds are a design *pattern*

    Which devs should purge from their tool box ASAP.

    But won't because it's easy and (it seems) dev tools to create (and configure) unique strong ones into their hardware are absent from the standard dev tool box.

    1. Tomato42 Silver badge
      Boffin

      Re: common login creds are a design *pattern*

      we call those antipatterns

  9. Stevie Silver badge

    Bah!

    So realistically, what can be done to clean the net after this particular Genie is out of the bottle? Not talking about how to nail down your stupid lightbulbs so they stop spreading their legs for anyone who gives them a smile, but about the currently infected tat. How do we clean house?

    1. IanCa

      Re: Bah!

      can some white hatted dev'y types please

      - decode it for us non-C speakers (speaking as a network geek who can cope with anything at network layers, but my C stopped 25 years ago, and it was sh&t then)..

      - hopefully there is some signature that ISPs can be leaned on to scan for, possibly filter, and contact customers about..

      - produce a benign version for counter-hacking (set random secure password, close open ports etc) and then have a big argument about how to use it..

      1. John Brown (no body) Silver badge

        Re: Bah!

        "- hopefully there is some signature that ISP's can be leaned on to scan for , possibly filter, and contact customers about.."

        It's been mooted for years that ISPs could monitor and detect malware emissions from customer IP address and sandbox them so they can only reach an information page telling the customer to clean their shit up. Maybe an impending webocalypse might force them to do something as a matter of self defence from zombie armies of CCTV, baby monitors, toothbrushes, toasters and fridges.

        1. Stevie Silver badge

          Re: Bah!

          All this advice only works for proper computers with engaged IT staff administering them.

          How do we clean up a world filled with pwned lightbulbs owned in the most part by people who do not know their tat is infected, do not understand what the problem is and therefore do not care?

          The issue is, how do we who DO care clean up THEIR tat and then make sure it doesn't happen again?

          I can't see a way, which is why I asked.

    2. Adam 1

      Re: Bah!

      > How do we clean house?

      There was this novel approach after the blaster worm hit in 2003.

      https://en.m.wikipedia.org/wiki/Welchia

    3. choleric

      Re: Bah!

      If the exploit code is released open source, how about the device source code is open sourced too so it can be patched?

  10. Jeroen Braamhaar
    Mushroom

    "Reiner Kappenberger, global product manager at data security firm HPE Security, argued more guidance for IoT manufacturers was needed."

    As far as I can see the best 'guidance' is steering whoever invents a new (id)IoT problem-in-search-of-a-solution device behind the shed .... and delivering a mercy bullet.

    1. Version 1.0 Silver badge

      Guidance for IoT users

      I recommend ANSI spec B173.3.[1] Grasp firmly and swing hard in a downward motion. Wonderfully cathartic.[2]

      [1] ANSI B173.3-1991 Hand Tools - Heavy Striking Tools - Safety Requirements

      [2] *WHAM* *WHAM* *WHAM*

      1. Stoneshop Silver badge
        Devil

        Re: Guidance for IoT 'developers'

        As part of the certification process, the code you write will be deployed on a robotic arm, equipped with a striking tool as referred to in ANSI B173.3-1991. You will be immobilised in a chair, positioned so that the striking tool is able to reach various sensitive parts of your autonomy. The code will be given unrestricted access from the public Internet for 48 hours, during which you will be administered food and drink as per RSPCA guidelines.

        1. Captain Badmouth
          Headmaster

          Re: Guidance for IoT 'developers'

          <You will be immobilised in a chair, positioned so that the striking tool is able to reach various sensitive parts of your "autonomy".>

          Are you addressing the owner or his robot maid?

  11. Anonymous Coward
    Anonymous Coward

    Customers buy "devices" rather than difficult "computers" for their convenience, ease and stability, assuming that they have a long life-span.

    The realization that the detection and compromising of these devices are rapidly improving and that most of them will be easily the least secure thing in their home, except maybe for their smart-meter. :-)

    Security standards should include "rolling updates" and other aspects that require more powerful devices.

  12. ecofeco Silver badge

    Conspicously missing: IoT fanbois

    Hey IoT fanbois! Where are YOU?! Come out and play!

    We heard your emperor clothes look really cool and hip!

    1. Anonymous Coward
      Anonymous Coward

      Re: Conspicously missing: IoT fanbois

      I . . . . a . m . . . . . a . . . . . f . a . n . b . o . i . . . . b . u . t . . . . . f . o . r . . . . . s . o . m . e . . . . r .e . a . s . o . n . . . . m . y . . . . . . i . n . t . e . r . n . e . t . . . . c . . . . . . o . .n . .n . . . e . c . t . i . o . n . . . . i . s . . . . .v . e . r . y . . . . s . l . o . w . . . . . . . t . o . d . a . y.

      1. DropBear Silver badge

        Re: Conspicously missing: IoT fanbois

        You do realize the "D" in DDoS stands for "distributed", right? And that any given participating node isn't usually generating preposterously high traffic...?

  13. NanoMeter

    A bloody nightmare

    The IoTs are just in the starting phase. The real nightmare will start when everything is connected, people's light bulbs, door locks, TVs, etc. The nightmare will not only be IoT's zombified for DDosing, but burglaries and break-ins via IoT.

    1. Captain Badmouth
      Thumb Up

      Re: A bloody nightmare

      Amazon want you to give them a one time access code for your "smart" front door lock so's your parcel won't get half-inched by leaving it elsewhere.

      What could possibly go wrong?

  14. Fink-Nottle

    We can see you DDOS

    And we can see you, hardcore Double DOS fanboys ... multitasking in the 80's was such fun!

  15. Allan George Dyer Silver badge
    Joke

    Our only hope?

    No-one's going to update these insecure IoT devices that are already installed, and there will always be new insecure devices being sold by the latest manufacturers at the lowest possible price.

    Our only hope is to make the exploits known, release the source code, and rely on competing groups of miscreants spreading the DDoS more-or-less evenly over their targets, diluting the effect. The internet equivalent of the Bangkok rush hour... everyone gets to work... eventually.

    1. Roland6 Silver badge

      Re: Our only hope?

      The hope has to be that by making this exploit readily available by releasing source code, just as happened with the early worms, it kicks vendors into taking security more seriously..

      1. Allan George Dyer Silver badge

        Re: Our only hope?

        @Roland6 - You forgot the joke icon, right?

  16. NanoMeter

    IoT and break-ins

    This commercial is about to become a classic:

    https://www.youtube.com/watch?v=_CQA3X-qNgA

  17. Nicko

    Chicken Nuggets? WTF?

    The source code makes for interesting reading.... translating the embedded Russian, the Command and Control Centre prompt is....

    "I like chicken nuggets"

    ???

  18. E_Nigma
    Windows

    Bah!

    Multiple dial combination locks often come preset to some default combination, usually 000, and people don't have to be told to change that, so the concept really isn't above an average user's intelligence. People need to stop refusing to not be idiots when it comes to the digital stuff. And I don't mind letting those who can't be arsed learn the hard way.

    Sadly, as in this case, it's often others who fare the worst, so I suppose something needs to be done, but, like I said, I wouldn't shame the manufacturers in this instance: if any Tom, Dick and Harry know that 000 isn't a good combination to guard their bikes, why do they think that admin/admin is good enough for their security camera?!

    1. DropBear Silver badge

      Re: Bah!

      Except a dial combination lock is a dedicated security device that you purchase for the sole and consciously chosen role of securing something. A better analogy would be the gas cap on your lawnmower coming with a combination lock - how many people do you think would bother to change that one...? It has nothing to do with digital - it's all about the balance of perceived consequences ("Huh? What did you say DDoS stands for? And my kit is doing it? Really? Whodathunkit...", aka zero) and risk ("Yeah right, of all the people, the Russkies are out to pop my router...", aka zero). Darwin award candidates notwithstanding, most people are fairly good at protecting themselves against well known, proven threats - in that sense, the attitude is perfectly adjusted to the typical real-life consequences to the owner: none.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        Oh? Wait until they get (a) the overage bill, (b) a cutoff notice from your ISP, and/or (c) a visit from the LEOs because you're being pegged as either criminally negligent or an accomplice.

        The thing about risk mitigation only applies if people are cognizant of the risks. Trouble is, when it comes to the Internet, it's an "out of sight, out of mind" issue and people tend to walk stark naked down paths where in real life we wouldn't dare tread without waterproof waders, kevlar vests, and a ballistic helmet.

  19. H.Winter

    Default Passwords

    Reading through the list of passwords the scanner uses I got a laugh at the last entry.

    add_auth_entry("\x4F\x4D\x56\x4A\x47\x50", "\x44\x57\x41\x49\x47\x50", 1); // mother fucker
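    For the "non-C speakers" asking earlier in the thread, and for the entry quoted above, here is an added example (not code from the leaked Mirai source) that decodes the scanner's credential table. The leaked scanner XORs every byte of each string with the four bytes of its 32-bit table key, 0xDEADBEEF, one after the other; four XORs collapse into one, so the effective key is the single byte 0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22, and the quoted entry decodes to exactly the words the commenter reports. SAMPLE_SOURCE is constructed: its first line is the one quoted above, its second re-encodes admin/admin (the default mentioned elsewhere in this thread) with the same key, and that line's weight is made up.

```python
"""Added example, not Mirai's own code: decode the XOR-obfuscated
username/password pairs the leaked scanner registers via add_auth_entry().
The third argument is the weight the scanner uses to bias random credential
selection; it is kept as an integer."""
import re

MIRAI_TABLE_KEY = 0xDEADBEEF   # table key from the leaked scanner source

# Constructed sample: line 1 is the entry quoted in the thread,
# line 2 is admin/admin re-encoded with the same key (weight made up).
SAMPLE_SOURCE = r"""
    add_auth_entry("\x4F\x4D\x56\x4A\x47\x50", "\x44\x57\x41\x49\x47\x50", 1); // mother fucker
    add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 9);         // admin admin
"""

ENTRY_RE = re.compile(r'add_auth_entry\("([^"]*)",\s*"([^"]*)",\s*(\d+)\)')


def effective_key_byte(key: int = MIRAI_TABLE_KEY) -> int:
    """XOR of the four key bytes applied in turn: 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def deobf(blob: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """Reproduce the scanner's deobf(): XOR is its own inverse, so this also obfuscates."""
    k = effective_key_byte(key)
    return bytes(b ^ k for b in blob)


def c_string_to_bytes(lit: str) -> bytes:
    """Turn the body of a C string literal (hex escapes or plain characters) into bytes."""
    out = bytearray()
    i = 0
    while i < len(lit):
        if lit.startswith("\\x", i):
            out.append(int(lit[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(lit[i]))
            i += 1
    return bytes(out)


def parse_auth_entries(source: str) -> list:
    """Return (username, password, weight) for every add_auth_entry() call in source."""
    entries = []
    for m in ENTRY_RE.finditer(source):
        user = deobf(c_string_to_bytes(m.group(1))).decode("latin-1")
        password = deobf(c_string_to_bytes(m.group(2))).decode("latin-1")
        entries.append((user, password, int(m.group(3))))
    return entries


if __name__ == "__main__":
    for user, password, weight in parse_auth_entries(SAMPLE_SOURCE):
        print(f"{weight:3d}  {user}:{password}")
```

    Point the parser at the real scanner file and the whole wordlist falls out; the same list is what an ISP or a home user would feed into a telnet sweep of their own address space to find devices that still answer to one of these pairs.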

  20. SwitchedOnScotland

    IoT getting bad press due to ignorant people.

    Routers, IP cameras, digital video recorders are not IoT.

    This is your normal IP systems in use today that use TCP/UDP over IP.

    IoT are small things that are not considered as normal devices.

    They are mostly headless and very small and mostly not seen by humans at all.

    Most talk to hubs that then talk to the world via IP.

    This is poor host security here, they left the hardware in default mode with default passwords, fools they be.

    Please stop selling IoT security fears.

    We in IoT have solved the security requirement by using hardware public key cryptography.

    That's what I am using in IoT & LoRaWAN.

    Please wake up people, stop pointing fingers in the wrong direction.

    Does no one know how to do research!

  21. Anonymous Coward
    Linux

    IoT devices uses default passwords

    Is it technically possible to program the device such as the first time it's activated it generates a unique password? The user logs in from the PC through the browser, navigates to 192.168.1.1., clicks on 'generate password', takes note of said password, then reboots the device. Shurly these technological visionaries can come up with such a solution. After all, it took me four minutes to come up with the preceding solution.

    1. Charles 9 Silver badge

      Re: IoT devices uses default passwords

      But what about people with bad memories who suddenly need to get into their routers and can't...because they forgot the password? The problem with your solution is that you have to account for stupid who will still complain if they can't get into the stuff they bought outright with their own hard-earned dollars tout de suite.

      1. Anonymous Coward
        Anonymous Coward

        Re: IoT devices uses default passwords

        "But what about people with bad memories"

        They should use a mnemonic such as .. BillGatesBorgRedmondCunt .. 1955bigaborecu28 .. simples :)
