How the Grinch Stole IoT
October 18, 2016 9:24 AM

How the Grinch Stole IoT — Level 3 Threat Research Labs reports on the Mirai malware, which has spawned numerous botnets, including the one responsible for the distributed denial-of-service attack that took down the popular KrebsOnSecurity blog (previously).
posted by tonycpsu (22 comments total) 10 users marked this as a favorite
 
As usual, weak security practices in consumer electronics gear are a large part of the problem here, but I found this report particularly interesting because of the bit where it talks about the Mirai botnet's C2 servers being DDoSed by another botnet. No word on when we'll see the Botnet Wars Episode One trailer.
posted by tonycpsu at 9:25 AM on October 18, 2016 [4 favorites]


Waiting for the scene in a techno-thriller

General: We must take down that botnet before it launches all the nukes in the world.

Geek tech: We can do that but it'll shut down all the devices.

Pretty Spy: Those *devices* are pacemakers in millions of elderly Americans, including your mother, General.

General: Throw throw the switch.

We see nursing homes across the land, crowds of little old ladies dropping like flies.
posted by sammyo at 9:33 AM on October 18, 2016 [4 favorites]


If you want to despair for ever having a secure IoT, take a look at the list of vulnerable devices, and then threads like these. And as long as consumers' first impulse is to click on "Sort by Price: Low to High", this is what we're going to see.
posted by phooky at 9:42 AM on October 18, 2016 [3 favorites]


Also, and this appears to be real, sometimes Mirai will connect to an old school MUD. Here's what the login screen looks like. Metal!!!
posted by phooky at 9:46 AM on October 18, 2016 [2 favorites]


"And as long as consumers' first impulse is to click on "Sort by Price: Low to High", this is what we're going to see."

What do prices have to do with a lack of security?
posted by I-baLL at 10:05 AM on October 18, 2016


...it's far cheaper to sell every unit with the admin passcode baked into the chip than it is to have them configured with unique or semi-unique access codes. And that doesn't even get into how hard and expensive it is to also include a requirement that the end user set a new password AND test the device to make sure it isn't leaking the passwords.

Cheap is nice for consumers, but cheap and secure generally is not feasible.
posted by caution live frogs at 10:10 AM on October 18, 2016 [6 favorites]


In the Windows XP days where PCs got owned within minutes of being connected to the net, some gray hats took over and patched botnets. Maybe that should happen again.
posted by Foci for Analysis at 10:16 AM on October 18, 2016 [2 favorites]


"...it's far cheaper to sell every unit with the admin passcode baked into the chip than it is to have them configured with unique or semi-unique access codes."

It's far cheaper to sell every unit with firmware not baked into custom chips but written to generic flash memory chips. If you can update firmware then the firmware (and the admin passcodes) aren't "baked in".
posted by I-baLL at 10:24 AM on October 18, 2016


How the Grinch Stole IoT

Stole?

STOLE????

Was there anyone that thought IoT actually wasn't going to end up being a security shitstorm only a marketing department would love? If there was, slap them for me.
posted by Thorzdad at 10:30 AM on October 18, 2016 [20 favorites]


Was there anyone that thought IoT actually wasn't going to end up being a security shitstorm only a marketing department would love?

Alright buddy, you explain how we're supposed to make buckets of short-term money that sells out our future while prioritizing security? Huh? Smart guy?
posted by lumpenprole at 11:31 AM on October 18, 2016 [4 favorites]


We Put A Chip In It
posted by rhizome at 11:34 AM on October 18, 2016 [3 favorites]


It's far cheaper to sell every unit with firmware not baked into custom chips but written to generic flash memory chips. If you can update firmware then the firmware (and the admin passcodes) aren't "baked in".

This isn't actually how this stuff works. Pretty much all of these devices have some sort of writable area that holds the passwords, or you wouldn't be able to change them at all. The question is does your manufacturing process support shipping them with unique passwords (which also have to be printed on labels on the devices so you know what the password is to connect the first time) or do all the passwords start out the same. The former is more secure, but more costly.
posted by tonycpsu at 11:35 AM on October 18, 2016 [7 favorites]


The question is does your manufacturing process support shipping them with unique passwords (which also have to be printed on labels on the devices so you know what the password is to connect the first time) or do all the passwords start out the same. The former is more secure, but more costly.

OK, but one thing I've always wondered about these devices -- besides why the hell do they exist -- is why don't they require a password change on first login, and not permit use of the default password? That's easy to do in software, it solves the problem for 100% of cases, and it's hardware and packaging agnostic. Is it just because it makes setup (and maybe support) more complex?
posted by The Bellman at 11:58 AM on October 18, 2016 [2 favorites]
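One way to implement the first-login requirement the comment asks about, as an added example that is not from the Level 3 report or any vendor's firmware (the class, its method names, the `remote_login_allowed` gate and the 12-character minimum are assumptions):

```python
import hashlib
import hmac
import os

# Constructed example: a factory default shared by every unit, which the
# device must never accept as a working credential once setup has run.
FACTORY_DEFAULT = "admin"


class DeviceCredentials:
    """Admin credential store that forces a password change on first login."""

    def __init__(self, default_password: str = FACTORY_DEFAULT) -> None:
        self._default = default_password
        self._salt = os.urandom(16)
        self._hash = self._derive(default_password)
        self.setup_complete = False  # True once a non-default password is set

    def _derive(self, password: str) -> bytes:
        # Salted PBKDF2 so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> str:
        """'ok', 'must_change' (default accepted only to set a new one) or 'denied'."""
        if not hmac.compare_digest(self._derive(password), self._hash):
            return "denied"
        return "ok" if self.setup_complete else "must_change"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; the factory default is never allowed as the new value."""
        if self.login(current) == "denied":
            return False
        if new == self._default or len(new) < 12:
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.setup_complete = True
        return True

    def remote_login_allowed(self) -> bool:
        """Telnet/web admin stays closed until setup is complete (assumed policy)."""
        return self.setup_complete
```

Because `set_password` refuses the default both at first setup and on every later change, a device can never be returned to the shared credential by mistake.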


Because customers want (or marketers think they want) devices that ~~just work~~.
posted by dilaudid at 12:17 PM on October 18, 2016 [4 favorites]


Yeah, the other big challenge is that whether the exploit is default username and password, or something deeper, there's no incentive for the router makers to update the firmware. I mean, phone manufacturers are being okay with sending you later versions of the operating system, but I've got a tablet with Android 4.4; at some point Acer made a later release available, but that got pulled before I got my hands on the tablet. So I'm pretty sure that tablet is vulnerable to a well crafted JPEG, but there's nothing I can do to fix it short of ditching the tablet.

Similarly, hardware improvements and a lack of revenue for software updates means that router manufacturers would far rather you throw away your router after a year or so than keep it running, but my router needs haven't changed in over half a decade, so why should I change out that hardware?

And from a consumer standpoint, there's no real value in me "future proofing" my "investment" in computer stuff when for my home network the $35 router will do almost everything I need, and the $250 router depreciates at the same rate.
posted by straw at 12:23 PM on October 18, 2016 [4 favorites]


sometimes Mirai will connect to an old school MUD
~> telnet 5.206.225.96
Trying 5.206.225.96...
telnet: Unable to connect to remote host: Connection timed out
Jim, how do I get into that system? I want to play those games.

I mean, just because it's called a MUD...
posted by Ogre Lawless at 1:12 PM on October 18, 2016 [2 favorites]


Huh - according to their infection map, Canada appears to be incredibly safe for a country located next to what appears to be the heaviest infection zone (US)...

Either that, or their reverse GeoIP lookup service does not account for Canadian IP addresses...
posted by jkaczor at 1:35 PM on October 18, 2016


Huh - according to their infection map, Canada appears to be incredibly safe for a country located next to what appears to be the heaviest infection zone (US)...

Either that, or their reverse GeoIP lookup service does not account for Canadian IP addresses...


I would think that would just be because of relative populations and number of devices available to infect. Doesn't explain how Brazil has nearly as many infections as the USA though.
posted by rodlymight at 5:05 PM on October 18, 2016 [1 favorite]


Are we not using the internetofshit tag anymore?
posted by indubitable at 5:33 PM on October 18, 2016 [1 favorite]


Are we not using the internetofshit tag anymore?

How thoughtless of me. Fixed!
posted by tonycpsu at 5:37 PM on October 18, 2016 [2 favorites]


Internet of shit.
internet of shit
posted by thewalrus at 9:14 PM on October 18, 2016



This thread has been archived and is closed to new comments