One Default Password Might Have Fueled the Mirai IoT Botnet
The Mirai botnet, built from IoT devices, took advantage of a factory-installed default password, according to cybersecurity firm Flashpoint.
The Internet of Things (IoT)-based botnet that recently made headlines appears to have taken advantage of a default password in one company’s embedded management software — a password users can’t change, according to a blog posting today by security firm Flashpoint.
The vulnerability appears to apply to more than 500,000 devices around the world that are using public IP addresses.
The botnet, named Mirai, was used to conduct distributed denial-of-service (DDoS) attacks on the KrebsOnSecurity website and the hosting provider OVH last month. About a week ago, someone claiming to be the perpetrator published the code for the botnet, possibly as a safeguard against getting caught. (If the code is available to everyone, then ownership of the code isn’t necessarily incriminating.)
The attacks came mostly from Internet-connected video devices such as surveillance cameras. Flashpoint dug a little deeper and found that a common thread among many of the devices was the use of management software from Hangzhou Xiongmai Technology Co. in China.
Flashpoint is not accusing Xiongmai of anything malicious, nor was Xiongmai necessarily any more careless than countless other embedded-software vendors. The problem of default passwords pervades industries whose devices didn’t use to have Internet connections — medical equipment comes to mind. Note also that devices other than Xiongmai’s participated in the attack; Mirai is programmed to go on the prowl for easily accessed IoT devices to add to its armada.
Here’s the fun part: Changing the passwords on IoT devices won’t necessarily solve the problem. Users can change the password that’s used for accessing the device from the web, but devices often have a separate login to grant administrators access through common protocols such as SSH and Telnet. These credentials are sometimes factory-installed and not changeable by the user.
This appears to be the case with the Xiongmai-based devices. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist,” writes Flashpoint researcher Zach Wikholm in the company’s blog entry.
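The gap described above, between the accounts the web interface manages and the logins the operating system will accept, can be checked during a firmware review. The following is an added example, not code from the article or from Flashpoint: it reads standard `passwd` and `shadow` files from an unpacked firmware image and lists login-capable accounts that the web interface does not manage. The file contents, account names and the `web_managed` set are constructed assumptions.

```python
# Constructed sample files, as they might appear in an unpacked firmware image.
SAMPLE_PASSWD = """\
root:$1$EXAMPLE$CONSTRUCTEDHASHPLACEHOLDER:0:0:root:/:/bin/sh
admin:x:1000:1000:web admin:/home/admin:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
guest:x:1001:1001:guest:/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
admin:$1$EXAMPLE$ANOTHERCONSTRUCTEDHASH:17000:0:99999:7:::
guest::17000:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_colon_file(text):
    """Split a passwd/shadow style file into rows of fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows

def password_state(field):
    """Classify a password field as 'empty', 'locked' or 'set'."""
    if field == "":
        return "empty"      # no password required at all
    if field[0] in "*!":
        return "locked"     # cannot authenticate with a password
    return "set"            # a hash is baked into the image

def unmanaged_logins(passwd_text, shadow_text, web_managed):
    """Return (user, state) for login-capable accounts the web UI does not manage.

    web_managed is the set of account names the web interface lets the owner
    change; how to obtain it is device-specific and assumed here.
    """
    shadow = {r[0]: r[1] for r in parse_colon_file(shadow_text) if len(r) >= 2}
    findings = []
    for row in parse_colon_file(passwd_text):
        if len(row) < 7:
            continue        # malformed entry
        user, pw, shell = row[0], row[1], row[6]
        if pw == "x":       # real field lives in shadow; missing entry = locked
            pw = shadow.get(user, "*")
        state = password_state(pw)
        if shell in NOLOGIN_SHELLS or state == "locked":
            continue
        if user not in web_managed:
            findings.append((user, state))
    return findings
```

A credential compiled into a service binary would not appear in these files, so a clean result covers only the system account database.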
This material may not be copied, reproduced, or modified in whole or in part for any purpose except with express written permission from an authorized representative of SDNCentral, LLC. In addition to such written permission to copy, reproduce, or modify this document in whole or part, an acknowledgement of the authors of the document and all applicable portions of the copyright notice must be clearly referenced. All Rights Reserved.