The widespread Internet outage last week has been traced to the infection of some 500,000 IP cameras and DVRs made by a single company in China – Hangzhou Xiongmai Technology – that shipped devices with weak default passwords.
But don’t indict the entire category of smart-home devices and the Internet of Things, says Will Price, founder of the home automation developer Simple Control (Roomie Remote) and an expert cryptographer who co-founded PGP, the company behind the most widely used email encryption software in the world (ultimately acquired by Symantec).
“A popular meme is that this [DDoS attack] is related to the ‘Internet of Things,’ but that’s just a marketing buzzword,” Price tells CE Pro. “Very specific network camera DVRs and camera firmware were involved in this particular attack. The budding Internet of Things has no more to do with this than the advent of the Internet caused Windows XP security problems. It is the vendors releasing products not properly secured that are at fault.”
In this case, a botnet scoured the Internet for easy targets, trying 68 combinations of user names and passwords, such as “admin” and “12345,” depositing “Mirai” malware on vulnerable devices and then commanding the devices to flood the Web.
The hackers have released the source code used in the attack, so copycat crimes are inevitable.
“This is an infrastructure attack,” Price notes. “Regular users are not threatened by this.”
Even so, the disruption was a stark reminder to consumers that factory-set passwords need to be changed for all connected devices and a wake-up call to manufacturers to quit enabling hackable credentials.
How to Find Default Passwords: Online User Manuals
Security expert Brian Krebs of the eponymous site performed a quick online review of devices with pre-set usernames and passwords, simply by looking for the information in the manufacturers’ installation guides.
His list of potentially vulnerable devices includes a Samsung camera (admin/1111111), Ubiquiti AirOS router (ubnt/ubnt), Axis IP cameras (root/pass), Panasonic printer (root/00000000) and numerous cameras and DVRs from Dahua, HiSilicon and others.
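The defensive counterpart to the attack described above is an audit of your own device inventory for factory-grade credentials. The following is an added example, not code from the article or from any vendor it names: it checks each inventory entry against the default pairs quoted in the article and against a few generic weak-password heuristics (password equals username, one repeated character, sequential digits, fewer than 8 characters). The device names and the inventory itself are constructed for illustration.

```python
# Factory credentials quoted in the article: the Mirai dictionary example and
# the devices from Brian Krebs's review of installation manuals.
KNOWN_DEFAULTS = {
    ("admin", "12345"),     # Mirai dictionary example
    ("admin", "1111111"),   # Samsung camera
    ("ubnt", "ubnt"),       # Ubiquiti AirOS router
    ("root", "pass"),       # Axis IP camera
    ("root", "00000000"),   # Panasonic printer
}

def _is_sequential_digits(s: str) -> bool:
    """True for runs like 12345 where each digit is the previous one plus one."""
    return s.isdigit() and len(s) >= 3 and all(
        int(b) - int(a) == 1 for a, b in zip(s, s[1:]))

def weak_reasons(username: str, password: str) -> list[str]:
    """Return every reason a credential pair looks factory-grade or weak.

    An empty list means none of the heuristics fired."""
    reasons = []
    if (username, password) in KNOWN_DEFAULTS:
        reasons.append("matches a published factory default")
    if password == username:
        reasons.append("password equals username")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if _is_sequential_digits(password):
        reasons.append("sequential digits")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons

def audit_inventory(devices: list[dict[str, str]]) -> list[dict[str, object]]:
    """Flag every inventory entry whose credentials trip at least one heuristic."""
    return [
        {"device": d["device"], "reasons": weak_reasons(d["user"], d["password"])}
        for d in devices
        if weak_reasons(d["user"], d["password"])
    ]

# Constructed sample inventory (hypothetical device names). In practice the
# credentials would come from a configuration export or vault, not a file.
INVENTORY = [
    {"device": "lobby-cam-1", "user": "admin", "password": "1111111"},
    {"device": "edge-router", "user": "ubnt", "password": "ubnt"},
    {"device": "dock-dvr", "user": "admin", "password": "12345"},
    {"device": "lab-printer", "user": "root", "password": "00000000"},
    {"device": "front-cam", "user": "root", "password": "Kq7!vL2m#wRt"},
]

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print(finding["device"], "->", "; ".join(finding["reasons"]))
```

Only the last device passes; the other four are exactly the kind of targets the 68-entry dictionary was built for.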
Price suggests, “Information on patching or even disconnecting vulnerable devices by specific models from the Internet needs to be more available – the equivalent of the airlines now announcing on every flight that Galaxy Note 7 devices are not allowed.”
Manufacturers should be publicly flogged for shipping smart devices with dumb defaults – or something like that.
“Vendors that continue to release products unpatched and vulnerable to these kinds of issues must be named and openly identified (usually end users have no idea this is even happening on their network) and for repeat offenders, shamed,” Price says.
Thwarting DDoS and other network attacks should be a national priority, he adds.
“DDoS is the primary attack mechanism in use today and defending against it requires nation-level oversight over routing and automatic DDoS detection and defense,” according to Price. “This infrastructure does not exist today so each of these events requires effectively a one-off solution.”
As it happens, the attack coincides with the U.S. government’s surrender of the Domain Name System (DNS) to an international body, ICANN. The target of the attack was Dyn, a major DNS provider.
“The U.S. is now in a much more precarious position than it was previously relative to DNS attacks,” Price says.
He warns that this most recent attack was just a practice run, like the test fire of a missile – “a warning that we need to get our infrastructure in place to defend in the future against significantly improved versions of this attack.”
In the meantime, change those usernames and passwords, people.