Weak Credentials Fuel IoT Botnets

Botnets powered by Internet of Things (IoT) devices have recently made headlines after powering massive distributed denial of service (DDoS) attacks. The underlying issues with IoT devices, however, are by no means new. IoT botnets are possible mainly because enslaved devices often have security flaws, many of which have been discussed numerous times before.

The rise of DDoS botnets leveraging IoT devices for their dirty work once again brought to the spotlight how easily such products can be hacked to install backdoors. A slew of IoT devices reuse cryptographic keys and/or use easy-to-guess, hardcoded default login credentials, making them susceptible to brute-force and other types of attacks, especially since many users don’t or can’t change those credentials.

Mirai, a Linux backdoor initially detailed in early September, was observed relying on this weakness to find and ensnare IoT devices into a botnet. The botnet’s source code has been released online several days ago and is said to have been used to launch DDoS attacks against Brian Krebs’ website and hosting provider OVH, and to be powered by more than 150,000 IoT devices, including cameras and digital video recorders (DVRs).

To find and ensnare devices into the botnet, the malware scans the Telnet service on DVRs and WebIP Cameras on Busybox, as well as on other Linux-based IoT boxes with Busybox, and on unattended Linux servers, then attempts to login using hardcoded usernames and passwords to brute-force discovered devices. BASHLITE, a botnet that supposedly abuses over 1 million IoT devices, uses the same attack method.

This modus operandi, however, might not be exclusive to these two malware families alone, considering the large number of attacks that a single DVR device is hit with: “The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding,” Johannes B. Ullrich, Ph.D., CTO SANS Internet Storm Center, reveals.

Ullrich was attempting to test how bad it would be to expose a DVR to an Internet connection, and he didn’t have to wait long to discover. The attacks tried a variety of passwords, but only one of them was set up on the honeypot, so only some attacks were successful.

Those attacks that came through, however, followed a similar pattern, starting with the attacker making sure that they didn’t connect to a router or a honeypot by using specific commands. Next, the attacker would fingerprint the device and test whether a binary file could be created on it. Then, the attacker would attempt to download a tool on the exposed device, or to create a binary directly on it.

The purpose of the attack, however, was to download and install malware onto the exposed DVR, and to leverage it to scan for more vulnerable hosts at the high rate of over 100 connections per second, Ullrich explains. The security researcher reveals that the device was attacked several times an hour and that none of the attackers attempted to reset the default password, meaning that the DVR remained exposed to other attacks.

The issue, however, is that this DVR isn’t the only insecure device exposed to the Internet, but that there are a great deal of other devices that also lack proper security right from the start. Mirai’s source code contains 68 username and password pairs, and “many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorder (DVRs),” Brian Krebs reveals.

Ullrich’s experiment revealed an attack pattern previously associated with both Mirai and BASHLITE, which might have been adopted by other botnets as well. Over the past several months, a botnet known as LizardStresser was also observed launching massive DDoS attacks powered by IoT devices, including a 540 Gigabits per second (Gbps) attack against public-facing properties and organizations affiliated with the Olympics.

With tens of thousands of compromised CCTV devices located all around the world also abused in DDoS attacks, and numerous Trojans targeting IoT designed specifically for this type of attacks, Symantec researchers have concluded that the primary purpose of IoT malware is the launch of DDoS attacks.

Related: Hacker Releases Source Code of IoT Malware Mirai

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers

Related: The IoT Sky is Falling: How Being Connected Makes Us Insecure

view counter
image
Ionut Arghire is an international correspondent for SecurityWeek.
Previous Columns by Ionut Arghire:
Tags:
Original author: Ionut Arghire