List of Credentials Causes Worry Over Mirai Redux
The potential for a large attack harnessing internet of things devices has been made clear once again by the attention drawn to a large list of devices with weak or default telnet credentials.
Ankit Anubhav, a principal security researcher with NewSky Security, tweeted on Friday a link on Pastebin to a list of 33,000 devices, although many are duplicates.
The list, first posted in June, contains IP addresses and, in some cases, usernames and passwords, for telnet, the remote access facility that is often left open on devices such as routers, IP cameras and digital video recorders.
The list was posted by someone going by the nickname Miraip0ts, a reference to the internet of things botnet that infected vulnerable devices via telnet last year. Other Pastebin posts from Miraip0ts suggest an interest in tools and scripts for hacking.
Pastebin has taken the list offline, yet it remains preserved in the Internet Archive. But the list doesn’t matter so much because devices that have telnet turned on and face the internet can be easily found using the Shodan search engine.
“This credential dump required no hacking whatsoever,” writes Stetson Smith, an IT support analyst, on Twitter. “You could find these with a little research. This dump just makes it convenient.”
But Anubhav’s tweet highlights that despite the large distributed denial-of-service attacks executed last year using vulnerable internet-of-things devices, there are still loads of insecure devices that could possibly be taken over by attackers.
The discovery of the list was enough for the GDI Foundation, a nonprofit security group based in the Netherlands, to make an effort at remediation.
“We are in the process of contacting as many currently affected host owners as possible in an attempt to lock down these vulnerable devices,” the group wrote on Twitter on Saturday.
Victor Gevers, co-founder of GDI, followed up on Monday morning: “Some of them should be locked down by now. We have been sending a lot of emails.”
The foundation wrote on Saturday that it had sent 1,775 emails reporting vulnerable devices, mostly to ISPs in Asia.
ISPs are a key partner in trying to clean up the internet of things since they have the customer relationship. While ISPs can identify the customers that have vulnerable devices, it’s still up to the customer whether to take action.
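The notification effort described above starts from a raw list of hosts, many of them duplicates. The following Python script is an added example, not code from the article, GDI Foundation or NewSky Security, showing the defensive half of that workflow: it parses a constructed dump in the shape the article describes (an IP address, sometimes followed by a telnet username and password), discards malformed lines, deduplicates by host, and groups hosts by network prefix so that each network owner gets one report. The /24 grouping stands in for the ASN or abuse-contact lookup a real notifier would do; that lookup and the sample addresses are assumptions. The worklist deliberately carries counts only, never the credentials themselves.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in the format the article describes: an IP address
# optionally followed by a telnet username and password. These are documentation
# addresses (RFC 5737) and made-up values, not real dump entries.
SAMPLE_DUMP = """\
198.51.100.10 admin admin
198.51.100.10 admin admin
198.51.100.23
203.0.113.7 root EXAMPLE
203.0.113.7
not-an-ip foo bar
192.0.2.77 user EXAMPLE2
"""


def parse_dump(text):
    """Return {ip: (user, password) or None}, deduplicated by IP.

    Lines that do not start with a valid IP address are skipped. If a host
    appears both with and without credentials, the entry with credentials
    is kept, since it tells the owner the device is not merely exposed but
    reachable with a known login.
    """
    hosts = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line: no address to act on
        creds = (parts[1], parts[2]) if len(parts) >= 3 else None
        if ip not in hosts or (creds and hosts[ip] is None):
            hosts[ip] = creds
    return hosts


def group_by_prefix(hosts, prefixlen=24):
    """Group host addresses by network prefix.

    Assumption: a real notifier would key on the ASN or WHOIS abuse contact
    instead (hypothetical lookup, not shown); a fixed prefix length is a
    stand-in that keeps the example offline.
    """
    groups = defaultdict(list)
    for ip in hosts:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


def notification_worklist(text):
    """One row per network: (prefix, exposed hosts, hosts with known creds).

    Credentials are intentionally not included in the output; the network
    owner only needs to know which hosts to lock down.
    """
    hosts = parse_dump(text)
    groups = group_by_prefix(hosts)
    return [
        (net, len(ips), sum(1 for ip in ips if hosts[ip] is not None))
        for net, ips in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in notification_worklist(SAMPLE_DUMP):
        print(row)
```

On the sample, seven lines collapse to four unique hosts across three networks, which is the kind of reduction the article hints at when it notes that many of the 33,000 entries were duplicates.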
As has been pointed out many times, older IoT devices may have hardcoded default credentials and were manufactured at a time when the internet was perceived to be a less malicious place.
Other devices may need a firmware update to fix issues. But IoT manufacturers often don’t support products beyond a few years, even though equipment such as routers is rarely replaced, and even then usually not for security reasons.
The GDI Foundation’s effort is important, if perhaps generally unappreciated, work. Experts warned for years that low-end devices with connectivity were ripe for attack, and their predictions came true last year with the Mirai botnet.
One of the first significant Mirai strikes came in September 2016, when the botnet was trained on the blog of journalist Brian Krebs. The source code for Mirai leaked, enabling others to harness and modify the code.
Mirai was engineered with the default login credentials for a variety of digital video recorders and IP cameras. With internet-facing ports, those devices were easily taken over. Mirai was a worm, meaning self-propagating code: after taking over a device, it scanned for and attempted to infect further devices.
One month later, attackers trained Mirai on Dyn, an internet infrastructure provider that provides DNS services to a variety of companies. The attack made it difficult for some users to reach Twitter, PayPal, Spotify and other major services, showing for the first time the incredibly disruptive power of an IoT botnet (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
Around the end of November 2016, a version of Mirai was used against Deutsche Telekom, crippling around 900,000 routers (see Mirai Botnet Knocks Out Deutsche Telekom Routers).