Slashdot Mirror


IoT Devices With Default Telnet Passwords Used As Botnet (securityaffairs.co)

Slashdot reader stiebing.ja writes: IoT devices, like DVR recorders or webcams, which are running Linux with open telnet access and have no passwords or default passwords, are currently a target of attacks which try to install malware that then makes the devices nodes of a botnet for DDoS attacks. As the malware, called Linux/Mirai, only resides in memory, once the attack has been successful, revealing whether your device got captured isn't so easy, and analyzing the malware is also difficult, as it will vanish on reboot.
Plus the malware lies low at first, though "it is obvious that the main purpose is still for a DDoS botnet," according to MalwareMustDie, and it's designed to spread rapidly to other IoT devices using a telnet scanner. "According to the experts, several attacks have been detected in the wild," according to the article, which warns that many antivirus solutions are still unable to detect the malware, and "If you have an IoT device, please make sure you have no telnet service open and running."

57 comments

  1. Telnet? by Anonymous Coward · · Score: 0

    Why is telnet used to access these IoT devices? At the very least, use a secure shell session (ssh) with a strong default password randomly generated the first time the device is switched on after connecting it to a notebook or desktop computer via USB cable. The newly generated password could be transferred automatically to the computer as a text file, and then the device's USB port automatically disabled by the device itself, so that the only way to change the password is by locally logging into the device via SSH. The owner can re-enable the USB port if they choose, although it's best not to do so.

    1. Re:Telnet? by sjames · · Score: 1

      Why so complicated? The problem is automated remote access. Just use ssh and a unique password set at the factory and printed on a sticker.

      Bonus points for avoiding lockout: a jumper inside the unit allows password-less access.

      Alternatively, a user accessible button. Pressing it opens a 5 minute window for login. Otherwise, no access.

    2. Re:Telnet? by gweihir · · Score: 1

      Simple: The design was done by the cheapest morons available. This is so obviously completely incompetent, that the ones responsible must be management for hiring the wrong people.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Re: Wait, the story is in error by Anonymous Coward · · Score: 1

    Sorry and unimaginative trolling

  3. Damn millennials by Anonymous Coward · · Score: 1

    Are all of those IOT devices designed by millennials ??

    1. Re:Damn millennials by Anonymous Coward · · Score: 1

      IOT === Idiots or Twats.
      IMHO that describes the designer of pretty well all IoT devices released so far.

  4. Security is hard by Anonymous Coward · · Score: 0

    Security is hard but it is really disconcerting to see companies fail to even try to create secure IoT devices.

    1. Re:Security is hard by gweihir · · Score: 1

      Well, yes, security is hard, but these people are not even trying.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re: Security is hard by Anonymous Coward · · Score: 0

      That was my point?

  5. Port 23 is script kiddie heaven by Anonymous Coward · · Score: 0

    Never EVER have open telnet (port 23). Unless you run a honeypot VM don't do it. Add a firewall rule to block all port 23 traffic on your LAN.

    1. Re:Port 23 is script kiddie heaven by SeriousTube · · Score: 1

      Any sane firewall will have all ports blocked except the ones you need.

    2. Re:Port 23 is script kiddie heaven by arth1 · · Score: 1

      Many devices have a telnet or ssh listener on different ports, precisely because they tend to be blocked.

    3. Re:Port 23 is script kiddie heaven by Anonymous Coward · · Score: 1

      A home router? Block outgoing ports?

      I think not. If any home IoT devices are pwned, most people would never know it.

      Also I think the article suggestion to shut off telnet on devices like DVRs and such is laughable. Exactly how does the average home user do this?

      Frankly, why should they care? If DVR and other device manufacturers are leaving security holes, it's their problem to fix it with a software patch.

    4. Re:Port 23 is script kiddie heaven by Anonymous Coward · · Score: 0

      Telnet and SSH are two different things regarding the sophistication level of malware. Any device that uses telnet should be considered a trojan penetration device. In 2016 there is absolutely no reason to use telnet. Telnet is the equivalent of leaving your keys in your car in the ghetto. If you use telnet it's just a matter of when you'll get hacked not if. Telnet should be banned. Think home router/firewalls block telnet traffic by default? Think again.

    5. Re:Port 23 is script kiddie heaven by Anonymous Coward · · Score: 0

      SSH with admin/admin isn't much better

    6. Re:Port 23 is script kiddie heaven by gweihir · · Score: 1

      Aaaaaand, fail! You can run a telnet server on the default port and be completely secure. Depends entirely on what you do with it. The primary problem here is not "telnet", but "default password".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Port 23 is script kiddie heaven by beanpoppa · · Score: 1

      A telnet port isn't vulnerable if it's not used. If it's used locally (as a backdoor console) then it's only vulnerable if your network is already owned.

    8. Re:Port 23 is script kiddie heaven by Opportunist · · Score: 1

      The combination is scary. Even if I don't know the default password, I know it after sniffing the traffic for a while.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Port 23 is script kiddie heaven by Anonymous Coward · · Score: 0

      IoT devices may also use the cell networks for the initial call home and/or demographics (read as "telemetry").

    10. Re:Port 23 is script kiddie heaven by arth1 · · Score: 1

      Telnet and SSH are two different things regarding the sophistication level of malware.

      Indeed. You can find dozens of script kiddie programs for attacking ssh, but not a single one I can find for attacking telnet with TLS and SASL.

      Any device that uses telnet should be considered a trojan penetration device. In 2016 there is absolutely no reason to use telnet.

      Quite a few devices have a serial interface, and on those, ssh is not an option. Good old telnet still rules for that.

      And, yes, there are devices out there that can only be reached by modem too. Park forest stations, meteorological equipment and lighthouses, for example. Sometimes not even POTS and 56k, but 9600 bps. You really don't want to run ssh over that.

    11. Re:Port 23 is script kiddie heaven by gweihir · · Score: 1

      And then look at where you actually _can_ sniff passwords today. It is not in many situations. Not secured wireless LAN is basically the only one or it gets pretty expensive and high effort. But I am most certainly not arguing for log-ins from a non-encrypted WLAN on the other side of the world over telnet. There are other scenarios where it still makes sense, for example if you are already in a secure network.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:Port 23 is script kiddie heaven by Opportunist · · Score: 1

      Considering that the biggest threats to privacy these days are actually sitting in the data stream and able to take a close look at any and all data transmitted, it's not really comforting that Joe Scriptkid cannot.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Follow the money by sjbe · · Score: 2

    Silly question. Why telnet? Because it is cheap and they don't give a crap if you get hacked. Not their problem if you do.

    1. Re:Follow the money by dargaud · · Score: 2

      Programmers who install telnet servers anywhere should be shot. 15 years ago it was already common knowledge that telnet was completely insecure and only a matter of time before it got owned. So why isn't there a daemon on all linux variants that monitors for the presence of a telnet server and KILLS IT ?!?

      --
      Non-Linux Penguins ?
    2. Re:Follow the money by Anonymous Coward · · Score: 2, Informative

      So why isn't there a daemon on all linux variants that monitors for the presence of a telnet server and KILLS IT ?!?

      There is. If you run systemd, it will eventually bring down your entire machine, including any errant telnet servers.

    3. Re:Follow the money by Anonymous Coward · · Score: 0

      First of all, there is no legal responsibility for a device maker to make anything secure at all. They could be just fine having bash spawn on the port as root. It is the buyer's responsibility to maintain security. Physically, it would be similar to using a luggage lock versus an Abus U-lock. The lock maker isn't responsible; it is the person who bought and used it.

      Plus, IoT makers require agreeing with a ToS or EULA, which also absolves them of responsibility. This is a contract... first semester law school stuff, and even if a device was left open to the world, the buyer waived their rights to sue, and has to go through binding arbitration.

      Caveat emptor.

      What really is needed is something like UL, but for device security. If you want companies to sit up and take notice, other companies have to step in. Look how PCI-DSS 3.2 has done more for corporate security than anything passed by governments.

    4. Re:Follow the money by mlts · · Score: 2

      One ideal might be having good in and out firewall rules on the machine. It takes time for initial setup and maintaining, but isn't that bad (it can be put in your playbooks or .pp files.) That way, a telnet server will not be accessible by anything.

    5. Re:Follow the money by dbIII · · Score: 1

      Programmers who install telnet servers anywhere should be shot

      Some legacy software needs it. I had to use some like that until around ten years ago on some machines that were heavily firewalled off from the rest of the world.
      Developers who make their software depend on telnet are the ones that should be shot. All these expected IoT failures are due to software developers out of their depth taking shortcuts and fucking up badly. The fucking MS-DOS single-user, don't-give-a-shit-about-security mindset is how this shit happens.

    6. Re:Follow the money by Hognoxious · · Score: 1

      Probably. Telnet is text, and systemduh hates text.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Defective Product by SeattleLawGuy · · Score: 5, Insightful

    In this day and age, a device with telnet and no password is fundamentally a defective product.

    --
    Real lawyers write in C++
    1. Re:Defective Product by zifn4b · · Score: 1

      In this day and age, a device with telnet and no password is fundamentally a defective product.

      If you're really a lawyer, you should start a class action lawsuit against the offending companies for gross negligence.

      --
      We'll make great pets
    2. Re:Defective Product by Anonymous Coward · · Score: 0

      I don't even understand why telnet is on any devices after 2000.

    3. Re:Defective Product by gweihir · · Score: 1

      Indeed. "Gross negligence" seems to be too tame a description for it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Defective Product by gweihir · · Score: 1

      It has its uses. Some devices cannot support ssh (too small), or ssh cannot get through an internal firewall, for example. Sure, you need to limit usage to secure networks or networks where anybody sniffing passwords is rather unlikely for other reasons, but telnet still has its uses.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Defective Product by Aqualung812 · · Score: 1

      It has its uses.

      Telnet with NO password has uses outside botnet fertilizer?
      I'd love to hear them.

      As for your other points, I still argue Telnet is useless. Firewalls that can't pass Telnet are also defective in 2016, along with any device that can't handle a few more bits of RAM or storage for SSH.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    6. Re:Defective Product by Anonymous Coward · · Score: 0

      My first job, I contracted to a communication hardware company. I'm certain that my experience isn't typical of a hardware company, but there is at least one instance. Essentially, the codebase and security were a mess because the company culture prohibited hiring software people for "real engineering projects." I just happened to luck in to seeing how bad things were because I was a contractor.

    7. Re:Defective Product by gweihir · · Score: 1

      And where did you see me talking about telnet "with no password"? Can you point that out to me? Because I am pretty sure I did not.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Defective Product by Aqualung812 · · Score: 1

      My bad. From my POV, you were replying to the GP in defense:

      In this day and age, a device with telnet and no password is fundamentally a defective product.

      However, I can see now that you were replying to an AC reply to that, which was hidden by default on my settings.

      That said, I'd really like to understand why a product made *today* would have any reason for Telnet.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  8. Actually there are millions of such devices by beda · · Score: 1

    "According to the experts, several attacks have been detected in the wild," - well, have a look at this article. It is about more than 6 million devices, 1 million of them being for sure IoT stuff like cameras and the like. It is very likely they are talking about the same attack described here.

    1. Re:Actually there are millions of such devices by Anonymous Coward · · Score: 0

      I remain convinced the biggest push for IoT devices come from those who want to exploit shoddy merchandise such as these botnet owners, and from power-hungry small time bureaucrats who see bad sci-fi where people get killed over the internet by "evil hackers" and get an erection lasting more than four hours.

  9. How to test it by beda · · Score: 1

    Here is a website where you can test if your device has such a problem, because it has been observed in Telnet honeypots for quite some time - https://amihacked.turris.cz/

  10. Everything old is new again! by Anonymous Coward · · Score: 0

    Like the early, early internet, when nearly everything was crazy wide open. Who could have known IoT would be just as nuts? How could anyone guess such a thing would ever happen! Stay in school kids.

  11. Re:Wait, the story is in error by gweihir · · Score: 3, Insightful

    If the sysadmin is stupid (like you are, for example), then any Unix is less secure than even unpatched Windows. Linux security is what you get when you combine a competent sysadmin and Linux. The same effect exists on Windows, but the results are not nearly as good and that is what makes Linux a secure OS and Windows a problematic one.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Product recall? by davidwr · · Score: 1

    Except for devices where the buyer WANTS this open - say, for use in a honeypot - I would consider this a design defect. Depending on the device, this could cause death.

    The feds (in the USA) are probably going to turn the "voluntary" recall of the Samsung Galaxy 7 phone into a "mandatory" recall.

    I would recommend they seriously consider doing the same for any device that has a security hole like this that can't be fixed by end users, especially for devices that are designed to be used by non-experts.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Product recall? by Opportunist · · Score: 1

      Maybe when you can blow up the devices via telnet. Until then it's unlikely.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Make some IoT makers get an engineering seal by davidwr · · Score: 2

    Some things can hurt people or destroy property if they don't work right.

    Maybe it's time to have the makers of HVAC systems and other things that could injure or kill if they become zombies get an engineer to sign off on all designs - including software design - before they are allowed to sell the equipment for its intended purpose, at least if the end user isn't an expert (e.g. thermostats designed for residential or small-office use where they aren't under constant monitoring by HVAC professionals). This would force the engineer to either prove to his own satisfaction that hardware and software, as a system, was safe or design the hardware so that no matter what happened, fatalities would not result (e.g. have hardware limits on home thermostats, so someone remotely cranking things up to 100F or down to 40F wouldn't kill anyone in the room).

    Now, I'm not calling for "locked down firmware" although that would be one way of dealing with the issue. Instead, I'm calling for firmware that is vetted by an engineer and which can only be updated either by an "authorized update" (e.g. signed binary or better yet, signed binary and a temporary "updates allowed=YES" button being pressed on the device) or by a hobbyist making a visible and permanent change to the hardware, such as blowing a fuse or cutting a trace on the motherboard. Failures by devices that had been put into "hobbyist mode" would not be the fault of the engineer unless it could be proven that the firmware was not at fault (e.g. engineers would still be liable for design flaws that would affect non-tampered-with systems, such as a failure in the hardware-limits of the thermostat example above).

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Appernet of Apps! by Anonymous Coward · · Score: 1

    This story isn't about LUDDITE Linux. It's about the Appernet of Apps, the appiest way to app apps while apping other apps!

    Apps!

    1. Re:Appernet of Apps! by Anonymous Coward · · Score: 0

      Typical apper class twat.

  15. Found the LUDDITE! by Anonymous Coward · · Score: 0

    Aaaaaand, fail! You can run a telnet server on the default port and be completely secure.

    Only LUDDITES would think that LUDDITE Telnet is secure! Modern app appers use secure apps by ONLY apping apps, NOT LUDDITE Telnet!

    Apps!

    1. Re:Found the LUDDITE! by Anonymous Coward · · Score: 0

      Where did you go? Glad to see you're back. I was trying to cover for you while you were gone, but I never got the knack of it.

  16. IDIOT == Insecurely Designed Internet Of Things by knorthern+knight · · Score: 1

    Spread the meme

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
    1. Re:IDIOT == Insecurely Designed Internet Of Things by Anonymous Coward · · Score: 0

      I like it! IDIOT devices for idiots.

  17. Re:Wait, the story is in error by mlts · · Score: 1

    Linux is nice because one can secure it as they see fit. Someone on the operator level can enable patching at certain times in Red Hat and downstreams, Debian, and Ubuntu, with ease. This isn't something you would do in production for obvious reasons, but with modern mainstream Linux distros with their default installs, it actually is more work to not enable patching than to enable it.

    An admin that is more versed would be using some sort of patch management system, if only to ensure that SSH, OpenSSL, the kernel, and other critical components are not just patched, but there is validation that things are at that patch level.

    Next tier up, the admin would have a CM tool which either gets pushed or runs locally with a stanza like this:

    ---
    - name: Update openssl
      package: name=openssl state=latest

    The above stanza would get pushed to all boxes every so often.

    Of course, Linux can be horrific if unpatched, because there is so much a blackhat can do on a Linux box, even if root access is unavailable. However, in general, because Linux is open, there are fewer moving parts which are hidden away from the user. For example, when Shellshock came out, and a quick patch had to be done, it wasn't hard to build a static busybox binary as a workaround until a few hours later, bash was patched.

  18. It's always best to start at the beginning by bobstreo · · Score: 1

    Speaking as a slightly paranoid home user.

    Every time I add a new device to my network, I do a nmap port scan on it. Something like:
    sudo nmap -A -T4 ipaddress

    If access to those ports is needed, I'll do some poking on them, depending on what they are and probably some research to determine if they have had any security issues, and do a risk analysis.

    Work follows a completely different model. Everything is blocked, there are various levels of approvals needed to open any ports. External access directly to internal systems without proxies/frontends/webheads is almost never granted. Periodic reviews, pen testing and renewals for exceptions are mandatory.
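The per-device nmap check bobstreo describes, together with the summary's advice to make sure no telnet service is open, can be turned into a repeatable check on your own LAN. The script below is an added example and not code from the thread or from any of its posters: a POSIX shell function that parses nmap's greppable output (the -oG format) and reports every host with an open telnet-style listener, plus a wrapper that runs the scan. The port list (23 and 2323, since arth1 notes that devices sometimes listen on other ports) and the sample scan lines are assumptions constructed for the example; scan_and_flag needs nmap installed and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): flag LAN hosts that expose a telnet-style
# listener, using nmap's greppable output. Assumption: ports 23 and 2323 are the
# ones worth flagging; adjust TELNET_PORTS for your own environment.

TELNET_PORTS="23 2323"

# flag_telnet_hosts: read nmap -oG lines on stdin, print "host port service"
# for every open port in TELNET_PORTS. Greppable port entries look like
#   port/state/protocol/owner/service/rpc info/version/
# and the Host / Ports / Ignored State columns are tab-separated.
flag_telnet_hosts() {
  awk -F '\t' -v ports="$TELNET_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (col = 2; col <= NF; col++) {
        if (substr($col, 1, 7) != "Ports: ") continue
        n = split(substr($col, 8), entry, ", ")
        for (i = 1; i <= n; i++) {
          split(entry[i], f, "/")
          if (f[2] == "open" && (f[1] in want)) print host, f[1], f[5]
        }
      }
    }'
}

# scan_and_flag: TCP connect scan (no root needed) of a host or CIDR for the
# telnet ports only, piped through the check above. Needs nmap; not run offline.
scan_and_flag() {
  nmap -sT -p "$(echo "$TELNET_PORTS" | tr ' ' ',')" -oG - "$1" | flag_telnet_hosts
}

# sample_scan: constructed nmap -oG output (not a real scan result) so the check
# can be exercised without a network. Addresses and services are made up.
sample_scan() {
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2/, 23/open/tcp//telnet//, 80/open/tcp//http///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http///, 2323/open/tcp//3d-nfsd///\tIgnored State: closed (998)\n'
  printf 'Host: 192.168.1.30 ()\tPorts: 23/closed/tcp//telnet///\tIgnored State: filtered (999)\n'
}

# Usage: sample_scan | flag_telnet_hosts      (or: scan_and_flag 192.168.1.0/24)
```

On the constructed sample this reports 192.168.1.10 on port 23 and 192.168.1.20 on port 2323; the host whose port 23 is closed is not listed. A flagged host is a reason to check the device's credentials and, where the firmware allows it, disable the service, which is the mitigation the summary asks for.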

  19. Re:Wait, the story is in error by Opportunist · · Score: 1

    Security is the minimum of the system's capabilities, the integrator's capabilities and the user's capabilities. Granted, the integrator can take away sufficient options from the user to eliminate him from the equation, but if he is already a complete idiot, the system can't compensate for it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Re: IDIOT == Insecurely Designed Internet Of Thing by Anonymous Coward · · Score: 0

    It's idiots all the way down.