Slashdot Mirror


Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry: a hacker has made available the source code that could allow more people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports: The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

117 comments

  1. Oh great by JustAnotherOldGuy · · Score: 3, Informative

    Oh great, now every dickweasel and conehead in the world will be cranking out malware.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: Oh great by Anonymous Coward · · Score: 1

      Let's see a list of manufacturers to never buy from. That would be one good thing coming out of this...

    2. Re: Oh great by Archangel+Michael · · Score: 0

      Your problem is that you think that bankrupting one company is going to change anything. The operators will just spin up a new operation (corporation), and create new botnet nodes under another IoT fad.

      THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re: Oh great by mlw4428 · · Score: 4, Interesting

      That's a stupid line of thinking, it really is. Automobiles, as convenient as they may be, don't outweigh the inconvenience of the increased public expenditure on accidents, insurance, infrastructure, and pure risk to persons and property. So we should all just have horses and buggies.

      Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

      It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

    4. Re: Oh great by shadowp157 · · Score: 1

      Or even simpler: No "hidden" backdoors, No default User/Pass, No Jail Time or Fines. If you sell more than 1000 devices you must have your product certified.

    5. Re: Oh great by Archangel+Michael · · Score: 1, Redundant

      You can't blame Ford for the bad driving of the people crashing their cars. You can blame Ford for faulty mechanics. Most of your comparison is based on bad drivers, not Mechanical Problems. For the Most part, cars are relatively safe until people start driving.

      However, just about every IoT device that is faulty is broken by design. And they aren't being made by GE, Samsung or whatever, but by some Chinese fly-by-night cheap manufacturer for some IoT "inventor" who doesn't have the resources to pay out anything. That "massive lawsuit" isn't so massive. And the person you jailed, isn't the crappy manager who said "I don't care" when the engineer said that hard coding the username and password is a bad idea. I have that kind of boss right now, who thinks that convenience outweighs security, and will side with the idiot user against better judgement. After all, if it isn't easy for the average idiot, they won't buy it.

      You really need to put the blame where it belongs ... on the idiot user, who is responsible for their own damn choices.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re: Oh great by arth1 · · Score: 4, Funny

      Right now I can purchase an IoT appliance that controls my lawn sprinklers for about $250 that adjusts the water output based on the weather in the area.

      Your proposal would probably make that same IoT appliance cost around $250,000. No sane person would ever spend that much money on a device that controls a sprinkler system since that appliance would never pay for itself.

      Well, good. You shouldn't be wasting water on lawns anyhow.

    7. Re: Oh great by SmokeyRobot · · Score: 1

      The code scans across over a dozen architectures, so unless someone alters the code to recreate the botnet but echo data about the devices to a central location, you are relying on the good will of companies to commit seppuku.

    8. Re: Oh great by naughtynaughty · · Score: 4, Informative

      Almost all manufacturers ship devices with default usernames and passwords

      Changing them is your responsibility

    9. Re: Oh great by Anonymous Coward · · Score: 0

      Certified by who? Hillary's IT guy?

    10. Re: Oh great by amicusNYCL · · Score: 1

      I think a better use of this botnet would be to flood the manufacturers' websites. Maybe then they'll start caring about security.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    11. Re: Oh great by Anonymous Coward · · Score: 1

      Sure. Used to be in the UK if you bought say, a refrigerator, it didn't come with an electrical plug. Really. Whole fridge works, ready to go but no plug. That would come wrapped separately with just a bare lead on the fridge.

      Obviously every year some number of imbeciles who bought a fridge but struggled to follow instructions that involve knowing the colours of things and operating a screwdriver would wire it up wrong and kill themselves or destroy the integrity of their electrical system (e.g. wiring neutral across earth so that suddenly there's no real earth safety...) but the product makers would just say well, we put clear instructions on it, what do you want?

      And the answer was: Fit the plug at the factory. At the factory people already correctly put wire A in slot A 99.999% of the time, because if they didn't none of the fridges would work, so this is safer. Sure enough, despite moaning from the world's small-C conservatives who've never seen anything change in any way that they didn't hate, this caused accident rates to drop. Selling any consumer electrical item that needs a plug, without the plug fitted, became illegal, the same way it would always have been illegal to supply it pre-wired to explode and burn. "Oh ma civil liberties" Yeah, fuck off now.

      Similarly, we could just legislate that IoT devices with shared default passwords aren't fit for sale. I mean, they're not, are they? This is fixable, just like the electrical plugs in the UK, it's just that nobody wants to spend tuppence to fix it unless they're _forced_ to. So we have to force them.

    12. Re: Oh great by Macdude · · Score: 2

      Almost all manufacturers ship devices with default usernames and passwords
      Changing them is your responsibility

      The device should require the username and password be changed before it will function.

      --
      "Grab them by the pussy" -- President of the United States of America
    13. Re: Oh great by thegarbz · · Score: 1

      It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

      Yes because the law is only a problem for information security negligence and these massive lawsuits, payouts, etc have stopped every other form of short cutting.

      Or not.

    14. Re: Oh great by thegarbz · · Score: 1

      Because over regulation is working so well for you right now. What's the street price of medical gear right now in the USA? 10x that of the rest of the world? 20x? could even be closer to 30x given I can buy an Epipen for $23.99

    15. Re: Oh great by phantomfive · · Score: 1

      And the quality of medical code isn't very good, still.......

      --
      "First they came for the slanderers and i said nothing."
    16. Re: Oh great by St.Creed · · Score: 1

      That's not because of overregulation, but because of a pricing strategy called "what the market will bear". This is quite a bit more for critical drugs and gear than for toys, as pharmaceutical companies have discovered.

      If it was overregulation the price would have gone up everywhere, since pharmacovigilance regulations are pretty similar across the board. Okay, maybe some price disparity would have been there because some regulators require less proof. But still, this can never explain a 30x price differential.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    17. Re: Oh great by Anonymous Coward · · Score: 0

      Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

      So, you HAVE to take 'unnecessary design risks' not to get sued?

    18. Re: Oh great by MightyDrunken · · Score: 1

      Almost all manufacturers ship devices with default usernames and passwords

      Changing them is your responsibility

      With the source code for Mirai that became a whole lot easier for me to do ;)

    19. Re: Oh great by Anonymous Coward · · Score: 0

      Oh, ok! Unencrypted and unsecured backdoors, empty admin passwords, no punishment because FREEEEEEDOM it is then.

    20. Re: Oh great by Anonymous Coward · · Score: 0

      "Used to be in the UK if you bought say, a refrigerator, it didn't come with an electrical plug."

      You must be young...
      http://www.electrical-contractor.net/forums/ubbthreads.php/topics/137244/FITALL_plug.html

      There were several plug standards in Britain alone over the decades, fused and unfused, plus several more on the Continent. All of them proprietary. If a manufacturer wanted to sell appliances in a wide market, they either had to supply a bunch of adapters, or just leave the wires bare so that the plug suitable for local conditions could be fitted, usually at the Appliance store. (No Amazon back then.)
      In the US, there was the Edison Standard, using an Edison Lighting Socket and a screw-in adapter, which quickly died out (I still have a few...), and various crappy Blade designs which are _still_ with us. Take a look in a Hubbell catalog some time. There are still twist-lock plugs available for 120V single phase 10A, 20A, and 30A service, with and without Ground, and a slew of two and three phase versions. If you want to pay twice as much, check out a Marinco Marine Electrical catalog some time. My dock comes with Twist-Lock 120V 30A Single Phase sockets, and 50A Two Phase. Same connectors, same yellow color, same manufacturer, different labels. The Marina Electrician has to approve all electrical cables (Minimum 8 Gauge wiring for 50A.) and connections, and they sell inline adapters to our familiar 15A grounded blade sockets at a hideous price.

      My boat came with a little marvel from New Zealand, a weighted little table stand with two switches on one side, one for a light bulb above, and the other for a dual GFCI outlet on the other side, and it comes with a 20 foot cord. It supplies all of the shore-power 120V my boat needs. It _is_ a 120V version, made around 1980, and the Marina Electrician was appalled. The boat also came with a Swan kettle with a Europlug Socket on the body, and a molded Europlug to US standard plug adapter cable. No Ground. To turn the kettle off, I unplug it. The Electrician nearly had a heart attack with the Swan. And then he told me about all the Fires.

      Fires are a Marina nightmare, very difficult to fight from a land based fire truck, and they are almost always due to bad electrical connections these days. Hubbell/Marinco are much to blame here- their fittings are absolute rubbish. They are so bad, that we banned twist-lock Hubbell connectors at work. If it's 240V two phase, it gets hardwired in. The _only_ exception is Experimental gear brought in from overseas, and only for a week or less. (We keep Electricians on site 24/7, and they can hardwire any gear in place in ten minutes or so... for free. It's a Safety thing.)

    21. Re: Oh great by gweihir · · Score: 1

      Actually, making sure you change username and password is their responsibility. The well-established way to do that is that unless you do, the device just displays a page asking you to. So this is indeed a massive screwup on the manufacturer's side.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
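The first-boot gate gweihir and Macdude describe above (the device does nothing until the factory password has been replaced), as an added illustration that is not code from the thread or from any real product; the request paths, the factory credentials and the policy thresholds are assumptions:

```python
"""Model of a first-boot credential gate for an IoT device's management interface.
Added illustration; the paths, factory credentials and thresholds are assumptions."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

FACTORY_USER = "admin"          # constructed factory credentials for this model device
FACTORY_PASSWORD = "admin"
MIN_LENGTH = 12                 # assumed policy; real firmware would set its own
PBKDF2_ROUNDS = 100_000
SETUP_PATH = "/setup/password"  # assumed: the only endpoint usable before provisioning


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so a dumped config does not reveal the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_policy_problem(user: str, new_password: Optional[str]) -> Optional[str]:
    """Return why the new password is unacceptable, or None if it passes the policy."""
    if not new_password:
        return "new password missing"
    if new_password == FACTORY_PASSWORD:
        return "new password must differ from the factory password"
    if new_password.lower() == user.lower():
        return "new password must differ from the username"
    if len(new_password) < MIN_LENGTH:
        return f"new password must be at least {MIN_LENGTH} characters"
    return None


class DeviceAdmin:
    """Management-interface state for one device."""

    def __init__(self) -> None:
        self.factory_reset()

    def factory_reset(self) -> None:
        """Recovery path: back to factory credentials, with the gate re-armed, so a
        reset device is again unusable until the password is replaced."""
        self.user = FACTORY_USER
        self.salt, self.digest = hash_password(FACTORY_PASSWORD)
        self.provisioned = False

    def authenticate(self, user: str, password: str) -> bool:
        if user != self.user:
            return False
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)  # constant-time compare

    def handle_request(self, user: str, password: str, path: str,
                       new_password: Optional[str] = None) -> Tuple[int, str]:
        """Route one management request; returns (HTTP-style status, message)."""
        if not self.authenticate(user, password):
            return 401, "unauthorized"
        if not self.provisioned and path != SETUP_PATH:
            # The gate: nothing else works while the factory password is in place.
            return 403, "set a new administrator password before using the device"
        if path == SETUP_PATH:
            problem = password_policy_problem(user, new_password)
            if problem:
                return 400, problem
            self.salt, self.digest = hash_password(new_password)
            self.provisioned = True
            return 200, "password changed"
        return 200, f"ok: {path}"


if __name__ == "__main__":
    dev = DeviceAdmin()
    print(dev.handle_request("admin", "admin", "/video/stream"))  # refused with 403
    print(dev.handle_request("admin", "admin", SETUP_PATH, "correct-horse-battery"))
    print(dev.handle_request("admin", "correct-horse-battery", "/video/stream"))
```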
    22. Re: Oh great by gweihir · · Score: 1

      While it sounds extreme, I completely agree. Without that, nothing is going to change. As soon as anybody that did screw up this badly has to prove they followed best practices and had independent review OR ELSE (and the "ELSE" must be personal for senior management), this problem will mostly go away. One model could be IoT devices this insecure must be recalled and the owners compensated generously. Cannot assure that? No way for your trash to get through customs. Yes, regulation is generally not a good idea, but I do not think there is an alternative here.

      Makers of FOSS would of course not be affected, only manufacturers using FOSS insecurely.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    23. Re: Oh great by Anonymous Coward · · Score: 0

      Need jail time for the engineer responsible for the broken code.  Seen way too many young grasshoppers who over sell their skills.

    24. Re: Oh great by Anonymous Coward · · Score: 0

      Idiot users didn't make the product. That's like Ford not putting brakes into a car, because two pedals is "too complicated" for retards and then retards won't buy their cars. So what? If your design requires a retarded decision to make your product "sellable" then it shouldn't fucking exist. If you have to purposefully design a shit product so that it will sell - then find some OTHER way of making the product so that it isn't retarded. "Too complicated" is why the world laughs at how stupid Americans have become.

    25. Re: Oh great by plover · · Score: 1

      THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)

      No, you need to not buy IoT devices that ship with working default passwords and that can't patch themselves. The way we made that happen in the marketplace before with electrical safety issues was with an overpriced certification authority, like UL or CSA, something customers can recognize in the shops today by the shiny holographic label.

      --
      John
    26. Re: Oh great by Anonymous Coward · · Score: 0

      Too simplistic. It's basically the same debate the American public has been having since the financial crisis. The reality is that corporations are already held accountable, but only to a point. You write as if "bam! lawsuit!" were a fast, straightforward solution; in reality it is as messy and costly as the design flaws themselves.
      The same goes for "credentials" from security firms, which are a set of rules defined by....what again? And who enforces them?

      Holding corporations accountable only makes sense when you can afford to wait months, sometimes years, and spend thousands (sometimes hundreds of thousands) of dollars.

      This is the route taken by the big banks. They are now beholden to lawyers, law firms, compliance departments etc, which slow things down and suck up huge amounts of resources.

      I lean towards the "no back doors" solution, but I don't know whether it is technically feasible.

    27. Re: Oh great by r2rknot · · Score: 1

      Issue with this: The presumption that product manufacturers can be held liable for how their products are used illegally. This idea is not new (see holding gun manufacturers liable for crimes committed with their products), and will not work.

      Try an alternative route.

      --
      "...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
  2. just now by Nick · · Score: 1

    It's amazing that this is just now becoming a thing. IoT devices and their piss-poor security/default passwords/etc have been out for a while.

    --
    Fuck Ajit Pai
    1. Re:just now by gweihir · · Score: 1

      Quite a few experts have been warning about this problem for years. People never listen until something bad happens....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:just now by Shane_Optima · · Score: 0

      Maybe it could have something to do with the fact that half of you security "experts" are clearly frauds who do not understand the first thing about information theory. Where do you work, by the way?

      The $1000 is still yours, if you or one of your mental midget followers can manage to demonstrate a flaw in my design.

      Summary here: https://slashdot.org/comments.... The preamble is a loose working definition of hash. My stances and claims are enumerated below.

    3. Re:just now by gweihir · · Score: 1

      Go away, noob. Stalking does make your credibility even lower. As does trying to deride actual experts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:just now by Shane_Optima · · Score: 1

      Actual experts can succinctly explain why they consider something to be massively flawed.

      And I'm not going to take etiquette advice from someone who uses sock puppets or minions, thanks. I'm performing a useful service; I'll be fact-checking all of your stuff for a little while. Won't take me 5 minutes a day. Don't worry, all other posts will be strictly on-topic from here on out.

      I don't mind losing debates, but I no longer abide frauds. Particularly not frauds who apologize for incompetence.

    5. Re:just now by gweihir · · Score: 1

      Stalking and deriding are not "fact checking". They are just immature revenge for a bruised ego. Your "usefulness" is just going even wider into the negative this way.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:just now by Shane_Optima · · Score: 0

      I'm not stalking you, you pathetic drama queen. I'm temporarily providing a service to the community to make sure you don't spread any more (unchallenged) self-indulgent authoritarian gibberish for a little while. Also, there may be some jokes at your expense if you happen to set me up with a good line. Things have been slow lately but I've some upcoming stuff that will require my keenest attention and after that point I'm pretty sure keeping an eye on you will fall far down into the darkest depths of the extended to-do list, never to be seen again.

      Jesus Christ, somebody certainly has a big ego.

      Do you want me to stalk you? I'm going to have to see a picture before I make that kind of commitment. Or at least some measurements.

    7. Re:just now by gweihir · · Score: 1

      Keep kidding yourself. You are doing the "mad stalker" act now. I just checked whether I should return the favor, but your postings are not interesting enough for that. I am simply going to ignore you now; encouraging a petulant child is never a good idea.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re: just now by iivel · · Score: 1

      If you have that kind of time, I'd welcome a fact checker for all of my posts on /., FB, my personal blog, LinkedIn, etc. Would save me some embarrassment and help me improve my positions and arguments. I don't post much, so it'd be easy & would be good for my persuasive debate skills. Call it a "peer review" :) Now that I think about it, a "post for review" premium option for social platforms (or plugin to other CMS platforms) that sends the content to mechanical turk (or some other service) for review in a normal 3 step publishing workflow would be awesome. Set up my preferences on what type of errors I want checked, use hLDA and sentiment analysis to provide the reviewer(s) insight and context to my typical answers on a topic to provide insight. Quickly get back an editorial copy. Submit knowing that professional and personal posts are consistent and accurate across all platforms. I could go for that.

    9. Re: just now by gweihir · · Score: 1

      Nice! ;-)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re: just now by Shane_Optima · · Score: 1

      Like I said, I'll be devoting something on the order of 5 min/day to this, perhaps 10. You'd have to write on the same complexity level of gweihir, and include similarly glaring errors, for me to be able to scan through all your posts that quickly.

  3. Headline translation by JustAnotherOldGuy · · Score: 1

    Headline translation: "We're Doomed."

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Headline translation by The-Ixian · · Score: 3, Funny

      I fully expect that we are facing nothing less than total apocalypse

      This is the end people!

      Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Headline translation by Archangel+Michael · · Score: 1

      More like this is the start of Skynet. Just wait until the AI we are creating gets a hold of all the IoT devices ...

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:Headline translation by arth1 · · Score: 1

      Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

      Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline. If all the people who worked on it hadn't, it would have been a rather terrible impact.

      Unfortunately, there isn't (yet) an irresistible incentive or imperative to fix the IoT problem. Even for those recognizing it as a problem, there is no deadline nor any good predictions that will sway management to invest large resources into fixing anything.

    4. Re:Headline translation by JustAnotherOldGuy · · Score: 1

      I fully expect that we are facing nothing less than total apocalypse
      This is the end people!

      Start doling out the Kool-Aid and make sure each cup is filled to the brim...bottoms up!

      But seriously, this is likely to make things worse, much much worse.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Headline translation by JustAnotherOldGuy · · Score: 2

      Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

      This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:Headline translation by St.Creed · · Score: 3, Insightful

      Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

      This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

      Hell yeah. In our first tests after the bugs were fixed, literally NOTHING worked. They had forgotten to patch the login module and every password valid date was now suddenly in the past. 50 testers went home again that day, after an hour, on a saturday. Much grumbling ensued.

      But... you know, at some point no one who was present at Y2K will be alive, but the people who denied that there ever was a problem will still be in abundant supply. It's saddening to see that if you just deny something happened, no matter what it is and no matter the documentation and witnesses, eventually sheer stupidity and mental inertia will bring you victory. Fighting entropy is *hard*.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    7. Re:Headline translation by LordWabbit2 · · Score: 1

      no one who was present at Y2K will be alive

      You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
      I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions were spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    8. Re:Headline translation by St.Creed · · Score: 1

      You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype

      Yep.

      You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
      I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions were spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.

      This illustrates what is often said: the person that creates crisis after crisis and then fixes them (just in time to avoid serious disaster) will be appreciated more than the unsung hero who prevents the problems from developing in the first place. Sometimes I think we should have just let Y2K happen and then fixed things. But meh, what's done is done and besides it is our job to keep things running. Leave it to the amateurs to run from one fire to another - engineers are proud to run things so there are no problems.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  4. Well, that's going to suck by Anonymous Coward · · Score: 0

    Unfortunate this was released. Even more unfortunate the IoT devices have such poor security.

    1. Re:Well, that's going to suck by naughtynaughty · · Score: 2

      Their security was fine, as long as you changed the default password.

      Devices really do need a recovery mechanism from someone losing their password and a hard reset back to a default is fine with me.

      That people buy a security camera and then leave it with its default password is the problem.

    2. Re:Well, that's going to suck by xxxJonBoyxxx · · Score: 1

      >> Their security was fine, as long as you changed the default password.

      Sorry, telnet's just not cool in 2016.

      >> That people buy a security camera and then leave it with its default password is the problem.

      Some manufacturers HAVE figured out a better way: a different default password for each device. Any company that still has a single common password for multiple devices these days is asking for a lawsuit.

    3. Re:Well, that's going to suck by Anonymous Coward · · Score: 0

      "Their security was fine, as long as you changed the default password."

      Not always a choice, some devices have a hard coded "service" user/password. I found out a little while back that one of my devices is one of these. Luckily it is behind a decent firewalled router with an odd IP/port so I think it would be rather difficult to get at remotely. I do of course intend to replace it, but it has run for years without me knowing about this glaring security issue.

    4. Re:Well, that's going to suck by The-Ixian · · Score: 1

      Their security was fine, as long as you changed the default password.

      And, you know, don't connect them directly to the Internet....

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Well, that's going to suck by Anonymous Coward · · Score: 0

      If you're arguing about the protocol when there are plenty of devices with hardcoded default password you should think about killing yourself.

      Some manufacturers HAVE figured out a better way: a different default password for each device

      I love how I can get free internet (with no captive portal bullshit) from routers having passwords derived from hardcoded SSID and MAC address.

  5. Good by clonehappy · · Score: 1

    Better that it's out in the open than hidden in the shadows, out of reach of security researchers.

    This will motivate competent admins who, for whatever reason, haven't secured these kinds of devices already to get around to taking care of the issue. As for the incompetent admins and the average home user, they'll figure it out when their bandwidth costs go through the roof and be forced to take action one way or another.

    But long story short, if a tool exists (good or bad) it's better that everyone can access it rather than just the bad guys.

    1. Re:Good by Moof123 · · Score: 2

      Most of these are not on any administrated system. These are baby monitors, home security cameras, "smart" toasters, and similar junk. We are selling piles of internet connected junk to the masses, but with no responsibility for anyone to make them secure after the fact. It is in fact getting harder to find widgets that are NOT internet connected just for the sake of being able to label it "smart".

      Smart toilet paper that tells you when the roll is about empty and automatically re-orders from Amazon will be the next BIG thing!!!

      The hassles with just getting all the connected crap in a typical house to work are too much, getting random fly-by-night electronic gizmos to be secure against state sponsored hackers with nearly unlimited resources? Fugetaboutit...

    2. Re:Good by Anonymous Coward · · Score: 0

      Then I see a lucrative business opportunity in selling and configuring home router/security appliances to end users.

    3. Re:Good by gtall · · Score: 1

      It will only be smart toilet paper when it wipes me by itself, dumps itself in the toilet, and then flushes itself away.

    4. Re:Good by arth1 · · Score: 1

      Smart toilet paper

      Then I see a lucrative business opportunity in selling and configuring home router/security appliances to end users.

      Or to user ends, as case may be...

  6. Duplicate story by eledill · · Score: 3, Informative

    This is a duplicate of http://m.slashdot.org/story/31...

    1. Re:Duplicate story by xxxJonBoyxxx · · Score: 4, Informative

      Half the editors were too busy fending off a DDOS attack to read their own site. The other half still use a username/password of "admin/admin123" on their home devices and couldn't read their own site because their equipment was currently part of a global botnet.

      More seriously, here's the list of usernames/passwords the bot exploited. Might be worth adding to your personal collection to make sure your scanner notices these.

      root xc3511, root vizxv, root admin, admin admin ,root 888888
      root xmhdipc, root default ,root juantech ,root 123456, root 54321, support support
      root (none) ,admin password ,root root ,root 12345 ,user user ,admin (none)
      root pass ,admin admin1234 ,root 1111 ,admin smcadmin ,admin 1111 ,root 666666
      root password ,root 1234 ,root klv123 ,service service, supervisor supervisor ,guest guest
      guest 12345, , guest 12345, admin1 password ,administrator 1234 ,666666 666666 ,888888 888888
      ubnt ubnt ,root klv1234 ,root Zte521 ,root hi3518 ,root jvbzd ,root anko ,root zlxx. ,root 7ujMko0vizxv ,root 7ujMko0admin
      root system ,root ikwb ,root dreambox ,root user ,root realtek ,root 00000000 ,admin 1111111
      admin 1234 ,admin 12345 ,admin 54321 ,admin 123456 ,admin 7ujMko0admin ,admin 1234 ,admin pass
      admin meinsm ,tech tech ,mother fucker
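
The list above, turned into a defender's audit. The following Python is an added example for this thread, not code from Mirai or from any commenter. It parses the list exactly as pasted (ragged commas, the stray empty entry, `(none)` meaning an empty password, repeated entries) into (username, password) pairs, then checks a device inventory against them, flagging every device that still uses one of the pairs and rating the finding higher when the device also exposes telnet, the service the bot scanned for. The inventory, its device names and the `telnet_open` field are constructed for the example and are not real devices.

```python
"""Audit a device inventory against the default-credential list quoted above.

Added example for this thread; not code from Mirai or from any commenter.
The credential list is the one pasted in the comment above, kept in its
original ragged format so the parser has to cope with it. The inventory is
constructed sample data, not real devices.
"""
from typing import Dict, List, Set, Tuple

Credential = Tuple[str, str]

# The list as pasted in the comment above: comma-separated "user password"
# entries, inconsistent spacing, one stray empty entry, "(none)" for an
# empty password, and a couple of repeated entries.
MIRAI_LIST_RAW = """
root xc3511, root vizxv, root admin, admin admin ,root 888888
root xmhdipc, root default ,root juantech ,root 123456, root 54321, support support
root (none) ,admin password ,root root ,root 12345 ,user user ,admin (none)
root pass ,admin admin1234 ,root 1111 ,admin smcadmin ,admin 1111 ,root 666666
root password ,root 1234 ,root klv123 ,service service, supervisor supervisor ,guest guest
guest 12345, , guest 12345, admin1 password ,administrator 1234 ,666666 666666 ,888888 888888
ubnt ubnt ,root klv1234 ,root Zte521 ,root hi3518 ,root jvbzd ,root anko ,root zlxx. ,root 7ujMko0vizxv ,root 7ujMko0admin
root system ,root ikwb ,root dreambox ,root user ,root realtek ,root 00000000 ,admin 1111111
admin 1234 ,admin 12345 ,admin 54321 ,admin 123456 ,admin 7ujMko0admin ,admin 1234 ,admin pass
admin meinsm ,tech tech ,mother fucker
"""


def parse_credential_list(raw: str) -> Set[Credential]:
    """Turn the pasted list into a set of (username, password) pairs.

    Newlines count as separators too, blank entries are skipped,
    "(none)" becomes the empty password, and duplicates collapse.
    """
    pairs: Set[Credential] = set()
    for entry in raw.replace("\n", ",").split(","):
        tokens = entry.split()
        if not tokens:
            continue  # the stray ", ," in the list and the surrounding newlines
        username = tokens[0]
        password = tokens[1] if len(tokens) > 1 else ""
        if password == "(none)":
            password = ""
        pairs.add((username, password))
    return pairs


# Constructed sample inventory (hypothetical device names and fields).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "cam-frontdoor", "username": "root", "password": "xc3511", "telnet_open": True},
    {"name": "dvr-garage", "username": "admin", "password": "", "telnet_open": False},
    {"name": "ap-attic", "username": "ubnt", "password": "ubnt", "telnet_open": False},
    {"name": "nvr-office", "username": "admin", "password": "Qv8!kd2#pLz9", "telnet_open": True},
]


def audit_inventory(inventory: List[Dict[str, object]],
                    weak: Set[Credential]) -> List[Tuple[str, str]]:
    """Return (device name, severity) for every device using a listed credential.

    A listed credential is "medium" on its own and "high" when the device also
    exposes telnet, since that is the path the bot in the story used.
    """
    findings: List[Tuple[str, str]] = []
    for device in inventory:
        credential = (str(device["username"]), str(device["password"]))
        if credential in weak:
            severity = "high" if bool(device["telnet_open"]) else "medium"
            findings.append((str(device["name"]), severity))
    return findings


if __name__ == "__main__":
    weak = parse_credential_list(MIRAI_LIST_RAW)
    print(f"{len(weak)} unique credential pairs on the list")
    for name, severity in audit_inventory(SAMPLE_INVENTORY, weak):
        print(f"{severity:6} {name}")
```

The parser deliberately keys on the whole pair rather than the password alone: `1234` is a listed password for both `root` and `admin`, but an account named `operator` with that password is a different finding and would need its own policy, so the audit reports exactly what the list says and nothing more.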

    2. Re:Duplicate story by Anonymous Coward · · Score: 0

      That is the password to my luggage! (but no spaces)

    3. Re:Duplicate story by xxxJonBoyxxx · · Score: 1

      >> That is the password to my luggage!

      If you can point me to luggage that accepts the username/password "mother fucker" then I'd buy it. (Unless Samuel Jackson bought the last one.)

  7. ISP responsibility as much as anyone else! by Anonymous Coward · · Score: 0

    ISPs have a responsibility to make sure their subscribers aren't using their network for nefarious purposes. That includes unknowingly so.

    Identify the botnets and their traffic, in turn identify offending IOT devices that are doing this, and revoke the access of the subscriber until they are removed.

    DDOS is against the law. If people were connecting child pr0n spamming devices to the internet instead of garbage pingers, might it get some fucking attention?

    1. Re: ISP responsibility as much as anyone else! by Anonymous Coward · · Score: 1

      My ISP says they will not monitor my traffic without my request or a court order. This is part of their Net Neutrality statement in their TOS. Can't have your cake and eat it too.

    2. Re: ISP responsibility as much as anyone else! by ganjadude · · Score: 1

      That's how the ISP I work for operates. As such, having this code will be able to better help our customers at the ISP level.

      --
      have you seen my sig? there are many others like it but none that are the same
    3. Re: ISP responsibility as much as anyone else! by Anonymous Coward · · Score: 0

      revoke the access of the subscriber

      That's a great way to make millions of subscribers angry, the non-retarded way to do it is just blocking connections to port 23 like they already do with port 25.

    4. Re: ISP responsibility as much as anyone else! by iivel · · Score: 1

      But they will monitor it for you with your consent? Interesting. I'd pay an extra couple bucks a month for a nicely packaged traffic report (as long as I could manage/delete/etc. some of the capture rules). Sure, I could set up my own proxy, or port mirror to a Splunk box, but that could actually be a service a lot of people would buy into out of sheer convenience. Even more so if it was tied to their IDS for heuristic analysis of both outbound and inbound traffic.

  8. Seriously Good News by Anonymous Coward · · Score: 0

    People need to realize the intrinsically insecure nature of the network.
    Stop using it for critical infrastructure.
    Stop trying to use it as a backbone for monetary systems.
    Stop using it to handle important personal data.
    In most cases, this is being done just to cut jobs and save money.
    If Mirai makes people look in the mirror and wake up, it's a good thing.

  9. Eye twitch... by Phics · · Score: 0

    This just in: Post Title for Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released Deemed 'Not Enough Like That Brain Freeze Feeling' on Slashdot

    --
    There are two types of people in the world; those who believe there are two types of people, and those who don't.
  10. Make the systems appear crappy? by Okian+Warrior · · Score: 3, Interesting

    Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.

    Apparently power cycling the IoT device will reset it to normal, whereupon it can be reinfected.

    Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

    The owners would have to keep power-cycling the devices, they'd get pissed at the manufacturers for making a poor product, and maybe they'd replace the devices with newer ones.

    This should be simple to do, much less effort than making the code try to contact the owner with "hey - change your password" and such.

    Would just making the products appear crappy work?

    1. Re:Make the systems appear crappy? by Anonymous Coward · · Score: 0

      Force a recall of the defective devices. That's what these devices are, DEFECTIVE!

    2. Re:Make the systems appear crappy? by arth1 · · Score: 1

      Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.

      "Do unto others before they do it to you."

      I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.

    3. Re:Make the systems appear crappy? by timrod · · Score: 1

      The problem there is that the group behind it would probably be liable under the Computer Fraud and Abuse Act - all it would take is a few calls from the managers at the IoT device companies to the FBI and the security group behind it would be arrested and probably jailed for violating it. The CFAA is so wide-reaching that even something as simple as hacking into the devices to display a simple "This device is vulnerable and could be used at any time as part of a botnet to DDoS websites" could be punished by prison time.

      The real problem is that a lot of the IoT companies have no reason to make their systems secure - there's no pressure on their end if someone pwns all of their devices and uses them in a botnet. There are reports of IoT devices that use hardcoded usernames and passwords expecting the owner to take steps (such as blocking off access to the device except by SSH) that most people are not going to have the technical knowledge to do. The only real answer is to regulate IoT devices and their manufacturers, but even that would be difficult given that many of them are headquartered in China.

    4. Re:Make the systems appear crappy? by duke_cheetah2003 · · Score: 1

      "Do unto others before they do it to you."

      I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.

      Given our history with new technology going mainstream, it'll take a few front page level incidents involving these gadgets before people take their security (or lack there of) seriously.

    5. Re:Make the systems appear crappy? by JustAnotherOldGuy · · Score: 1

      ...or also regulated the propane flow in a barbecue grill?

      Holy fuckballs. Anyone stupid enough to allow an IoT device to control something like the propane flow in a barbecue grill deserves to have their house blown to bits in a huge fuckin' fireball.

      No, really- there are some things that simply should not be automated unless absolutely necessary. And that goes double if the controlling is done through an IoT gadget.

      It's like trusting your newborn's oxygen supply to some ten-dollar gizmo sourced in China. No. No, NO NO.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:Make the systems appear crappy? by thegarbz · · Score: 1

      Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

      History repeats itself

    7. Re:Make the systems appear crappy? by thegarbz · · Score: 1
  11. 502: And his new DDOS protector is .. by burni2 · · Score: 1

    .. loosing the battle

    1. Re:502: And his new DDOS protector is .. by Anonymous Coward · · Score: 0

      Is that like "let slip the dogs of war"?

      Or did you mean "losing"?

    2. Re:502: And his new DDOS protector is .. by Anonymous Coward · · Score: 0

      Was the battle very tight?

    3. Re:502: And his new DDOS protector is .. by Anonymous Coward · · Score: 0

      No, he meant to appear illiterate and stupid.

  12. I'm just thinking... by Anonymous Coward · · Score: 0

    I'm just thinking... if all these IoT devices are insecure to let a hacker take them over, why doesn't a whitehat group just do the same thing, but instead of using the devices maliciously, they modify the device password to something random to make them more secure? Most folks wouldn't even know, and if they ever needed to change their password they could reset their device and figure it out.

    1. Re:I'm just thinking... by Anonymous Coward · · Score: 0

      If they treat IoT devices the same way they treat computer systems, unauthorized access is the crime. No malicious action required.

      There's a book called "Kingpin" based on the life of a hacker named Max Butler. He wrote a worm which went into systems and patched a vulnerability in BIND. The government prosecuted him for "unauthorized access" to their systems.

  13. Duplicate story by Topwiz · · Score: 1

    The same story was posted yesterday.

  14. Burn it to the ground by GrumpySteen · · Score: 4, Interesting

    Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

    1. Re:Burn it to the ground by ThatsNotPudding · · Score: 1

      Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

      So they lock themselves out of a *third* sale? Doubtful. Easier to just change brand names; boxes and labels are cheap to make in the Pacific Rim.

    2. Re:Burn it to the ground by rhazz · · Score: 2

      And their new products will also tank. Soon the majority of people will stop buying from random vendors and only buy from reputed ones who have proven products.

      The real problem is how authorities are likely to react to someone breaking these devices. Breaking every hackable IoT device out there is likely to cause much more consumer backlash than the occasional DDOS does. I bet the authorities would expend more against the person breaking the devices than the ones using them in the botnets.

    3. Re:Burn it to the ground by Anonymous Coward · · Score: 0
    4. Re:Burn it to the ground by chispito · · Score: 1

      Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

      That sounds ethical. While you're at it, why not have them first DDOS the websites of political entities you find objectionable?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re:Burn it to the ground by Anonymous Coward · · Score: 0

      Here's the source and instructions

    6. Re:Burn it to the ground by GrumpySteen · · Score: 1

      why not have them first DDOS the websites of political entities you find objectionable?

      Because manufacturers don't give a shit about someone else being hit with a DDOS from their products.

      Your argument is based on the completely fallacious idea that a manufacturer suffering the consequences of making shoddy products is exactly the same as randomly suppressing someone's political views. It's a stupid argument.

      Until not having real security reduces their profit more than the cost of adding security, nothing will happen. Malware that disables the functionality of devices and makes it obvious to end-users that the devices have no real security is one way of accomplishing that goal.

    7. Re:Burn it to the ground by Anonymous Coward · · Score: 1

      Why not have them first DDOS the websites of their manufacturer?

    8. Re:Burn it to the ground by LordWabbit2 · · Score: 1

      The manufacturers don't give a shit, and I bet the people who haven't secured their own devices give even less of a shit as well. They WILL give a shit if their IoT device gets borked however, even if the intention was altruistic the legal response will put you in jail. I don't feel like doing time to stop Krebs, or Trump or Hillary or anyone else from getting DDOS'd. But hey, it's a good idea, go for it.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  15. Re:Grey-hat by donaldm · · Score: 0

    We need a grey-hat to take this and use it to "secure" all the insecure IoT devices, be it patching, changing passwords, or bricking them.

    The problem you have here is that if you get caught attempting to crack IoT devices even with the best of intentions you could be charged as a criminal cracker. The only way to legally run network sniffing software which can also include tools like Wireshark is to actually get written permission and therein lies the problem.

    Anyone who has worked in the enterprise should be well aware of the tiered bureaucracy of the organisation and how some departments can be downright antagonistic to others to the point where cooperation is almost impossible. So say you have someone who offers to test IoT in a particular organization but is not a member of the department who should be responsible for testing the hardware, or worse yet there are multiple departments involved. Honestly, without written permission from the CEO any well meaning "grey hat" risks a prison term.

    The best solution is for ISPs to be aware and have the ability to pinpoint the sites where these IoT devices have been compromised and submit a report that can't be disputed to a particular body that has the power to fine the organisations responsible for lax security. I am not holding my breath for something like this to occur though.

    --
    There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
  16. This is not a PEBCAK problem? by Anonymous Coward · · Score: 0

    I mean, what would happen if you used a strong passphrase?

    1. Re:This is not a PEBCAK problem? by arth1 · · Score: 1

      I mean, what would happen if you used a strong passphrase?

      Some of the Things on Internet (ToIs) would heat up and catch fire, because hashing algorithms on long strings is the straw that breaks the camel's CPU, busy as it is running looping ajax applications and digesting log files for sending to the mothership.

    2. Re:This is not a PEBCAK problem? by AHuxley · · Score: 1

      The same reason so few had https in the past, most just want to get their brands out. When all the security comes on one cheap chip, they will up sell that in a few years.
      Until then it's just getting their brand into each home and online hype about the internet being on their easy to use devices.
      Security is a cost to buy on another chip, a cost to design, to keep cool, test, add, build, then support.
      When standards change, a device is stranded with a user looking for their passphrase. The box or some paperwork that was once in the device's packaging.
      To the user it's the fault of the brand if they have to set anything new up, rather than have instant discovery on any new or old wireless network.
      Consumers don't want to keep a box, read a long unique number stuck on some folded paper and have to press 5-20 keys on a keyboard to get a device seeing a network.
      Or just ship every device with admin, admin and try and ask the user to enter a stronger password?

      --
      Domestic spying is now "Benign Information Gathering"
  17. Yay! A dupe of a story still on the front page! by Anonymous Coward · · Score: 0

    Dupe

    It took me all of 0.5 seconds to spot this dupe. Do editors get paid? How do I apply for this job?

    1. Re:Yay! A dupe of a story still on the front page! by Frank+Burly · · Score: 1

      Send in two résumés

  18. This is good news by Anonymous Coward · · Score: 0

    What happened to hacker ethics? Releasing an exploit (as opposed to selling it to some government agency) used to be good news. It's the only chance that manufacturers and users will start worrying about securing their devices. Making them liable might also help.

    1. Re:This is good news by naughtynaughty · · Score: 1

      I wouldn't really call it an exploit to try a set of default passwords on telnet connections.

    2. Re:This is good news by Anonymous Coward · · Score: 0

      Yup, either they are forced to secure because their products will quickly tank from being rendered worthless from hacks shortly after being turned on, or they are forced to secure because now they are liable. As is always the case the only thing that gets things fixed is money, or potential loss of it.

    3. Re:This is good news by Anonymous Coward · · Score: 0

      1996 called!!

      they want their "remote exploit" back

    4. Re:This is good news by Anonymous Coward · · Score: 0

      I think you will find that the only people who speak of hacker ethics are well out of their angry teen years.

  19. Paid too much by stabiesoft · · Score: 1

    I built my own using a beagle bone and assorted parts (opto-triacs, P/S and xformer) for under a hundred.

  20. Really? by kiviQr · · Score: 1

    ...and somehow houses/cars/etc. get doors with unique keys by default.

    1. Re:Really? by Anonymous Coward · · Score: 0

      Not really. Houses, for one, come with keys that are not unique at all. It's just not possible to know to which other houses you already happen to have a key. But then again, most door locks can be opened even without a matching key anyway.

    2. Re:Really? by Anonymous Coward · · Score: 0

      To be fair, less so than you'd hope. For a typical suburban house (not elite anti-pick locks for a high risk inner city estate) there might only be a few hundred thousand variants of the key to the front door. The key manufacturer wants to sell a LOT of locks for a low price, so they don't bother using precision parts, and maybe there's only 6 pins each having 9 possible positions, with some physical clashes ruled out so that in the end only about 300 000 combinations exist, and they sell those locks to 5 million people. But that means everybody in one of those homes shares an exactly matching key with maybe a dozen or so others they've never met.

      Or say you live in an apartment complex. Probably they'll choose better quality locks, but also they want a master system, so that one key opens the front door to your building AND your personal living space for convenience. So there may be 5 million possible keys, but they're carved off into smaller keyspaces issued to particular buildings. This time your key probably really is unique; the manufacturer usually undertakes not to sell duplicates to anyone who can't prove they have the originals, so certainly no-one else has the same by default. But on the other hand, it's very, very similar to the one for the apartment down the hall. A decent lock guy could use their key to figure out how to open your door.

      Cars were _awful_ until the turn of the century, much worse than front doors, in a model with 5 million on the road, there might be only 100 000 different keys. It genuinely was possible to have someone forget where they parked, see your car, try their key, it works (or works well enough they can get the door open at least) and then they're surprised it's got all your shit in it ...

    3. Re:Really? by Anonymous Coward · · Score: 0

      Houses, for one, come with keys that are not unique at all. It's just not possible to know to which other houses you already happen to have a key.

      It's also really inconvenient to go around to all the houses in your neighborhood, let alone your city, to see whether your key opens their lock. It's pretty easy to test a known User/Pass combination on a hundred million different IP addresses.

    4. Re:Really? by Etcetera · · Score: 1

      Houses, for one, come with keys that are not unique at all. It's just not possible to know to which other houses you already happen to have a key.

      It's also really inconvenient to go around to all the houses in your neighborhood, let alone your city, to see whether your key opens their lock. It's pretty easy to test a known User/Pass combination on a hundred million different IP addresses.

      And this is precisely the problem with inter-connectivity, and the 'I' in 'IoT': HOBE, or at least Hack Once, Easily Scan For Open Doors.

      The world of physically disconnected systems that can't be defeated without physical presence (or near-physical presence, like a couple of the more esoteric side-channel attacks reading keys from chip EM output) means that having successfully figured out the key to one house is basically useless. There's both a) no quick and easy way to know what other houses you can now get into, and b) no quick and easy way to actually get into those houses without physically walking up to the front doors.

      Massive interconnectivity makes it trivial to scan and trivial to execute the hack once your scan has run (these can be intermingled, but they're distinct).

  21. Stop telnet ? by Anonymous Coward · · Score: 0

    How many things of value would fail if ISPs blocked the telnet port?

  22. Sidestep the ethical problem with that by Solandri · · Score: 1

    Bricking the device negatively impacts the end-user, who frequently has zero control over security flaws in the firmware. Instead, the malware should figure out who the manufacturer is of the device it's infected, then start DDoSing that manufacturer's website. Minimal impact to the end-user, but the manufacturer's problem scales with the number of insecure devices they sell and leave unfixed.

  23. Can I use this to get the video feeds? by Anonymous Coward · · Score: 0

    I have a computer program that needs all the video feeds to find people who might be involved in "interesting" incidents.