Slashdot Mirror

← Back to Stories (view on slashdot.org)

Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

Posted by msmash on from the security-woes dept.

As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry about: a hacker has made available the source code that could allow more people to wage the kinds of extraordinary large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports:The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

75 of 117 comments (clear)

  1. Oh great by JustAnotherOldGuy · · Score: 3, Informative

    Oh great, now every dickweasel and conehead in the world will be cranking out malware.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: Oh great by Anonymous Coward · · Score: 1

      Let's see a list of manufacturers to never buy from. That would be one good thing coming out of this...

    2. Re: Oh great by mlw4428 · · Score: 4, Interesting

      That's a stupid line of thinking, it really is. Automobiles, as convenient as they may be, don't outweigh the inconvenience of the increased public expenditure on accidents, insurance, infrastructure, and pure risk to persons and property. So we should all just have horses and buggies.

      Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

      It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

    3. Re: Oh great by shadowp157 · · Score: 1

      Or even simpler: No "hidden" backdoors, No default User/Pass, No Jail Time or Fines. If you sell more than 1000 devices you must have your product certified.

    4. Re: Oh great by Archangel+Michael · · Score: 1, Redundant

      You can't blame Ford for the bad driving of the people crashing their cars. You can blame Ford for faulty mechanics. Most of your comparison is based on bad drivers, not Mechanical Problems. For the Most part, cars are relatively safe until people start driving.

      However, just about every IoT device that is faulty is broken by design. And they aren't being made by GE, Samsung or whatever, but by some Chinese fly-by-night cheap manufacturer for some IoT "inventor" who doesn't have the resources to pay out anything. That "massive lawsuit" isn't so massive. And the person you jailed, isn't the crappy manager who said "I don't care" when the engineer said that hard coding the username and password is a bad idea. I have that kind of boss right now, who thinks that convenience outweighs security, and will side with the idiot user against better judgement. After all, if it isn't easy for the average idiot, they won't buy it.

      You really need to put the blame where it belongs ... on the idiot user, who is responsible for their own damn choices.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re: Oh great by arth1 · · Score: 4, Funny

      Right now I can purchase an IoT appliance that controls my lawn sprinklers for about $250 that adjusts the water output based on the weather in the area.

      Your proposal would probably make that same IoT appliance cost around $250,000. No sane person would ever spend that much money on a device that controls a sprinkler system since that appliance would never pay for itself.

      Well, good. You shouldn't be wasting water on lawns anyhow.

    6. Re: Oh great by SmokeyRobot · · Score: 1

      The code scans across over a dozen architectures so unless someone alters the code to recreate the botnet but echo data about the devices to a central location then you are relying on the good will of companies to commit sepuku.

    7. Re: Oh great by naughtynaughty · · Score: 4, Informative

      Almost all manufactures ship devices with default username and passwords

      Changing them is your responsibility

    8. Re: Oh great by amicusNYCL · · Score: 1

      I think a better use of this botnet would be to flood the manufacturers' websites. Maybe then they'll start caring about security.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    9. Re: Oh great by Anonymous Coward · · Score: 1

      Sure. Used to be in the UK if you bought say, a refrigerator, it didn't come with an electrical plug. Really. Whole fridge works, ready to go but no plug. That would come wrapped separately with just a bare lead on the fridge.

      Obviously every year some number of imbeciles who bought a fridge but struggled to follow instructions that involve knowing the colours of things and operating a screwdriver would wire it up wrong and kill themselves or destroy the integrity of their electrical system (e.g. wiring neutral across earth so that suddenly there's no real earth safety...) but the product makers would just say well, we put clear instructions on it, what do you want?

      And the answer was: Fit the plug at the factory. At the factory people already correctly put wire A in slot A 99.999% of the time, because if they didn't none of the fridges would work, so this is safer. Sure enough, despite moaning from the world's small-C conservatives who've never seen anything change in any way that they didn't hate, this caused accident rates to drop. Selling any consumer electrical item that needs a plug, without the plug fitted, became illegal, the same way it would always have been illegal to supply it pre-wired to explode and burn. "Oh ma civil liberties" Yeah, fuck off now.

      Similarly, we could just legislate that IoT devices with shared default passwords aren't fit for sale. I mean, they're not, are they? This is fixable, just like the electrical plugs in the UK, it's just that nobody wants to spend tuppence to fix it unless they're _forced_ to. So we have to force them.

    10. Re: Oh great by Macdude · · Score: 2

      Almost all manufactures ship devices with default username and passwords
      Changing them is your responsibility

      The device should require the username and password be changed before it will function.

      --
      "Grab them by the pussy" -- President of the United States of America
    11. Re: Oh great by thegarbz · · Score: 1

      It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

      Yes because the law is only a problem for information security negligence and these massive lawsuits, payouts, etc have stopped every other form of short cutting.

      Or not.

    12. Re: Oh great by thegarbz · · Score: 1

      Because over regulation is working so well for you right now. What's the street price of medical gear right now in the USA? 10x that of the rest of the world? 20x? could even be closer to 30x given I can buy an Epipen for $23.99

    13. Re: Oh great by phantomfive · · Score: 1

      And the quality of medical code isn't very good, still.......

      --
      "First they came for the slanderers and i said nothing."
    14. Re: Oh great by St.Creed · · Score: 1

      That's not because of overregulation, but because of a pricing strategy called "what the market will bear". This is quite a bit more for critical drugs and gear than for toys, as pharmaceutical companies have discovered.

      If it was overregulation the price would have gone up everywhere, since pharmacovigilance regulations are pretty similar across the board. Okay, maybe some price disparity would have been there because some regulators require less proof. But still, this can never explain a 30x price differential.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    15. Re: Oh great by MightyDrunken · · Score: 1

      Almost all manufactures ship devices with default username and passwords

      Changing them is your responsibility

      With the source code for Mirai that became a whole lot easier for me to do ;)

      --
      The most dangerous drug
    16. Re: Oh great by gweihir · · Score: 1

      Actually, making sure you change username and password is their responsibility. The well-established way to do that is that unless you do, the device just displays a page asking you to. So this is indeed a massive screwup on the manufacturer's side.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re: Oh great by gweihir · · Score: 1

      While it sounds extreme, I completely agree. Without that, nothing is going to change. As soon as anybody that did screw up this badly has to prove they followed best practices and had independent review OR ELSE (and the "ELSE" must be personal for senior management), this problem will mostly go away. One model could be IoT devices this insecure must be recalled and the owners compensated generously. Cannot assure that? No way for your trash to get through customs. Yes, regulation is generally not a good idea, but I do not think there is an alternative here.

      Makers of FOSS would of course not be affected, only manufacturers using FOSS insecurely.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    18. Re: Oh great by plover · · Score: 1

      THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)

      No, you need to not buy IoT devices that ship with working default passwords and that can't patch themselves. The way we made that happen in the marketplace before with electrical safety issues was with an overpriced certification authority, like UL or CSA, something customers can recognize in the shops today by the shiny holographic label.

      --
      John
    19. Re: Oh great by r2rknot · · Score: 1

      Issue with this: The presumption that product manufacturers can be held liable for how their products are used illegally. This idea is not new (see holding gun manufacturers liable for crimes committed with their products), and will not work.

      Try an alternative route.

      --
      "...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
  2. just now by Nick · · Score: 1

    It's amazing that is just now becoming a thing. IoT devices and their piss-poor security/default passwords/etc have been out for a while.

    --
    Fuck Ajit Pai
    1. Re:just now by gweihir · · Score: 1

      Quite a few experts have been warning about this problem for years. People never listen until something bad happens....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:just now by gweihir · · Score: 1

      Go away, noob. Stalking does make your credibility even lower. As does trying to deride actual experts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:just now by Shane_Optima · · Score: 1

      Actual experts can succinctly explain why they consider something to be massively flawed.

      And I'm not going to take etiquette advice from someone who uses sock puppets or minions, thanks. I'm performing a useful service; I'll be fact-checking all of your stuff for a little while. Won't take me 5 minutes a day. Don't worry, all other posts will be strictly on-topic from here on out.

      I don't mind losing debates, but I no longer abide frauds. Particularly not frauds who apologize for incompetence.

    4. Re:just now by gweihir · · Score: 1

      Stalking and deriding are not "fact checking". They are just immature revenge for a bruised ego. Your "usefulness" is just going even wider into the negative this way.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:just now by gweihir · · Score: 1

      Keep kidding yourself. You are doing the "mad stalker" act now. I just checked whether I should return the favor, but your postings are not interesting enough for that. I am simply going to ignore you now, encouraging a petulant child is never a good idea.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re: just now by iivel · · Score: 1

      If you have that kind of time, I'd welcome a fact checker for all of my posts on /., FB, my personal blog, LinkedIn, etc. Would save me some embarrasement and help me improve my positions and arguments. I don't post much, so it'd be easy & would be good for my persuasive debate skills. Call it a "peer review" :) Now that I think about it, a "post for review" premium option for social platforms (or plugin to other CMS platforms) that sends the content to mechanical turk (or some other service) for review in a normal 3 step publishing workfkow would be awesome. Set up my preferances on what type of errors I want checked, use hLDA and sentiment analysis to provide the reviewer(s) insight and context to my typical answers on a topic to provide insight. Quickly get back an editorial copy. Submit knowing that professional and personal posts are consistent and accurate across all platforms. I could go for that.

    7. Re: just now by gweihir · · Score: 1

      Nice! ;-)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re: just now by Shane_Optima · · Score: 1

      Like I said, I'll be devoting something on the order of 5 min/day to this, perhaps 10. You'd have to write on the same complexity level of gweihir, and include similarly glaring errors, for me to be able to scan through all your posts that quickly.

  3. Headline translation by JustAnotherOldGuy · · Score: 1

    Headline translation: "We're Doomed."

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Headline translation by The-Ixian · · Score: 3, Funny

      I fully expect that we are facing nothing less than total apocalypse

      This is the end people!

      Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Headline translation by Archangel+Michael · · Score: 1

      More like this is the start of Skynet. Just wait until the AI we are creating get a hold of all the IoT devices ...

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:Headline translation by arth1 · · Score: 1

      Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

      Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline. If all the people who worked on it hadn't, it would have been a rather terrible impact.

      Unfortunately, there isn't (yet) an irresistible incentive or imperative to fix the ToI problem. Even for those recognizing it as a problem, there is no deadline nor any good predictions that will sway management to invest large resources into fixing anything.

    4. Re:Headline translation by JustAnotherOldGuy · · Score: 1

      I fully expect that we are facing nothing less than total apocalypse
      This is the end people!

      Start doling out the Kool-Aid and make sure each cup is filled to the brim...bottoms up!

      But seriously, this is likely to make things worse, much much worse.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Headline translation by JustAnotherOldGuy · · Score: 2

      Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

      This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:Headline translation by St.Creed · · Score: 3, Insightful

      Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

      This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

      Hell yeah. In our first tests after the bugs were fixed, literally NOTHING worked. They had forgotten to patch the login module and every password valid date was now suddenly in the past. 50 testers went home again that day, after an hour, on a saturday. Much grumbling ensued.

      But... you know, at some point noone who was present at Y2K will be alive, but the people who denied that there ever was a problem will still be in abundant supply. It's saddening to see that if you just deny something happened, no matter what it is and no matter the documentation and witnesses, eventually sheer stupidity and mental inertia will bring you victory. Fighting entropy is *hard*.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    7. Re:Headline translation by LordWabbit2 · · Score: 1

      noone who was present at Y2K will be alive

      You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
      I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions was spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    8. Re:Headline translation by St.Creed · · Score: 1

      You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype

      Yep.

      You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
      I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions was spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.

      This illustrates what is often said: the person that creates crisis after crisis and then fixes them (just in time to avoid serious disaster) will be appreciated more than the unsung hero who prevents the problems from developing in the first place. Sometimes I think we should have just let Y2K happen and then fixed things. But meh, what's done is done and besides it is our job to keep things running. Leave it to the amateurs to run from one fire to another - engineers are proud to run things so there are no problems.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  4. Good by clonehappy · · Score: 1

    Better that it's out in the open than hidden in the shadows, out of reach of security researchers.

    This will motivate competent admins who, for whatever reason, haven't secured these kinds of devices already to get around to taking care of the issue. As for the incompetent admins and the average home user, they'll figure it out when their bandwidth costs go through the roof and be forced to take action one way or another.

    But long story short, if a tool exists (good or bad) it's better that everyone can access it rather than just the bad guys.

    1. Re:Good by Moof123 · · Score: 2

      Most of these are not on any administrated system. These are baby monitors, home security cameras, "smart" toasters, and similar junk. We are selling piles of internet connected junk to the masses, but with no responsibility for anyone to make them secure after the fact. It is in fact getting harder to find widgets that are NOT internet connected just for the sake of being able to label it "smart".

      Smart toilet paper that tells you when the roll is about empty and automatically re-orders from Amazon will be the next BIG thing!!!

      The hassles with just getting all the connected crap in a typical house to work are too much, getting random fly-by-night electronic gizmo's to be secure against state sponsored hackers with nearly unlimited resources? Fugetaboutit...

    2. Re:Good by gtall · · Score: 1

      It will only be smart toilet paper when it wipes me by itself, dumps itself in the toilet, and then flushes itself away.

    3. Re:Good by arth1 · · Score: 1

      Smart toilet paper

      Then I see a lucrative business opportunity in selling and configuring home router/security appliances to end users.

      Or to user ends, as case may be...

  5. Duplicate story by eledill · · Score: 3, Informative

    This is a duplicate of http://m.slashdot.org/story/31...

    1. Re:Duplicate story by xxxJonBoyxxx · · Score: 4, Informative

      Half the editors were too busy fending off a DDOS attack to read their own site. The other half still use a username/password of "admin/admin123" on their home devices and couldn't read their own site because their equipment was currently part of a global botnet.

      More seriously, here's the list of usernames/passwords the bot exploited. Might be worth adding to your personal collection to make sure your scanned notices these.

      root xc3511, root vizxv, root admin, admin admin ,root 888888
      root xmhdipc, root default ,root juantech ,root 123456, root 54321, support support
      root (none) ,admin password ,root root ,root 12345 ,user user ,admin (none)
      root pass ,admin admin1234 ,root 1111 ,admin smcadmin ,admin 1111 ,root 666666
      root password ,root 1234 ,root klv123 ,service service, supervisor supervisor ,guest guest
      guest 12345, , guest 12345, admin1 password ,administrator 1234 ,666666 666666 ,888888 888888
      ubnt ubnt ,root klv1234 ,root Zte521 ,root hi3518 ,root jvbzd ,root anko ,root zlxx. ,root 7ujMko0vizxv ,root 7ujMko0admin
      root system ,root ikwb ,root dreambox ,root user ,root realtek ,root 00000000 ,admin 1111111
      admin 1234 ,admin 12345 ,admin 54321 ,admin 123456 ,admin 7ujMko0admin ,admin 1234 ,admin pass
      admin meinsm ,tech tech ,mother fucker

    2. Re:Duplicate story by xxxJonBoyxxx · · Score: 1

      >> That is the password to my luggage!

      If you can point me to luggage that accepts the username/password "mother fucker" then I'd buy it. (Unless Samuel Jackson bought the last one.)

  6. Make the systems appear crappy? by Okian+Warrior · · Score: 3, Interesting

    Reading about this, I was wondering is there isn't some way to mitigate the problem by pre-emptively borking the devices.

    Apparently power cycling the IoT device will reset it to normal, whereupon it can be reinfected.

    Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

    The owners would have to keep power-cycling the devices, they'd get pissed at the manufacturers for making a poor product, and maybe they'd replace the devices with newer ones.

    This should be simple to do, much less effort than making the code try to contact the owner with "hey - change your password" and such.

    Would just making the products appear crappy work?

    1. Re:Make the systems appear crappy? by arth1 · · Score: 1

      Reading about this, I was wondering is there isn't some way to mitigate the problem by pre-emptively borking the devices.

      "Do unto others before they do it to you."

      I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.

    2. Re:Make the systems appear crappy? by timrod · · Score: 1

      The problem there is that the group behind it would probably be liable under the Computer Fraud and Abuse Act - all it would take is a few calls from the managers at the IoT device companies to the FBI and the security group behind it would be arrested and probably jailed for violating it. The CFAA is so wide-reaching that even something as simple as hacking into the devices to display a simple "This device is vulnerable and could be used at any time as part of a botnet to DDoS websites" could be punished by prison time.

      The real problem is that a lot of the IoT companies have no reason to make their systems secure - there's no pressure on their end if someone pwns all of their devices and uses them in a botnet. There are reports of IoT devices that use hardcoded usernames and passwords expecting the owner to take steps (such as blocking off access to the device except by SSH) that most people are not going to have the technical knowledge to do. The only real answer is to regulate IoT devices and their manufacturers, but even that would be difficult given that many of them are headquartered in China.

    3. Re:Make the systems appear crappy? by duke_cheetah2003 · · Score: 1

      "Do unto others before they do it to you."

      I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.

      Given our history with new technology going mainstream, it'll take a few front page level incidents involving these gadgets before people take their security (or lack there of) seriously.

    4. Re:Make the systems appear crappy? by JustAnotherOldGuy · · Score: 1

      ...or also regulated the propane flow in a barbecue grill?

      Holy fuckballs. Anyone stupid enough to allow as IoT device to control something the propane flow in a barbecue grill deserves to have their house blown to bits in a huge fuckin' fireball.

      No, really- there are some things that simply should not be automated unless absolutely necessary. And that goes double if the controlling is done through an IoT gadget.

      It's like trusting your newborn's oxygen supply to some ten-dollar gizmo sourced in China. No. No, NO NO.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Make the systems appear crappy? by thegarbz · · Score: 1

      Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

      History repeats itself

    6. Re:Make the systems appear crappy? by thegarbz · · Score: 1

      Prior art

  7. 502: And his new DDOS protector is .. by burni2 · · Score: 1

    .. loosing the battle

  8. Duplicate story by Topwiz · · Score: 1

    The same story was posted yesterday.

  9. Burn it to the ground by GrumpySteen · · Score: 4, Interesting

    Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

    1. Re:Burn it to the ground by ThatsNotPudding · · Score: 1

      Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

      So they lock themselves out of a *third* sale? Doubtful. Easier to just change brand names; boxes and labels are cheap to make in the Pacific Rim.

    2. Re:Burn it to the ground by rhazz · · Score: 2

      And their new products will also tank. Soon the majority of people will stop buying from random vendors and only buy from reputed ones who have proven products.

      The real problem is how authorities are likely to react to someone breaking these devices. Breaking every hackable IoT device out there is likely to cause much more consumer backlash than the occasional DDOS does. I bet the authorities would expend more against the person breaking the devices than the ones using them in the botnets.

    3. Re:Burn it to the ground by chispito · · Score: 1

      Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

      That sounds ethical. While you're at it, why not have them first DDOS the websites of political entities you find objectionable?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Burn it to the ground by GrumpySteen · · Score: 1

      why not have them first DDOS the websites of political entities you find objectionable?

      Because manufacturers don't give a shit about someone else being hit with a DDOS from their products.

      Your argument is based on the completely fallacious idea that a manufacturer suffering the consequences of making shoddy products is exactly the same as randomly suppressing someone's political views. It's a stupid argument.

      Until not having real security reduces their profit more than the cost of adding security, nothing will happen. Malware that disables the functionality of devices and makes it obvious to end-users that the devices have no real security is one way of accomplishing that goal.

    5. Re:Burn it to the ground by Anonymous Coward · · Score: 1

      Why not have them first DDOS the websites of their manufacturer?

    6. Re:Burn it to the ground by LordWabbit2 · · Score: 1

      The manufacturers don't give a shit, and I bet the people who haven't secured their own devices give even less of a shit as well. They WILL give a shit if their IoT device gets borked however, even if the intention was altruistic the legal response will put you in jail. I don't feel like doing time to stop Krebs, or Trump or Hillary or anyone else from getting DDOS'd. But hey, it's a good idea, go for it.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  10. Re: ISP responsibility as much as anyone else! by Anonymous Coward · · Score: 1

    My ISP says they will not monitor my traffic without my request or a court order. This is part of their Net Neutrality statement in their TOS. Can't have your cake and eat it to.

  11. Re:This is not a PEBCAK problem? by arth1 · · Score: 1

    I mean, what would happen if you used a strong passphrase?

    Some of the Things on Internet (ToIs) would heat up and catch fire, because hashing algorithms on long strings is the straw that breaks the camel's CPU, busy as it is running looping ajax applications and digesting log files for sending to the mothership.

  12. Re:Well, that's going to suck by naughtynaughty · · Score: 2

    Their security was fine, as long as you changed the default password.

    Devices really do need a recovery mechanism from someone losing their password and a hard reset back to a default is fine with me.

    That people buy a security camera and then leave it with its default password is the problem.

  13. Paid too much by stabiesoft · · Score: 1

    I built my own using a beagle bone and assorted parts (opto-triacs, P/S and xformer) for under a hundred.

  14. Re:This is good news by naughtynaughty · · Score: 1

    I wouldn't really call it an exploit to try a set of default passwords on telnet connections.

  15. Re:Yay! A dupe of a story still on the front page! by Frank+Burly · · Score: 1

    Send in two résumés

  16. Re:Well, that's going to suck by xxxJonBoyxxx · · Score: 1

    >> Their security was fine, as long as you changed the default password.

    Sorry, telnet's just not cool in 2016.

    >> That people buy a security camera and then leave it with its default password is the problem.

    Some manufactures HAVE figured out a better way: a different default password for each device. Any company that still has a single common password for multiple devices these days is asking for a lawsuit.

  17. Re: ISP responsibility as much as anyone else! by ganjadude · · Score: 1

    thats how the ISP i work for operates. As such having this code will be able to better help our customers at the ISP level

    --
    have you seen my sig? there are many others like it but none that are the same
  18. Really? by kiviQr · · Score: 1

    ...and somehow houses/cars/etc. get doors with unique keys by default.

    1. Re:Really? by Etcetera · · Score: 1

      Houses, for one, come with keys that are not unique at all.It's just not possible to know to which other houses you already happen to have a key.

      It's also really inconvenient to go around to all the houses in your neighborhood, let alone your city, to see whether your key opens their lock. It's pretty easy to test a know User/Pass combination on a hundred million different IP addresses.

      And this is precisely the problem with inter-connectivity, and the 'I' in 'IoT': HOBE, or at least Hack Once, Easily Scan For Open Doors.

      The world of physically disconnected systems that can't be defeated without physical presence (or near-physical presence, like a couple of the more esoteric side-channel attacks reading keys from chip EM output) means that having successfully figured out the key to one house is basically useless. There's both a) no quick and easy way to know what other houses you can now get into, and b) no quick and easy way to actually get into those houses without physically walking up to the front doors.

      Massive interconnectivity makes it trivial to scan and trivial to execute the hack once your scan has run (these can be intermingled, but they're distinct).

      --
      Hire a Linux system administrator, systems engineer,
  19. Re:Well, that's going to suck by The-Ixian · · Score: 1

    Their security was fine, as long as you changed the default password.

    And, you know, don't connect them directly to the Internet....

    --
    My eyes reflect the stars and a smile lights up my face.
  20. Sidestep the ethical problem with that by Solandri · · Score: 1

    Bricking the device negatively impacts the end-user, who frequently has zero control over security flaws in the firmware. Instead, the malware should figure out who the manufacturer is of the device it's infected, then start DDoSing that manufacturer's website. Minimal impact to the end-user, but the manufacturer's problem scales with the number of insecure devices they sell and leave unfixed.

  21. Re:This is not a PEBCAK problem? by AHuxley · · Score: 1

    The same reason so few had https in the past, most just want to get their brands out. When all the security comes on one cheap chip, they will up sell that in a few years.
    Until then its just getting their brand into each home and online hype about the internet been on their easy to use devices.
    Security is a cost to buy on an another chip, a cost to design, to keep cool, test, add, build, then support.
    When standards change, a device is stranded with a user looking for their passphrase. The box or some paperwork that was once in the devices packaging.
    To the user its the fault of the brand if they have to set anything new up, rather than have instant discovery on any new or old wireless network.
    Consumers don't want to keep a box, read a long unique number stuck on some folded paper and have to press 5-20 keys on a keyboard to get a device seeing a network.
    Or just ship every device with admin, admin and try and ask the user to enter a stronger password?

    --
    Domestic spying is now "Benign Information Gathering"
  22. Re: ISP responsibility as much as anyone else! by iivel · · Score: 1

    But they will monitor it for you with your consent? Interesting. I'd pay an extra couple bucks a month for a nicely packaged traffic report (as long as I could manage/delete/etc. some of the capture rules). Sure, I could set up my own proxy, or port mirror to a Splunk box, but that could actually be a service a lot of people would buy into out of sheer convenience. Even moreso if it was tied to their IDS for hueristic analysis of both outbound and inbound traffic.