Slashdot Mirror


DHS Warns of Mirai Botnet Threat To Cellular Modems (securityledger.com)

chicksdaddy writes from a report via The Security Ledger: The Mirai malware that is behind massive denial of service attacks involving hundreds of thousands of "Internet of Things" devices may also affect cellular modems that connect those devices to the internet, the Department of Homeland Security (DHS) is warning. An alert issued by DHS's Industrial Control System CERT on Wednesday warned that cellular gateways manufactured by Sierra Wireless are vulnerable to compromise by the Mirai malware. While the routers are not actively being targeted by the malware, "unchanged default factory credentials, which are publicly available, could allow the devices to be compromised," ICS-CERT warned. The alert comes after a number of reports identified devices infected with the Mirai malware as the source of massive denial of service attacks against media websites like Krebs on Security and the French hosting company OVH. The attacks emanated from a global network of hundreds of thousands of infected IP-enabled closed circuit video cameras, digital video recorders (DVRs), network video recorders (NVRs) and other devices. Analysis by the firm Imperva found that Mirai is purpose-built to infect Internet of Things devices and enlist them in distributed denial of service (DDoS) attacks. The malware searches broadly for insecure or weakly secured IoT devices that can be remotely accessed and broken into with easily guessed (factory default) usernames and passwords. The report adds: "Sierra said in an alert that the company has 'confirmed reports of the 'Mirai' malware infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet.' Sierra Wireless LS300, GX400, GX/ES440, GX/ES450, and RV50 were identified in the bulletin as vulnerable to compromise by Mirai. Furthermore, devices attached to the gateway's local area network may also be vulnerable to infection by the Mirai malware, ICS-CERT warned.
Sierra Wireless asked affected users to reboot their gateway. Mirai is memory resident malware, meaning that it is erased upon reboot. Furthermore, administrators were advised to change the password to the management interface by logging in locally, or remotely to a vulnerable device."
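The summary above describes how Mirai spreads: not through a software bug, but by trying a short list of factory-default usernames and passwords against management interfaces that are reachable from the internet. From a defender's side that activity has a recognisable shape in authentication logs: one source address cycling through many different default accounts within seconds, rather than one legitimate user mistyping a password. The following is an added example (not code from the Slashdot summary, The Security Ledger, ICS-CERT or Sierra Wireless) that picks that pattern out of OpenSSH-style auth log lines. The log lines are constructed, and the set of default account names is a small illustrative subset assumed for the example rather than a list taken from the article; tune it to the defaults your own gear ships with.

```python
"""
Detect Mirai-style default-credential scanning in sshd-format auth logs.
Added example; the log lines and the default-account list are constructed
assumptions for illustration, not data from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Factory-default account names commonly cycled through by IoT credential
# scanners. Assumed subset for illustration; extend with your devices' defaults.
DEFAULT_IOT_USERS = {"root", "admin", "user", "support", "guest", "service",
                     "supervisor", "ubnt", "administrator"}

# Standard OpenSSH auth.log shapes (syslog timestamp carries no year):
#   ... sshd[PID]: Failed password for root from 203.0.113.5 port 40122 ssh2
#   ... sshd[PID]: Failed password for invalid user admin from 203.0.113.5 ...
#   ... sshd[PID]: Invalid user admin from 203.0.113.5
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2016):
    """Return (timestamp, source_ip, username) for a failed/invalid login
    line, or None for anything else (successful logins, unrelated daemons)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def find_credential_scanners(lines, window=timedelta(minutes=5), min_users=3):
    """Return {source_ip: sorted distinct default accounts tried} for every
    source that tried at least `min_users` different default accounts inside
    any `window`-long span. Repeated failures on one account are ignored:
    a single user retyping a password is not a credential scan."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user = parsed
        if user in DEFAULT_IOT_USERS:
            by_src[src].append((ts, user))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding window over time-ordered events from this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) >= min_users:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged


# Constructed sample: one scanner, one legitimate user with a typo, and one
# slow source that never reaches the threshold inside the window.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:01 gw1 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 12 03:14:03 gw1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Oct 12 03:14:04 gw1 sshd[2204]: Invalid user admin from 203.0.113.5
Oct 12 03:14:06 gw1 sshd[2206]: Failed password for invalid user support from 203.0.113.5 port 40144 ssh2
Oct 12 03:14:09 gw1 sshd[2209]: Failed password for invalid user guest from 203.0.113.5 port 40151 ssh2
Oct 12 03:20:30 gw1 sshd[2310]: Failed password for alice from 198.51.100.7 port 52001 ssh2
Oct 12 03:20:41 gw1 sshd[2312]: Failed password for alice from 198.51.100.7 port 52002 ssh2
Oct 12 03:21:00 gw1 sshd[2315]: Accepted password for alice from 198.51.100.7 port 52003 ssh2
Oct 12 04:02:10 gw1 sshd[2400]: Failed password for root from 192.0.2.44 port 61000 ssh2
Oct 12 05:15:55 gw1 sshd[2610]: Failed password for invalid user admin from 192.0.2.44 port 61010 ssh2
"""

if __name__ == "__main__":
    for src, users in find_credential_scanners(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{src}: default-credential scan, accounts tried: {', '.join(users)}")
```

Run as-is it reports only 203.0.113.5. The same window-and-distinct-accounts logic applies to telnet logins (Mirai's preferred target) if the device logs them; the regex is the only piece tied to sshd's format. A hit on a gateway's own management interface is the cue for the remediation the summary describes: reboot to evict the memory-resident malware, then change the default password and stop exposing the interface to the public internet, or the device will simply be re-infected.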

21 comments

  1. Chaotic Good by Anonymous Coward · · Score: 0

    I'm starting to wonder if the attack on Krebs was done specifically to force a response to secure these devices.

    1. Re:Chaotic Good by houstonbofh · · Score: 1

      It is disturbing how many devices have unchangeable root passwords... And that is getting fixed. And OSS firewalls are sure getting a bump!

  2. Cellular? by Z00L00K · · Score: 1

    Whenever I see the term Cell I think of a prison or something else you are locked into.

    Here we call it Mobile.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Cellular? by Anonymous Coward · · Score: 0

      Mobellular?

  3. More than I thought. by whoever57 · · Score: 3, Funny

    I did not realize that Toyota had sold enough Mirai fuel-cell cars to make a botnet.

    --
    The real "Libtards" are the Libertarians!

  4. DHS by 93 Escort Wagon · · Score: 1

    I remember when those letters stood for the Department of Human Services.

    Something actually useful, in other words.

    --
    #DeleteChrome

  5. There ought to be a law by dwheeler · · Score: 1

    We can't solve all problems with laws, but some laws could reduce the problem. Here are some ideas: http://www.dwheeler.com/essays...

    --
    - David A. Wheeler (see my Secure Programming HOWTO)

    1. Re:There ought to be a law by Anonymous Coward · · Score: 0

      I wonder how the encrypted traffic one would work, considering far from every device is in America.

  6. Can we brick them? by Gravis Zero · · Score: 1

    Yes, we can!

    --
    Anons need not reply. Questions end with a question mark.

  7. SATAN anyone? by Anonymous Coward · · Score: 0

    Or SAINT or Metasploit or whatever you want to call it. Seems like the poster-child use case, unless you fear a failed basic login attempt is going to cause more damage to other frail devices than the benefit of discovering your AirLink/Sierra Wireless device is crap with an open door.

  8. Use the provided locks by LeftCoastThinker · · Score: 1

    How is this even considered a hack? It is basically just scanning for default passwords. It's the equivalent of buying a house with the locks on all of the exterior doors removed after a foreclosure. The seller/bank provides you with new locks in a sack for you to install, but instead, you leave all the doors without locks... So anyone who tries the handle can come in. No one would wonder why they were robbed in that situation; the same is true of any connected electronic device. Change the admin username and password when you buy it or suffer the consequences.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like

    1. Re:Use the provided locks by sjames · · Score: 1

      Same reason it's still breaking and entering even if the door isn't locked.

    2. Re:Use the provided locks by LeftCoastThinker · · Score: 1

      There have been a number of cases, both with cars and homes, where the door is left wide open (which is equivalent). It cannot be charged as B&E as there is no lock involved. If the police do it, it is often thrown out as entrapment; if a private citizen does it, it may get charged as trespassing in the home or attempted theft in the car (assuming they didn't actually steal the vehicle, just got in it). If you have ever seen the show Bait Car, the cops always wait until the thief actually drives off in the car, as they can't get them on anything for just sitting in a car.

      I'm not saying taking control of some IoT devices with default passwords for the purpose of DDoS attacks is not a crime, just that they need to call it something else, like digital trespassing or something.

      --
      If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like

    3. Re:Use the provided locks by sjames · · Score: 1

      This may clarify.

  9. No Code? No security! by Anonymous Coward · · Score: 0

    If we can't examine the complete set of source code our devices run on, I can't begin to take you [whoever] seriously when you start talking about security. We've got backdoors and malware shipping in the proprietary components of devices across everything from desktop and laptop computers to cell phones, printers, and routers. All Android phones were shipping for years (and maybe still are) pre-infected; when security researchers started investigating industrial routers they discovered multiple backdoors built in; and we know that Intel/AMD have been compromising our security with bloated functionality that's almost certainly got a backdoor in it. They advertise remote control functionality and it's built into every modern desktop and laptop. The US government almost certainly has a gag order on the hidden backdoor functionality. China's known to be compromising home-grown laptops as well via keyboard controller firmware and an OS-level driver, and someone involved even openly, accidentally revealed this to an outsider after having thought they knew about it and were trying to avoid it.

  10. mobile overage charges? by Anonymous Coward · · Score: 0

    Maybe now some people will pay attention, once they get the $900 overage charges on their cell bill.

  11. Haha, your ATM is part of a botnet by Anonymous Coward · · Score: 1

    These gateways are very popular for ATM kiosks. Did you know that many of those machines still use unpatched XP and use older (hacked) secure transmission protocols?

    My advice is to never use those kiosks, only use an ATM that is in or is attached to a bank building.

  12. More honestly, it's a "tracker". by jbn-o · · Score: 1

    You're thinking correctly, in that it's right in line with why we commonly call liberating a device to run software the owner wants to run without the approval of the device's proprietor(s) "jailbreaking": a clear acknowledgement that the device shackles the user. The real harm comes from the inequity making the owner of the computer (typically the user) subservient to whatever proprietors are involved in making and selling the device. But the device's true purpose is spying on the user's movements and discussions, tracking and recording what the user does in real time.