The deplorable state of IoT security

October 20, 2016 — by Pascal Geenens


Following the public release of the Mirai bot code (you can read more about it here), security analysts fear a flood of online attacks from hackers. Mirai exhibits worm-like behavior: it spreads to unprotected devices and recruits them into massive botnets, leveraging factory default credentials and Telnet to brute-force and compromise unsuspecting users’ devices.

Soon after the original attacks, Flashpoint released a report identifying the primary manufacturer of the devices that use the default credentials ‘root’ and ‘xc3511’. In themselves, factory default credentials should not pose an enormous threat. Combined with services like Telnet or SSH enabled by default and a root password that cannot be changed, however, the device amounts to a Trojan with a secret backdoor, and that secret has now become public knowledge.

It is not unusual, given the economics of IoT devices and the pressure on margins, for IoT device manufacturers to source their hardware and software from upstream manufacturers. In the case of Mirai, Flashpoint identified such upstream manufacturers of white-labeled DVR, NVR and IP camera boards and software, used by countless downstream manufacturers in their own products.


Most, if not all, of the IoT devices targeted by Mirai run BusyBox, free software that provides stripped-down Unix tools in a single executable file. BusyBox runs in a variety of POSIX environments such as Linux, Android, and FreeBSD, making it an excellent and, above all, cheap (free) choice for command line interfaces on embedded devices with very limited resources.


Flashpoint’s research on the BusyBox-based software from upstream manufacturer XiongMai Technologies, located in Hangzhou, China, showed the default root password ‘xc3511’ to be hardcoded and unchangeable, neither through the web GUI nor from the command line. Moreover, the Telnet service is enabled by default and hardcoded into /etc/init.d/rcS (the primary boot startup script), which makes it difficult to disable. With both weaknesses combined, users are practically unable to mitigate the Mirai threat themselves.

During their investigations, Flashpoint identified an additional security issue on devices running XiongMai Technologies’ “CMS” or “NetSurveillance” software: a trivial web authentication bypass. Navigating directly to the /DVR.htm page grants access without a prior login on the /Login.htm page.
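As an added example (not code from this post, from Flashpoint or from XiongMai), here is a log-side detection for the bypass just described. It parses constructed Common Log Format lines, assumed to come from the device’s web server or a reverse proxy in front of it, and flags every client that fetched /DVR.htm without a recent successful POST to /Login.htm.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format) for a DVR web UI.
# Assumption: the device or a proxy in front of it logs in this format;
# IPs and timestamps are made up for illustration.
SAMPLE_LOG = """\
198.51.100.9 - - [21/Oct/2016:09:00:00 +0000] "POST /Login.htm HTTP/1.1" 302 0
10.0.0.5 - - [21/Oct/2016:10:00:01 +0000] "GET /Login.htm HTTP/1.1" 200 1532
10.0.0.5 - - [21/Oct/2016:10:00:04 +0000] "POST /Login.htm HTTP/1.1" 302 0
10.0.0.5 - - [21/Oct/2016:10:00:05 +0000] "GET /DVR.htm HTTP/1.1" 200 8891
203.0.113.7 - - [21/Oct/2016:10:02:17 +0000] "GET /DVR.htm HTTP/1.1" 200 8891
198.51.100.9 - - [21/Oct/2016:11:30:00 +0000] "GET /DVR.htm HTTP/1.1" 200 8891
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bypass(log_text, session_window=timedelta(minutes=30)):
    """Return (ip, timestamp) for each successful /DVR.htm hit that was not
    preceded by a successful POST to /Login.htm from the same client within
    session_window. A stale login (older than the window) is also flagged."""
    last_login = {}   # client IP -> timestamp of its last successful login
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/Login.htm") \
                and rec["status"] in (200, 302):
            last_login[rec["ip"]] = rec["ts"]
        elif rec["path"].startswith("/DVR.htm") and rec["status"] == 200:
            login_ts = last_login.get(rec["ip"])
            if login_ts is None or rec["ts"] - login_ts > session_window:
                hits.append((rec["ip"], rec["ts"]))
    return hits
```

Run over the sample, the function flags 203.0.113.7 (no login at all) and 198.51.100.9 (login two and a half hours earlier, outside the 30-minute window); widening the window to three hours clears the second client.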

Flashpoint filed both vulnerabilities as CVE-2016-1000245 and CVE-2016-1000246 respectively. Altogether, Flashpoint estimates that over 500,000 devices on public IPs around the world appear to be susceptible to the reported vulnerabilities.

Kudos to Flashpoint for uncovering and submitting the CVEs. Hopefully XiongMai will act on them and provide downstream manufacturers with instructions and code updates to remediate the weaknesses and mitigate the threat (the sooner the better). Unsuspecting users taking part in a botnet is one thing; having a device in your network that provides an easy attack vector and jump station for further compromising that network, and potentially breaching the confidentiality and privacy of the owner, is another…

Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.


Pascal Geenens

Recognized Cyber Security and Emerging Technology thought leader with 20+ years of experience in Information Technology. As the EMEA Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal became skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and led security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.

2 comments

  • Stravo Lukos

    October 21, 2016 at 2:18 pm

    Your readers aren’t all hackers and geeks. It is poor composition to require the reader to look up abbreviations and such (e.g. IoT, CVE, etc.). Some of us (admittedly) dinosaurs are trying to learn the cyberskills we need to stay current in a world that is escaping us rather quickly.

    If this is a blog for experts only, then please state that plainly. It is cumbersome for ordinary readers to have to go off the page to look up jargon. And yes, I’m a teacher.

    With pinkies out and nose in the air,
    Stravo
