The deplorable state of IoT security

October 20, 2016 — by Pascal Geenens2



The deplorable state of IoT security

October 20, 2016 — by Pascal Geenens2

Following the public release of the Mirai (You can read more about it here) bot code, security analysts fear for a flood of online attacks from hackers. Mirai exposes worm-like behavior that spreads to unprotected devices, recruiting them to form massive botnets, leveraging factory default credentials and telnet to brute and compromise unsuspecting user’s devices.

Soon after the original attacks, Flashpoint released a report identifying the primary manufacturer of the devices utilizing the default credentials ‘root’ and ‘xc3511’. In itself, factory default credentials should not pose an enormous threat, however combined with services like Telnet or SSH enabled by default and the root password being immutable, the device could be considered a Trojan with a secret backdoor, a secret that now has become public knowledge.

It is not unusual, given the economy of IoT devices and its pressure on margins, that IoT device manufacturers source their hardware and software from upstream manufacturers. In the case of Mirai, Flashpoint identified such upstream manufacturers for white-labeled DVR, NVR and IP Camera boards and software used by countless downstream manufacturers in their own products.

Smart city Internet of Things and Information Communication Technology

Most, if not all, of the IoT devices targeted by Mirai run the free software BusyBox that provides stripped-down Unix tools in a single executable file. BusyBox runs in a variety of POSIX environments such as Linux, Android, and FreeBSD providing an excellent and especially cheap (free) choice for command line interfaces on embedded devices with very limited resources.

[You might also like: BusyBox Botnet Mirai: The Warning We’ve All Been Waiting For?]

Flashpoint’s research on the BusyBox-based software from upstream manufacturer XiongMai Technologies, located in Hangzhou, China, showed the default root password ‘xc3511’ to be hardcoded and not able to be changed, not through the web GUI nor by the command line. Moreover, the telnet service is enabled by default and hardcoded into /etc/init.d/rcS (the primary boot startup script), which makes it difficult to disable. Both weaknesses combined, users are pretty much unable to mitigate the Mirai threat.

During their investigations, Flashpoint identified an additional security issue on devices running XiongMai Technologies “CMS” or “NetSurveillance” software. There is a trivial web authentication bypass by navigating directly to the /DVR.htm page without prior login on the /Login.htm page.

Flashpoint filed both vulnerabilities under CVE-2016-1000245 and CVE-2016-1000246 respectively. Altogether Flashpoint estimates over 500,000 devices on public IPs around the world to appear susceptible to the reported vulnerabilities.

Kudos to Flashpoint for uncovering and submitting the CVEs. Hopefully XiongMai will act on them providing downstream manufacturers with instructions and code updates to remediate the weaknesses and mitigate the threat (the sooner the better). Unsuspecting users taking part in a botnet is one thing, having a device in your network that provides an easy attack vector and jump station for further compromising that network and potentially breaching the confidentiality and privacy of the owner is another…

Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.

Download Now

Pascal Geenens

As Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today's security threat landscape for EMEA, Central and Latin America. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels, specializing in electronics with a finalization in parallel computing. Prior to Radware, Pascal gained experience working with the largest cloud providers as a consulting engineer for Juniper, as an independent consultant architecting sensor networks, automating and developing PLC systems as well as security infrastructure and software auditing. He was a regular presenter at IBM EMEA conferences for Perl and AIX kernel development.


  • Stravo Lukos

    October 21, 2016 at 2:18 pm

    Your readers aren’t all hackers and geeks. It is poor composition to require the reader to look up abbreviations and such (e.g. Io T, CVE, etc.) Some of us (admittedly) dinosaurs are trying to learn the cyberskills we need to stay current in a world that is escaping us rather quickly.

    If this is a blog for experts only, then please state that plainly. It is cumbersome for ordinary readers to have to go off the page to look up jargon. And yes, I’m a teacher.

    With pinkies out and nose in the air,


Leave a Reply

Your email address will not be published. Required fields are marked *