The Linux malware Mirai controls over half a million Internet-connected devices and uses them to attack various targets. Remarkably, it works in a completely trivial way: it simply guesses passwords.
The cameras are attacking. We already know this; the world media have written about it, because it is a genuinely serious problem. The botnet can generate a flood of over 1 Tbps, send over a million HTTP requests every second, and take down a large DNS service provider, and with it a large part of the important Internet services that depend on it. We knew this was possible, many warned about it, and now it has happened.
What is surprising is how simple it was. The attackers use malware called Mirai, which targets various "smart" devices, typically ones running BusyBox. It searches for them across the Internet, tries to break in, installs itself, and the device can then take part in a variety of attacks. The crucial point is that Mirai does not exploit any sophisticated software bug; it needs no Dirty COW or Heartbleed.
Mirai simply guesses default passwords. Since the source code has been released, we know exactly which passwords it tries, and above all that there are only 60 of them. Sixty! Such a small list, and still enough to take over half a million devices around the world.
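An infected camera does not attack its owner; it hunts for further victims by opening telnet connections to large numbers of random Internet addresses, so in a firewall or flow log of outbound SYNs it shows up as one LAN host touching many distinct destinations on the telnet port in a short time. The following detector, added here as an example and not code from the article or from any of the vendors it names, flags such hosts from log lines. The one-line-per-SYN log format, the sample data and the thresholds are constructed for the example; port 2323 is included because Mirai's published scanner probes it alongside 23.

```python
"""Spot LAN hosts that behave like Mirai scanners: many distinct telnet
destinations from one source within a short sliding window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}

# Constructed, simplified one-line-per-SYN firewall format, e.g.
# 2016-10-21T13:00:00Z fw: SYN src=192.168.1.20 dst=203.0.113.1 dport=23 proto=TCP
# Adapt LINE_RE to the syntax of your own firewall or NetFlow exporter.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z fw: SYN "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=TCP$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, window=timedelta(seconds=60), min_distinct=10):
    """Map every source that reached at least `min_distinct` distinct telnet
    destinations inside some `window`-long interval to the peak count it hit."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[3] in TELNET_PORTS:
            by_src[ev[1]].append((ev[0], ev[2]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the sliding window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # advance the left edge until the window spans at most `window`
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged


def constructed_sample_log():
    """Constructed sample data, not a real capture: one infected camera and one
    administrator workstation that legitimately uses telnet to two switches."""
    base = datetime(2016, 10, 21, 13, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%S}Z fw: SYN src={src} dst={dst} dport={dport} proto=TCP"
    lines = []
    # Infected camera: 15 distinct public addresses within 30 s, every tenth one on 2323.
    for i in range(15):
        lines.append(fmt.format(ts=base + timedelta(seconds=2 * i), src="192.168.1.20",
                                dst=f"203.0.113.{i + 1}", dport=2323 if i % 10 == 9 else 23))
    # Admin workstation: two telnet sessions minutes apart, plus ordinary HTTPS traffic.
    lines.append(fmt.format(ts=base + timedelta(seconds=5), src="192.168.1.10",
                            dst="192.168.1.30", dport=23))
    lines.append(fmt.format(ts=base + timedelta(minutes=3), src="192.168.1.10",
                            dst="192.168.1.31", dport=23))
    for i in range(20):
        lines.append(fmt.format(ts=base + timedelta(seconds=i), src="192.168.1.10",
                                dst=f"198.51.100.{i + 1}", dport=443))
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(constructed_sample_log()).items():
        print(f"{src}: {peak} distinct telnet destinations within 60 s, likely a Mirai scanner")
```

The threshold of ten distinct destinations per minute is deliberately low for a camera or DVR, which has no business opening outbound telnet sessions at all; tune it upward for hosts where administrators legitimately use telnet, or key the rule on device class rather than address.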
The affected devices probably span a whole range, from the cameras already mentioned, through routers (the ubnt password) to baby monitors and network storage. Most of them, however, fall into one common category, as the people at Flashpoint point out, and the default credentials for these devices are also well known. They turned out to be mainly products of Dahua Technology, which specializes in the production of IP cameras.
A number of devices from very diverse manufacturers have also been found which at first sight have nothing in common at all. It turned out, however, that these manufacturers use hardware and software from XiongMai Technologies, a Chinese company that supplies complete technology for building such devices, from cameras to video recorders.
The manufacturer then assembles its "own" product, flashes it with the supplied firmware and ships it straight to the shops. But XiongMai delivers leaky software that exposes the embedded computer to the whole world and allows it to be infected en masse. There is talk of half a million compromised devices.
The problem would not be so serious if the devices were not easily reachable from the Internet. But the supplied firmware leaves a telnet interface open through which the device can be controlled remotely. Telnet? Did you think it died a long time ago? Big mistake: in the world of embedded devices it is unfortunately still far too widespread.
To make matters worse: telnet is turned on by default, it cannot be turned off, and one can log in with a default password that cannot be changed! A paradise for every botnet operator.
And that is not all. The people at Flashpoint also discovered a way in the firmware to bypass authentication completely: instead of login.htm, you simply request DVR.htm. The Shodan search service, moreover, shows over half a million devices worldwide suffering from these flaws. And that is just one particularly careless manufacturer with bad firmware; estimates speak of millions of similarly leaky devices connected to the Internet.
Among the countries with the most vulnerable devices are Vietnam (80,000), Brazil (62,000), Turkey (40,000), Taiwan (29,000), China (22,000), South Korea (21,000), India (15,000) and the United Kingdom (14,000).
Flashpoint notes that Dahua devices form the majority, but devices running XiongMai firmware also make up a large share. The picture also depends on the country and on which products are sold there. Dahua may account for 65 percent of the attacking devices in the United States, but XiongMai is responsible for almost 70 percent of infected devices in countries such as Turkey or Vietnam, where most of the attack traffic comes from.
Using default passwords is like having no passwords at all. Users should therefore take more care when configuring devices of this kind, which are typically switched on once and then never looked at again. The real culprits, however, are the manufacturers, who keep making the same mistakes that were pointed out many years ago, to no avail.
The best solution is to have no default passwords at all. Ideally the device should ask the user for a password at first start and refuse to go any further, and accept no network login, until one has been set. Obviously this would not solve all the world's problems, but at least nobody could catch us with our trousers down.
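What that policy looks like in code, written out here as an added illustration rather than any vendor's firmware: the device ships with no credential, every login fails until the owner sets one at first start, factory-default and short passwords are refused, and telnet stays off unless the authenticated owner turns it on. The list of rejected defaults is a constructed illustration (the article names only the ubnt login), and the service names, minimum length and iteration count are assumptions for the example.

```python
"""First-boot credential model: no default password, nothing listens until one is set."""
import hashlib
import hmac
import os

# Constructed illustrative list of factory credentials the device must refuse.
# Only 'ubnt' is named in the article; the others are typical examples.
KNOWN_DEFAULTS = {
    ("root", ""), ("root", "root"), ("admin", "admin"),
    ("admin", "1234"), ("admin", "password"), ("ubnt", "ubnt"),
}
MIN_PASSWORD_LENGTH = 10   # assumed policy value
PBKDF2_ITERATIONS = 200_000


class DeviceAuth:
    """Credential store and service gate for one device."""

    def __init__(self):
        self._user = None
        self._salt = None
        self._hash = None
        self._telnet_enabled = False  # off by default, the opposite of the firmware above

    @property
    def provisioned(self):
        return self._hash is not None

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _acceptable(user, password):
        return (user, password) not in KNOWN_DEFAULTS and len(password) >= MIN_PASSWORD_LENGTH

    def set_initial_password(self, user, password):
        """Runs exactly once, at first start, before any remote login is possible."""
        if self.provisioned:
            raise PermissionError("already provisioned; authenticate and use change_password")
        if not self._acceptable(user, password):
            raise ValueError("factory-default or too short password rejected")
        self._user = user
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)

    def login(self, user, password):
        """Never succeeds on an unprovisioned device: there is no credential to match."""
        if not self.provisioned:
            return False
        candidate = self._derive(password, self._salt)
        # compare_digest keeps the comparison time independent of where bytes differ
        return user == self._user and hmac.compare_digest(candidate, self._hash)

    def change_password(self, user, old_password, new_password):
        if not self.login(user, old_password):
            return False
        if not self._acceptable(user, new_password):
            raise ValueError("factory-default or too short password rejected")
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password, self._salt)
        return True

    def enable_telnet(self, user, password):
        """Telnet is opt-in, and only after the owner has authenticated."""
        if not self.login(user, password):
            return False
        self._telnet_enabled = True
        return True

    def service_allowed(self, name):
        """Which network services may accept connections in the current state
        (service names are assumptions for this example)."""
        if not self.provisioned:
            return name == "setup"  # nothing else listens before first-boot setup
        if name == "telnet":
            return self._telnet_enabled
        return name in {"web", "rtsp"}
```

The two properties that matter are that an unprovisioned device answers only the setup step, so a scanner guessing credentials against a freshly unboxed unit gets nothing to guess at, and that the known-default list is enforced at the point where the owner chooses a password, so "admin/admin" cannot come back through the front door.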