In-brief: A common, China-based supplier of management software is the common thread that ties together the myriad digital video recorders, IP-based cameras and other devices that make up the Mirai botnet, according to analysis by the firm Flashpoint.
A common, China-based supplier of management software is the common thread that ties together the myriad digital video recorders, IP-based cameras and other devices that make up the Mirai botnet, according to analysis by the firm Flashpoint.
Weak, default credentials associated with software made by XiongMai Technologies was abused by cyber criminals to install the Mirai software on hundreds of thousands of DVR, NVR (network video recorder) and IP cameras globally, Flashpoint said in an analysis published on Friday. The credentials are written into the software used by over five-hundred thousand devices on public IPs around the world, meaning they cannot be changed and make the devices susceptible to trivial compromise, the firm said.
The Mirai botnet is one of a number of networks of compromised devices that launched crippling denial of service attacks against a number of organizations in Europe and North America. Among the more prominent targets were the French hosting firm OVH and Krebs On Security, an independent cyber security blog that often exposes the deeds of cyber criminals operating distributed denial of service (DDOS) scams. Those attacks were the largest denial of service attacks, measured by the volume of bogus Internet traffic used to cripple their targets. Attacks on Krebs on Security topped 600 Gigabits per second (Gbps) and discrete attacks on OVH tipped the scales at more than 700 Gbps.
According to the Flashpoint analysis, cyber criminals abused the default username and password combination for Xiongmai’s Netsurveillance and CMS software. Those credentials – a user name root and password xc3511 allow anyone to gain access to the administrative interface of the device running the software, typically using the Telnet protocol.
The use of default credentials is a common feature of many, different Internet-connected devices. Often device makers fail to prompt (let alone require) customers to update those credentials upon activating and configuring a new device, meaning the credentials are still in place after a device is deployed and Internet accessible.
In August, 2015, for example, DSL routers sold under the ASUS, DIGICOM, Observa Telecom and Philippine Long Distance Telephone (PLDT) brands were found to run firmware that contained a hard-coded password allowing an attacker who can remotely connect to the devices to log in with administrator credentials, according to Carnegie Mellon’s CERT.
But XiongMai complicates even that common problem: hard-coding the default credentials into the firmware, which prevents customers from ever-changing them. Further, the web interface is not aware that these credentials even exist – meaning they are invisible to administrators at customer sites. Adding insult to injury, the Telnet service is also hardcoded into the device’s primary startup script, making it difficult to edit or disable.
The issue with the XiongMai has been assigned a CVE number: CVE-2016-1000245 and is being registered with the Distributed Weakness Filing Project.
Finally, Flashpoint said that during its investigation it discovered another vulnerability affecting XiongMai’s software: an authentication bypass vulnerability that allows anyone with knowledge of the IP address of a device running the NetSurveillance or CMS software. The flaw allows anyone to forego logging in at all, presuming they know the URL of the management page. Any DVR, NVR or Camera running the web software “uc-httpd,” especially version 1.0.0 is potentially vulnerable to these “attacks,” though using the term “attack” to describe accessing an administrative interface that is, essentially, unprotected is a stretch.
The problems with the XiongMai devices underscores a general lack of security in the supply chain for devices that are currently being sold globally, said Jamison Utter of the firm Senr.io.
“Manufacturers really have no guidance on what is good or bad or what they should be doing. It might seem obvious to us that you don’t build devices with unchangeable default administrator account names and passwords, but from their standpoint, there’s no checklist or guidance on what industry best practices are.”
He notes that guides like the recently published Cloud Security Alliance guidance on developing secure IoT products or similar guidance from OWASP are well-intentioned, but rarely reach the right audience.
That leaves it to consumers of the products to address security issues that may lurk deep in hardware and software components from the device maker’s suppliers. Behavioral analysis and micro segmentation of networks, which greatly constrain device behavior, may be short-term solutions to prevent the worse outcomes for now, Utter said.