Last month, the first recorded 1-Terabyte Distributed Denial of Service (DDoS) attack was recorded. The attack involved a massive botnet called Mirai, which consisted of hundreds of thousands of IoT devices, mostly security cameras and DVRs.
The rapid growth of the Mirai botnet has occurred due to a lack of security controls in a range of IoT devices. Many Internet enabled devices contain default usernames and passwords which can be easily guessed. Scans are performed for vulnerable devices and default passwords are used to access the devices and add them to the botnet.
According to security researcher Brian Krebs, whose website was taken down as a result of a massive DDoS attack of 600 gigabits per second last month, the source code of the Mirai botnet includes 68 pairs of default usernames and passwords. Those credentials can be used to attack the devices made by dozens of manufacturers.
While the exploited vulnerabilities have not been linked to a single device manufacturer, Zachary Wikholm, a researcher from Flashpoint, discovered a link between the compromised devices and a Chinese technology firm. Hangzhou-based XiongMai Technologies (XM) makes white-label boards and software for VR, NVR and IP Cameras.
Wikholm found that “a very large percentage” of compromised IoT devices used in the latest mega DDoS attacks contained flawed XM code. There are more than half a million vulnerable devices, many of which have been added to the Mirai botnet.
The use of default credentials is not a problem in itself; however, if default credentials are used for devices that connect to the Internet it leaves them vulnerable to attack. As Wikholm explained, “When combined with other defaults, such as web interfaces or a remote login services like Telnet or SSH, default credentials may pose a great risk to a device.”
Wikholm discovered that a flaw in the XM web app made the devices ridiculously easy to attack. While the XM’s NetSurveillance portal requires a username and a password to be entered, it was possible to bypass the security controls by using the IP address of the targeted device and adding “DVR.htm” to the end. This enables anyone with an Internet connection to take control of one of the security cameras or DVRs containing the vulnerability.
Unfortunately, correcting the vulnerability is not an easy task. While it would be possible to change the passwords to make them less easy to guess, the Telnet login credentials are hard-coded. That means a firmware upgrade is required to resolve the issue. The upgrade would need to be performed on all XM devices, including those of the company’s partners. That process could take a considerable amount of time.
Until that happens, it is unlikely that the size of the Mirai botnet cannot be significantly reduced, which means that further massive DDoS attacks are likely to occur.