The deplorable state of IoT security
Following the public release of the Mirai bot code (you can read more about it here), security analysts fear a flood of online attacks from hackers. Mirai exhibits worm-like behavior: it spreads to unprotected devices and recruits them into massive botnets, leveraging factory default credentials and Telnet to brute-force and compromise unsuspecting users’ devices.
Soon after the original attacks, Flashpoint released a report identifying the primary manufacturer of the devices utilizing the default credentials ‘root’ and ‘xc3511’. In itself, a factory default credential should not pose an enormous threat; however, combined with services like Telnet or SSH enabled by default and a root password that cannot be changed, the device could be considered a Trojan with a secret backdoor, a secret that has now become public knowledge.
It is not unusual, given the economics of IoT devices and the pressure they put on margins, that IoT device manufacturers source their hardware and software from upstream manufacturers. In the case of Mirai, Flashpoint identified such upstream manufacturers for white-labeled DVR, NVR and IP camera boards and software used by countless downstream manufacturers in their own products.
Most, if not all, of the IoT devices targeted by Mirai run BusyBox, free software that provides stripped-down Unix tools in a single executable file. BusyBox runs in a variety of POSIX environments such as Linux, Android, and FreeBSD, making it an excellent and especially cheap (free) choice for command line interfaces on embedded devices with very limited resources.
Flashpoint’s research on the BusyBox-based software from upstream manufacturer XiongMai Technologies, located in Hangzhou, China, showed the default root password ‘xc3511’ to be hardcoded and unchangeable, neither through the web GUI nor from the command line. Moreover, the Telnet service is enabled by default and hardcoded into /etc/init.d/rcS (the primary boot startup script), which makes it difficult to disable. With both weaknesses combined, users are essentially unable to mitigate the Mirai threat.
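For a defender or downstream manufacturer auditing a firmware image, the two weaknesses above can be checked directly in the extracted root filesystem: a login daemon launched unconditionally from rcS, and a uid-0 account carrying a usable password hash. The following is an added example and is not Flashpoint’s or XiongMai’s code; the rcS and passwd contents are constructed samples, and the root hash is a placeholder, not the real one.

```python
import re

# Constructed sample of a BusyBox-style startup script (not real XiongMai content).
SAMPLE_RCS = """#!/bin/sh
mount -a
/sbin/ifconfig eth0 up
telnetd &
/usr/bin/Sofia &
"""

# Constructed /etc/passwd; the root hash is a placeholder, not a real one.
SAMPLE_PASSWD = """root:PLACEHOLDER_HASH:0:0:root:/:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""

# Login daemons that should never be started unconditionally at boot.
DAEMON_RE = re.compile(r"^\s*(?:/[\w/.-]*/)?(telnetd|dropbear|sshd)\b", re.M)

def find_network_daemons(rcs_text):
    """Return the names of login daemons launched from the startup script."""
    return sorted({m.group(1) for m in DAEMON_RE.finditer(rcs_text)})

def accounts_with_password(passwd_text):
    """Return (name, uid) for accounts whose passwd entry holds a usable hash.
    'x' means the hash lives in /etc/shadow; '*', '!' and empty mean locked."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, hash_field, uid = fields[0], fields[1], fields[2]
        if hash_field not in ("", "x", "*") and not hash_field.startswith("!"):
            found.append((name, int(uid)))
    return found

def audit(rcs_text, passwd_text):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{d} started at boot from rcS" for d in find_network_daemons(rcs_text)]
    for name, uid in accounts_with_password(passwd_text):
        if uid == 0:
            findings.append(f"uid-0 account '{name}' has a password hash in /etc/passwd")
    return findings

def disable_daemon(rcs_text, daemon):
    """Comment out the daemon's launch line: the fix a vendor update should ship."""
    pattern = rf"^(\s*(?:/[\w/.-]*/)?{daemon}\b.*)$"
    return re.sub(pattern, r"# \1", rcs_text, flags=re.M)
```

Running audit(SAMPLE_RCS, SAMPLE_PASSWD) on the constructed sample reports both weaknesses, and disable_daemon(SAMPLE_RCS, "telnetd") yields a script the daemon check no longer flags.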
During their investigations, Flashpoint identified an additional security issue on devices running XiongMai Technologies’ “CMS” or “NetSurveillance” software: a trivial web authentication bypass, reached by navigating directly to the /DVR.htm page without first logging in on the /Login.htm page.
Flashpoint filed both vulnerabilities as CVE-2016-1000245 and CVE-2016-1000246 respectively. Altogether, Flashpoint estimates that over 500,000 devices on public IPs around the world appear susceptible to the reported vulnerabilities.
Kudos to Flashpoint for uncovering and submitting the CVEs. Hopefully XiongMai will act on them, providing downstream manufacturers with instructions and code updates to remediate the weaknesses and mitigate the threat (the sooner the better). Unsuspecting users taking part in a botnet is one thing; having a device in your network that provides an easy attack vector and jump station for further compromising that network, and potentially breaching the confidentiality and privacy of the owner, is another…