The Hunt for IoT: So Easy To Compromise, Children Are Doing It
- by nlqip
Poor security is another clue that young novices are operating botnets. The Owari authors left their command and control (C&C) MySQL database wide open (port 3306), “protected” with both the username and password of “root.” Control of IoT devices is a highly competitive market, where rivals commonly DDoS each other. In one case, a competing attacker took over 29 IoT bots that were offering DDoS-for-hire services by brute forcing weak usernames and passwords—the very same method attackers use to compromise IoT devices from which they launch the DDoS attacks. It’s a novice mistake not to protect yourself from the very attacks you launch.
One 13-year-old bragged about building several IoT bots, expressing little concern about prosecution. He’s right; it’s unlikely he’ll get caught, and if he did, the resulting hacker celebrity almost guarantees a high paying cybersecurity job down the road. Even if the risk of indictment were high, the types of sentences handed out to cyber criminals (over the age of 18) is so laughable, it’s not a deterrent. The Mirai authors were prosecuted in both Alaska and New Jersey. In both cases, they were handed out 2,500 hours of “community service,” defined in the sentencing memorandum as “continued work with the FBI on cybercrime and cybersecurity matters.” In Alaska, they received no jail time, 5 years’ probation, and $127,000 in fines. In New Jersey, they were sentenced to 6 months house arrest, and $8.6 million in fines (based on Rutgers incident response costs from their DDoS attacks). The prosecutors in the Alaska case actually argued favorably for one of the defendants, stating that jail would “disrupt a remarkable transformation,” considering he had turned over a new leaf, was attending school again, and had landed a new job at a cybersecurity company.
APTs and Nation States
On the other hand, it is clear that some sophisticated and well-resourced threat actors and nation-states are building IoT thingbots, as well. There is ample motive for it; why not control a bunch of IP cameras, surveillance systems, and wearables that give you visibility and access to targets of interest? This has also created a niche business opportunity for companies that specialize in crafting zero-day exploits, as government spy agencies have now added the compromise of IoT to their offerings. In the case of Jamal Khashoggi, the top advisor to Saudi Arabia’s Crown Prince contracted with an Israeli company called the NSO Group to use its surveillance tools throughout the Middle East and Europe. It was through this relationship that they were able to determine Mr. Khashoggi’s whereabouts, which led to his assassination. This same group is allegedly behind the WhatsApp remote spyware that is being used by governments to track journalists, activists, and human rights workers around the world.
China has widely deployed surveillance systems to control their population. They are tracking their Muslim population, sending jaywalking tickets in the mail, and feeding a social scoring system that impacts credit scores and a citizen’s ability to travel. One could argue this entire system is a nation-state spy-bot.
Building a ThingBot
How easy is it? Well if 13-year-olds can do it, the bar is set too low!
Go Get Some Code
Getting some open-source thingbot code is really, really, easy. A simple Google, Pastebin, or Github search will do it. We found 178 references to Mirai source code while searching in Pastebin, which led to many tutorials with step-by-step instructions and chat servers offering technical support.
Default Credentials
IoT devices commonly use SSH or Telnet for remote administration, protected by vendor default credentials. It’s very easy to find vendor default credentials. Not only are there lots of published lists (we’ve been publishing the top 100 attacked SSH credentials for the past 2.5 years), but Google searches of a vendors’ name and “port forward” typically leads you to deployment guides that provide the vendors’ default credentials, and which port to find them on. The screenshot below is from Dahua, a popular NVR manufacturers’ wiki describing how to set up remote access.
Source link
lol
Poor security is another clue that young novices are operating botnets. The Owari authors left their command and control (C&C) MySQL database wide open (port 3306), “protected” with both the username and password of “root.” Control of IoT devices is a highly competitive market, where rivals commonly DDoS each other. In one case, a competing…
Recent Posts
- The complexities of cyberattack attribution – Week in security with Tony Anscombe
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability
- HACKING 101 Humble Bundle — Between The Hacks
- The U.S. IoT Cybersecurity Improvement Act Becomes Law — Between The Hacks
- BTH News 13December2020 — Between The Hacks