The Mirai Botnet and My Old Advice

Security expert and writer Brian Krebs was the victim of a distributed denial of service attack that used the Mirai botnet. His site discusses the source code used on the compromised computers. Others have provided analysis of the code. The software is used to infect Internet of Things or IoT devices. Examples include webcams, DVRs, and other connected devices that don’t have obvious computer interfaces.


The malware accesses victim devices through services such as telnet that often have default passwords, and in many cases those passwords cannot be changed. I guess the manufacturers are neither reading this blog nor taking Learning Tree’s System and Network Security Introduction. Both are routine topics on this blog and in the course.

I have written about default passwords here repeatedly. My frequent suggestion is to change them immediately. Unfortunately, it appears that isn’t always an option. Some manufacturers have hard-coded the passwords into the devices to simplify configuration and make the devices easier to install and use. That’s a tradeoff we often see in cyber security: ease of use vs. security.

[I had planned on posting a link to the list of passwords Mirai used to compromise its targets, but one reported pair – actually in use or not – contains inappropriate language, so it is left as an exercise for the interested reader to search out the list.] Interestingly, in the list of passwords checked, there are passwords matching usernames, empty passwords, and passwords from lists of commonly discovered ones (e.g. ‘12345’ and ‘password’).

I have no idea about the success rate of the passwords tried by the software. Some may be defaults, and some may be user-set – there is no way to tell.

Most of the compromised IoT devices seem to have been webcams. That’s not necessarily because webcams are the easiest devices to attack, but rather because they are often exposed directly to the Internet without the protection of a firewall. We are back to the security vs. convenience tradeoff. Multiple websites link to unsecured webcams. Insecam is a popular one. I’m not one to spend time watching webcams at laundromats or windmills, but people like to watch pubs and such. Insecam does not include home cams or classroom cams, but some other sites do. I can understand making the camera of a spinning windmill open access, but not one of a child’s room. And those that are open to watching (and some that are not) probably have unsecured access that could be compromised by malware such as Mirai.

Some lessons from the Mirai DDoS on KrebsOnSecurity:

  1. Don’t use default passwords, particularly for devices directly connected to the Internet.
  2. Manufacturers – don’t create devices with unchangeable passwords.
  3. Manufacturers – try to encourage (or force) users to change IoT passwords.
  4. Put devices behind firewalls or at least behind NAT. Similarly, don’t open direct “holes” in firewalls for those devices.
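As an added example (not part of the original post), here is a small inventory audit that applies the lessons above: it flags the credential patterns Mirai checked for (password equal to the username, empty password, commonly discovered passwords), hard-coded passwords, and devices exposed directly to the Internet, then singles out the devices that are both exposed and weakly protected. The device list and the short common-password set are constructed for the demonstration.

```python
"""Audit a constructed IoT inventory for the weaknesses described in the post."""
from dataclasses import dataclass

# Short constructed sample of commonly discovered passwords (the post cites '12345' and 'password').
COMMON_PASSWORDS = {"12345", "password", "123456", "admin"}


@dataclass
class Device:
    name: str
    username: str
    password: str
    exposed_services: set          # services reachable from the Internet, e.g. {"telnet"}
    password_changeable: bool = True


def credential_findings(username, password):
    """Return the weak-credential patterns the post describes for one username/password pair."""
    findings = []
    if password == "":
        findings.append("empty-password")
    if password and password == username:
        findings.append("password-matches-username")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common-password")
    return findings


def audit(devices):
    """Map each device with at least one finding to its list of findings."""
    report = {}
    for d in devices:
        findings = credential_findings(d.username, d.password)
        if not d.password_changeable:
            findings.append("hard-coded-password")      # lesson 2: nothing the user can fix
        if d.exposed_services:
            findings.append("internet-exposed:" + ",".join(sorted(d.exposed_services)))
        if findings:
            report[d.name] = findings
    return report


def most_urgent(report):
    """Devices that are both Internet-exposed and weakly protected (lessons 1 and 4 combined)."""
    return sorted(name for name, f in report.items()
                  if any(x.startswith("internet-exposed") for x in f) and len(f) > 1)


# Constructed inventory: two exposed devices with weak credentials, one properly placed behind NAT.
INVENTORY = [
    Device("lobby-webcam", "admin", "admin", {"telnet"}),
    Device("dvr-1", "root", "", {"telnet", "http"}, password_changeable=False),
    Device("office-cam", "operator", "Kq8!v2r#Lm", set()),
]
```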

You can probably think of more. If you do, please share them with me on Twitter: @jjmcdermott.

To your safe computing,
John McDermott
