Attack of the Killer Cameras
By now, you will be aware that the Internet of Things is a thing and that it is an ever-growing network made up of disastrously insecure appliances, vehicles, cameras, and other devices connected to the Internet. What you may not be aware of is that this shadow network is now being used as a weapon to attack web sites with DDoS floods with some of the highest volumes ever seen.
These attacks are coming courtesy of a large, but poorly defined, botnet of devices infected with the Mirai malware. So far there have been at least two high-profile attacks attributed to this botnet, one of which knocked Brian Krebs’s news site offline, while the other targeted OVH, a hosting provider. The volume of traffic in these attacks is staggering; Krebs’ site was hit with a peak flood of 620 Gbps, and OVH saw as much as 1.1 Tbps. But aside from the sheer size of the attacks, what’s really generating interest in Mirai’s activities is the fact that the botnet comprises Internet of Things devices rather than desktops PCs or servers.
The Mirai malware is somewhat similar to other types of malware used to assemble botnets, with the main difference being that it specifically targets devices running Telnet and BusyBox, a set of embedded Linux tools.
“Mirai propagates by bruteforcing Telnet servers with a list of 62 horribly insecure default passwords, starting with the infamous admin:admin. Although Mirai could technically infect any box upon successful login, it uses a BusyBox specific command which causes the infection to fail if BusyBox is not present. Once inside a box, the malware will attempt to kill and block anything running on ports 22, 23, and 80, essentially locking out the user from their own device and preventing infection by other malware,” an analysis by the folks at MalwareTech says.
The size of the botnet is somewhat in dispute, with some estimates putting it at 1.5 million devices, while others say it’s less than 10 percent of that number. But the number of devices isn’t all that important, honestly. If the Mirai botnet isn’t 1.5 million devices strong, just wait a few weeks and it, or another one, will be. It’s impossible to know exactly how many new IoT devices are connected to the Internet every day, but it likely falls somewhere between Oh Come On and Aw Hell No. What’s easy to know is how many of those devices are insecure: virtually all of them.
The manufacturers building these devices and rushing them onto shelves are paying little or no attention to security, and why should they? History has shown them that most consumers don’t care all that much about security and don’t want to pay more for it, so it’s not really worth the time and expense to add defensive measures to their IoT devices. People just want their refrigerators to send emails without all the hassle of authentication.
And so what you get is the situation we’re in now, with attackers expending minimal effort – default Telnet passwords! – to build a botnet of compromised IoT devices and pointing it at whatever target they choose. And what kind of devices are in the Mirai botnet?
“From fingerprinting some of the devices we were able to determine what type of software they were running and came to the same conclusion as everyone else: that the botnet is made up mostly of CCTV cameras running Dahua firmware or a generic management interface called “NETSurveillance”. In a lot of cases the camera login panels or RTSP (Real Time Streaming Protocol) feeds were exposed to the internet and could likely be remotely viewed using the same default passwords as were used by Mirai to infect the device,” MalwareTech’s analysis found.
Cameras. Cameras are now rising up and attacking us. This is where we are at the apex of human evolution and technological development. We’ve built devices that are being turned against us in huge numbers. And we’re only at the beginning of this story. If you’ve seen any sci-fi movie in the last 40 years, you know how this ends. Spoiler alert: The machines win.