Home Automation and Cryptography Expert on DDoS Attack: Don’t Blame IoT – CEPro
The widespread Internet outage last week has been traced to the infection of some 500,000 IP cameras and DVRs made by a single company in China – Hangzhou Xiongmai Technology – that shipped devices with weak default passwords.
But don’t indict the entire category of smart-home devices and the Internet of Things, says Will Price, founder of the home automation developer Simple Control (Roomie Remote) and an expert cryptographer who co-founded PGP, the company behind the most widely used email encryption software in the world (ultimately acquired by Symantec).
“A popular meme is that this [DDoS attack] is related to the ‘Internet of Things,’ but that’s just a marketing buzzword,” Price tells CE Pro. “Very specific network camera DVRs and camera firmware was involved in this particular attack. The budding Internet of Things has no more to do with this than the advent of the Internet caused Windows XP security problems. It is the vendors releasing products not properly secured that are at fault.”
In this case, a botnet scoured the Internet for easy targets, trying 68 combinations of user names and passwords, such as “admin” and “12345,” depositing “Mirai” malware on vulnerable devices and then commanding the devices to flood the Web.
The hackers have released the source code used in the attack, so copycat crimes are inevitable.
“This is an infrastructure attack,” Price notes. “Regular users are not threatened by this.”
Even so, the disruption was a stark reminder to consumers that factory-set passwords need to be changed for all connected devices and a wake-up call to manufacturers to quit enabling hackable credentials.
How to Find Default Passwords: Online User Manuals
Security expert Brian Krebs of the eponymous site performed a quick online review of devices with pre-set usernames and passwords, simply by looking for the information in the manufacturers’ installation guides.
His list of potentially vulnerable devices includes a Samsung Camera (admin/1111111), Ubiquiti AirOS Router (ubnt/ubnt), Axis IP cameras (root/pass), Panasonic printer (root/00000000) and numerous cameras and DVRs from Dahua, HiSilicon and others.
Price suggests, “Information on patching or even disconnecting vulnerable devices by specific models from the Internet needs to be more available – the equivalent of the airlines now announcing on every flight that Galaxy Note 7 devices are not allowed.”
Manufacturers should be publicly flogged for shipping smart devices with dumb defaults – or something like that.
“Vendors that continue to release products unpatched and vulnerable to these kinds of issues must be named and openly identified (usually end users have no idea this is even happening on their network) and for repeat offenders, shamed,” Price says.
Thwarting DDoS and other network attacks should be a national priority, he adds.
“DDoS is the primary attack mechanism in use today and defending against it requires nation-level oversight over routing and automatic DDoS detection and defense,” according to Price. “This infrastructure does not exist today so each of these events requires effectively a one-off solution.”
As it happens, the attack coincides with the U.S. government’s surrender of the Domain Name System (DNS) to an international body, ICANN. The target of the attack was Dyn, a major DNS provider.
“The U.S. is now in a much more precarious position than it was previously relative to DNS attacks,” Price says.
He warns that this most recent attack was just a practice run, like the test fire of a missile – “a warning that we need to get our infrastructure in place to defend in the future against significantly improved versions of this attack.”
In the meantime, change those usernames and passwords, people.