The Internet of Things (IoT)-based botnet that recently made headlines appears to have taken advantage of a default password in one company's embedded management software — a password users can't change, according to a blog posting today by security firm Flashpoint.
The vulnerability appears to apply to more than 500,000 devices around the world that are using public IP addresses.
The botnet, named Mirai, was used to conduct distributed denial-of-service (DDoS) attacks on the KrebsOnSecurity website and the hosting provider OVH last month. About a week ago, someone claiming to be the perpetrator published the code for the botnet, possibly as a safeguard against getting caught. (If the code is available to everyone, then ownership of the code isn't necessarily incriminating.)
The attacks came mostly from Internet-connected video devices such as surveillance cameras. Flashpoint dug a little deeper and found that a common thread among many of the devices was the use of management software from Hangzhou Xiongmai Technology Co. in China.
Flashpoint is not accusing Xiongmai of anything malicious, nor was Xiongmai necessarily any more careless than countless other embedded-software vendors. The problem of default passwords pervades industries whose devices didn't used to have Internet connections — medical equipment comes to mind. Note also that devices other than Xiongmai's participated in the attack; Mirai is programmed to go on the prowl for easily-accessed IoT devices to add to its armada.
Here's the fun part: Changing the passwords on IoT devices won't necessarily solve the problem. Users can change the password that's used for accessing the device from the web, but devices often have a separate login to grant administrators access through common protocols such as SSH and Telnet. These credentials are sometimes factory-installed and not changeable by the user.
This appears to be the case with the Xiongmai-based devices. "The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist," writes Flashpoint researcher Zach Wikholm in the company's blog entry.