The release of the Mirai source code demonstrates just how easy it has become to hijack poorly-protected Internet of Things devices into botnets.
Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.
What can you, as an individual, do about this at home or in the office to make sure you're not contributing to the problem?
Well, you can make sure that your IoT devices aren’t “protected” by dumb default usernames and passwords, such as the following which are hardcoded into Mirai’s source code:
As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:
XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.
The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.
To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.
Not changing a default username and password on an internet-enabled device is as good as having no password at all.
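To check your own devices for exactly this combination, a telnet service that answers and a shipped login that still works, here is an added Python audit script. It is my example, not code from the original article and not Mirai's scanner. It tries a constructed sample of weak credential pairs (illustrative only, not the list from Mirai's source) against a host and reports which ones reach a shell prompt. The in-process fake device, which accepts one hardcoded login and sends a telnet ECHO negotiation like a real daemon, stands in for a vulnerable DVR so the script can be run offline; point `audit_device` at a real address only for devices you own.

```python
import socket
import threading

# Constructed sample of weak default logins to try against devices you OWN.
# Illustrative only; this is not the credential list from Mirai's source code.
DEFAULT_CREDENTIALS = [
    ("admin", "password"),
    ("root", "root"),
    ("admin", "admin"),
]

IAC = 255                             # telnet "Interpret As Command" byte
OPTION_VERBS = (251, 252, 253, 254)   # WILL, WONT, DO, DONT: 3-byte sequences
FAILURE_WORDS = (b"incorrect", b"failed", b"denied")
PROMPTS = (b"# ", b"$ ")              # typical BusyBox shell prompts on embedded devices


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences so only the printable login dialogue remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            i += 3 if data[i + 1] in OPTION_VERBS else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def read_until(sock: socket.socket, markers, timeout: float = 3.0) -> bytes:
    """Read until any marker (compared case-insensitively) appears, the peer
    closes, or the timeout elapses. Returns the text with negotiation stripped."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not any(m in buf.lower() for m in markers):
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += strip_telnet_negotiation(chunk)
    except socket.timeout:
        pass
    return buf


def telnet_login_works(host: str, port: int, username: str, password: str) -> bool:
    """One login attempt. True only if a shell prompt appears and no failure message does."""
    try:
        with socket.create_connection((host, port), timeout=3.0) as sock:
            read_until(sock, (b"login:",))
            sock.sendall(username.encode() + b"\r\n")
            read_until(sock, (b"password:",))
            sock.sendall(password.encode() + b"\r\n")
            reply = read_until(sock, PROMPTS + FAILURE_WORDS).lower()
    except OSError:
        return False  # no telnet service, or the connection was refused/reset
    return any(p in reply for p in PROMPTS) and not any(f in reply for f in FAILURE_WORDS)


def audit_device(host: str, port: int = 23, credentials=DEFAULT_CREDENTIALS):
    """Return the (username, password) pairs that log in to host:port."""
    return [(u, p) for u, p in credentials if telnet_login_works(host, port, u, p)]


def start_fake_vulnerable_device(accepted=("admin", "password")) -> int:
    """Constructed stand-in for a device with a baked-in telnet login. Listens on
    127.0.0.1 and returns the chosen port so the audit can be demonstrated offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def recv_line(conn):
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(1)
            if not chunk:
                break
            buf += chunk
        return buf.strip().decode(errors="replace")

    def handle(conn):
        with conn:
            conn.sendall(bytes([IAC, 251, 1]) + b"\r\nlogin: ")  # IAC WILL ECHO, as real daemons send
            user = recv_line(conn)
            conn.sendall(b"Password: ")
            if (user, recv_line(conn)) == tuple(accepted):
                conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_vulnerable_device()
    print("weak logins accepted:", audit_device("127.0.0.1", port))
```

The decision rule is deliberately conservative: a pair counts as working only when the device drops to a shell prompt and no failure string appears, so a banner that merely echoes the credentials is not reported. If a device does answer with a shell on one of these pairs and offers no way to change or disable that login, the fix is to keep it off the internet, not to keep the device.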
Be a responsible member of the community: change your passwords to something non-obvious, hard to crack, unique, and different from the one the device shipped with. If a device gives you no way to change or disable its built-in login, keep it off the internet. And don't buy technology from firms that don't appear to have given a second's thought to security.
Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.
But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.