The Mirai worm has compromised thousands of IoT devices that were subsequently used in several recent, massive DDoS attacks, including one against the web site of Brian Krebs, well-known security researcher and blogger.
In an appropriately lengthy post, Krebs describes the process by which he tracked down the identity of the author of the Mirai worm. It’s a fascinating read.
Krebs has published the results of similar investigations in the past, which is why he’s become a target for DDoS attacks, swatting, and other despicable acts. It remains to be seen whether he will be the target of any new attacks in the wake of his Mirai investigation.
I applaud Krebs’ persistence and dedication in the face of these attacks. Here’s hoping he keeps fighting the good fight, for the benefit of Internet users everywhere.
A new version of alternative web browser Vivaldi fixes a load of bugs, improves reader mode, and adds the ability to control home lighting.
Wait, what? Home lighting control? That’s right, Vivaldi 1.5 sports a feature that’s unlikely to have been on anyone’s wish list for their web browser. From the announcement: “Selecting which lights Vivaldi should control, the browser will synchronize your physical surroundings with the color of the web. This opens the door to a thrilling direction.” Apparently the Vivaldi developers are oblivious to the many serious security issues related to IoT devices, including the Philips Hue light bulbs on which this feature depends.
More usefully, Vivaldi 1.5 makes big improvements to tab and bookmark functionality, which in previous versions were at least partially broken in various random ways. Version 1.5 seems to have addressed all of the remaining tab and bookmark issues.
Vivaldi 1.5 also includes changes to its update mechanism, and will now only download changes (not the entire browser) when updating itself. Presumably the Vivaldi developers noticed Microsoft was doing this for Windows 10 and decided to follow along. It’s a welcome change, but not exactly groundbreaking.
The official announcement post for Vivaldi 1.5 includes a list of all the changes. None of them seem to be related to security.
If you use Twitter, reddit, Amazon, Tumblr, Spotify or Netflix, you may have noticed that they were slower than usual for parts of yesterday. That’s because the affected sites and services use Dyn, a DNS service provider, and Dyn was hit by two huge DDoS attacks yesterday.
The attacks lasted for a few hours, and while they certainly affected a lot of people, they were no more than an inconvenience for most. Still, the surge in the number and size of these attacks is troubling.
Analysis of the attacks shows that they were made possible by the Mirai botnet, which uses a huge network of poorly-secured (and now compromised) DVRs and security cameras. Those are the same devices used in the recent krebsonsecurity.com and OVH DDoS attacks. The source code for Mirai was released to the public recently, which means just about anyone could have caused the Dyn attacks.
Brian Krebs has more.
Update 2016Oct24: Dyn has released a statement about the attack on their systems, in which they clarify the timeline, and confirm that the Mirai botnet was involved. Meanwhile, security expert Bruce Schneier doesn’t believe that the recent attacks were perpetrated by a state actor such as China. He also doesn’t think they were related to the probing attacks he reported earlier. But he is concerned that the attacks will continue to grow in size and frequency, because nobody involved is motivated to fix the problem.
Chinese device maker Hangzhou Xiongmai has issued a recall for several of its webcam models that were used in the attacks. However, they are only one company out of hundreds (maybe thousands?) of companies producing poorly-secured IoT devices.
Update 2016Oct25: According to Brian Krebs, Xiongmai has also made vague legal threats against anyone issuing ‘false statements’ about the company. This is presumably part of a PR effort to improve the company’s image in the wake of the attacks, but it’s hard to see how this will help anyone. The company’s main objections apparently relate to statements by Brian Krebs and others about users’ ability to change passwords. Testing has shown that back-door, unchangeable passwords exist on some of the affected devices.
At this point it’s clear that thousands of poorly-secured IoT devices were used in the recent large-scale DDoS attacks against krebsonsecurity.com and OVH. Ongoing analysis points to devices manufactured by a Chinese company called XiongMai Technologies, which makes generic Digital Video Recorder (DVR) and Internet camera devices that are sold to vendors who use them in their own products.
Chinese vendor Dahua sells products that use these vulnerable devices. Dahua products appear several times in the list of affected devices published by Brian Krebs, and Flashpoint Intel also identifies Dahua devices as being involved.
Companies like XiongMai Technologies and Dahua share the blame for flooding the Internet with these easily-co-opted devices. XiongMai Technologies created devices that are inherently insecure and unsuitable for direct connection to the Internet. Dahua either failed to comprehend the danger, or chose to ignore it, producing deeply flawed consumer devices and – as Brian Krebs puts it – dumping toxic waste onto the Internet. These devices are spread around the globe, most to be plugged in and forgotten for years, ready to be abused by whoever can find them. Some of these devices can’t actually be fixed, since their vulnerabilities exist in firmware that can’t be updated.
Dahua’s response to all this isn’t likely to reduce concerns, since it tries to shift the blame onto users who failed to change default passwords, while ignoring the fact that these passwords cannot be changed in some cases.
What can be done about this? Beyond locating and removing the current crop of vulnerable devices – a difficult task in itself – how can we avoid this situation in the future? Preventing poor quality products from entering the market is ultimately the responsibility of governments. Until authorities get involved, this is likely to keep happening. If they fail to act now, the attacks will continue to get worse until commerce is affected, at which point it will no longer be possible for governments to ignore the problem. Bruce Schneier shares this view.
The good news is that the European Union is already taking action. The EU is planning to upgrade its telecommunications laws, which are now expected to include requirements for labeling IoT devices that are secure and approved for Internet connection. This kind of labeling already works well for showing the energy usage of electrical appliances.
Kudos to the European Commission for recognizing that the ongoing flood of crappy IoT devices is a major contributor to Internet-related problems, including the recent, massive DDoS attacks. Let’s hope that other governing bodies wake up soon.
Another week, another huge DDoS attack, this time against French web hosting provider OVH.
Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.
Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.
Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.
What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.
Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping insecure-by-default devices, we’re going to keep seeing these huge attacks.
Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”
In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent; they’ll just compromise your privacy by default.
Doctorow is worried about this, and so am I.