My understanding of worms like Mirai is the following:

  1. Try to telnet/ssh into random IPs using default user/pass credentials from various router/IoT manufacturers
  2. If you get in, do Bad Things™.

It seems the targets are generally home/consumer devices, which would be on a home LAN. From Wikipedia:

[Mirai] primarily targets online consumer devices such as remote cameras and home routers.

So here's what I don't get. Why would a remote camera/printer/whatever ever have a public-facing IP? They would only be accessible by NAT through the gateway, right? So a telnet request on port 23 would never reach it!

For example, suppose I bought a camera with telnet credentials "root:123456". I then connect it to my wifi. Why would it matter to a Mirai worm outside the network that I have this vulnerable camera? If the worm tried to telnet to my public IP, it would only be able to try to telnet into my router, not the camera!

  • See my answer http://security.stackexchange.com/questions/143231/how-does-malware-get-past-nat-routers/143232#143232 – multithr3at3d Dec 04 '16 at 02:10
  • @korockinout13 Thanks. How would this work for telnet specifically, though? Since Mirai uses telnet, exploiting default camera credentials. UPnP would forward port 5000 or whatever to the camera, right? So then how would telnet on port 23 get to it? – Elliot Gorokhovsky Dec 04 '16 at 02:35
  • The camera could request port forwarding on port 23 using the IGD protocol over UPnP. – multithr3at3d Dec 04 '16 at 17:34
  • @korockinout13 Why would the manufacturer forward port 23 though? It's so stupid! I get why they'd want telnet locally for debugging, but exposing 23 with default credentials? – Elliot Gorokhovsky Dec 04 '16 at 22:45
  • @korockinout13 It seems the cameras Mirai took over are those old industrial cameras you see in gas stations and whatever that are connected directly to modems without any NAT: https://www.wired.com/2016/10/internet-outage-webcam-dvr-botnet/ – Elliot Gorokhovsky Dec 04 '16 at 22:59

2 Answers

Whilst such devices shouldn't be directly exposed, it can happen and not just through sloppy setup or UPnP.

A compromised router, internal malware, driveby malvertising, etc. could all create a gap into the internal network.

In addition, it may happen occasionally that changes made to otherwise secure networks may inadvertently expose internal resources. This is especially likely when people start experimenting with IoT.

Finally, it is possible that consumer devices come with a vendor-supplied Internet service to get a "secure" remote connection, and that may not be properly secured. For example, many NASes come with a way to access them remotely without having to create inbound firewall rules. The NAS connects to a vendor server, and you also connect to that server when remote via some web service or app. Many consumer IoT devices come with similar services that allow access from mobile phones (remote lights, heating controls, etc.).

Julian Knight
  • IMHO the last paragraph points in the wrong direction: if every consumer device followed that approach, we would have had far fewer vulnerabilities. Have there been attacks against this approach? It's much less dangerous because the vendor can easily patch/shield all devices, and do it faster, too. In essence, routing the traffic over a central server is as secure (or insecure) as any other internet service. – Stefan Vaillant Dec 04 '16 at 18:48
  • The vendor *could* patch but may not. The vendor *may* be secure but may not. There are vast numbers of examples of vendor web failures to reference. Worse, this is in reference to typically ultra-cheap hardware - follow the money - margins are minuscule, so money for security is all but non-existent. This isn't an imaginary issue. – Julian Knight Dec 04 '16 at 20:48
The problem results from people wanting to be able to access their camera from the internet. Instead of using a more secure strategy, they expose it to the internet via a port forward (or UPnP does it for them). Since these devices are often poorly maintained by the manufacturer and rarely receive updates, this presents a major hazard. It is not just default passwords; there are probably several antique zero-day attacks too.

By definition a router is connected directly to the internet, so any vulnerability in that device is ready for a drive by attack.

trognanders
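The mechanism this answer and the question comments describe (a LAN device asking the router, via UPnP IGD, to forward an external port to its own telnet service) can be checked from inside the network: the IGD exposes its mapping table through the WANIPConnection `GetGenericPortMappingEntry` action, and walking that table shows exactly what the router has opened. The following is an added example, not code from the question or either answer. It assumes the router implements `WANIPConnection:1` and that its control URL has already been obtained (SSDP discovery is out of scope); the SOAP responses embedded below are constructed to show one camera exposing telnet and one benign mapping.

```python
"""Walk a UPnP IGD port-mapping table and flag mappings that expose telnet/SSH.

Added example for illustration only. Assumes the router speaks
urn:schemas-upnp-org:service:WANIPConnection:1 and that the control URL
(e.g. http://192.168.1.1:49152/upnp/control/WANIPConn1) is already known.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Internal ports a Mirai-style scanner goes after (telnet 23/2323, plus SSH).
# Assumption based on the thread's discussion, not an exhaustive list.
RISKY_INTERNAL_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet-alt"}


def build_request(index: int) -> bytes:
    """SOAP body asking the IGD for mapping table entry number `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_mapping(xml_text: str) -> dict:
    """Pull the mapping fields out of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    # Argument elements are unqualified; strip any namespace defensively.
    fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in resp}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_port": int(fields["NewInternalPort"]),
        "internal_client": fields["NewInternalClient"],
        "description": fields.get("NewPortMappingDescription", ""),
    }


def classify(mapping: dict) -> Optional[str]:
    """Return a warning string if the mapping exposes a risky service, else None."""
    svc = RISKY_INTERNAL_PORTS.get(mapping["internal_port"])
    if svc is None:
        return None
    return (f"{svc} on {mapping['internal_client']}:{mapping['internal_port']} "
            f"reachable from WAN port {mapping['external_port']}/{mapping['protocol']}"
            f" ({mapping['description'] or 'no description'})")


def audit(mappings: Iterable[dict]) -> List[str]:
    """Warnings for every risky mapping in the given table."""
    return [w for w in (classify(m) for m in mappings) if w]


def fetch_mapping(control_url: str, index: int, timeout: float = 3.0) -> Optional[dict]:
    """Query one entry from a live IGD. Returns None once the table is exhausted:
    the IGD answers with HTTP 500 carrying a SOAP fault (error 713,
    SpecifiedArrayIndexInvalid) for an index past the last mapping."""
    req = urllib.request.Request(control_url, data=build_request(index), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"',
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return parse_mapping(r.read().decode())
    except urllib.error.HTTPError as e:
        if e.code == 500:
            return None
        raise


def _response(ext: int, proto: str, internal: int, client: str, desc: str) -> str:
    """Constructed IGD response used for offline demonstration."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


# Constructed sample table: a camera that forwarded WAN 23 to its own telnet
# daemon, and a harmless mapping for a game console.
SAMPLE_RESPONSES = [
    _response(23, "TCP", 23, "192.168.1.50", "IPCAM"),
    _response(3074, "UDP", 3074, "192.168.1.20", "Xbox"),
]


def audit_samples() -> List[str]:
    return audit(parse_mapping(x) for x in SAMPLE_RESPONSES)


if __name__ == "__main__":
    for warning in audit_samples():
        print("WARNING:", warning)
```

Against a real router, loop `fetch_mapping(control_url, i)` for `i = 0, 1, 2, ...` until it returns None and feed the results to `audit()`. A hit like the first sample entry is precisely the situation the question considered impossible: the camera never had a public IP, but the gateway now delivers port 23 traffic to it, so Mirai's credential guessing reaches the camera after all.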