IoT Devices With Default Telnet Passwords Used As Botnet (securityaffairs.co)
Slashdot reader stiebing.ja writes:
IoT devices, like DVR recorders or webcams, which are running Linux with open telnet access and have no passwords or default passwords are currently a target of attacks which try to install malware which then makes the devices a node of a botnet for DDoS attacks. As the malware, called Linux/Mirai, only resides in memory, once the attack has been successful, revealing if your device got captured isn't so easy, and also analyzing the malware is difficult, as it will vanish on reboot.
Plus the malware lays low at first, though "it is obvious that the main purpose is still for a DDoS botnet," according to MalwareMustDie, and it's designed to spread rapidly to other IoT devices using a telnet scanner. "According to the experts, several attacks have been detected in the wild," according to the article, which warns that many antivirus solutions are still unable to detect the malware, and "If you have an IoT device, please make sure you have no telnet service open and running."
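Because the malware lives only in memory, the most reliable sign of an infected device is its network behaviour: the summary says it spreads with a telnet scanner, so a compromised DVR or camera shows up as one internal host opening connections to many outside addresses on the telnet port. The following detector is an added example (not from the article or MalwareMustDie); it runs over constructed iptables-style router log lines, and the source/destination addresses, the hypothetical hosts .23 and .10, and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed events (src, dst, dst port), not taken from the article:
# 192.168.1.23 is a hypothetical compromised DVR fanning out to six different
# external hosts on TCP/23; 192.168.1.10 is a normal client.
_EVENTS = [
    ("192.168.1.23", "203.0.113.5", 23),
    ("192.168.1.23", "203.0.113.9", 23),
    ("192.168.1.23", "203.0.113.17", 23),
    ("192.168.1.23", "203.0.113.33", 23),
    ("192.168.1.23", "203.0.113.41", 23),
    ("192.168.1.23", "203.0.113.58", 23),
    ("192.168.1.10", "198.51.100.7", 443),
    ("192.168.1.10", "198.51.100.8", 23),
]

# Rendered as iptables LOG-target lines from a router forwarding LAN -> WAN.
SAMPLE_LOG = "\n".join(
    f"Oct  3 10:00:{i:02d} router kernel: FORWARD IN=br0 OUT=eth0 "
    f"SRC={src} DST={dst} PROTO=TCP SPT={44000 + i} DPT={dpt} SYN"
    for i, (src, dst, dpt) in enumerate(_EVENTS)
)

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def find_telnet_scanners(log_text, ports=(23,), threshold=5):
    """Return {src: set(dst)} for internal hosts that opened TCP connections
    to at least `threshold` distinct destinations on any of `ports`.
    A client legitimately reaching one telnet host stays below the bar;
    a scanner that walks many addresses does not."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in ports:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: telnet connections to {len(dsts)} distinct hosts")
```

Rebooting the flagged device clears the memory-resident malware, but it will be reinfected unless the telnet service is closed or the password changed, which is the article's advice.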
Re: Wait, the story is in error (Score:1)
Sorry and unimaginative trolling
Re:Wait, the story is in error (Score:4, Insightful)
If the sysadmin is stupid (like you are, for example), then any Unix is less secure than even unpatched Windows. Linux security is what you get when you combine a competent sysadmin and Linux. The same effect exists on Windows, but the results are not nearly as good and that is what makes Linux a secure OS and Windows a problematic one.
Re: (Score:2)
Linux is nice because one can secure it as they see fit. Someone on the operator level can enable patching at certain times in RedHat and downstreams, Debian, and Ubuntu, with ease. This isn't something you would do in production for obvious reasons, but with modern mainstream Linux distros with their default installs, it actually is more work to not enable patching than to enable it.
An admin that is more versed would be using some sort of patch management system, if only to ensure that SSH, OpenSSL, the
Appernet of Apps! (Score:1)
Apps!
Re: (Score:2)
Security is the minimum of the system's capabilities, the integrator's capabilities and the user's capabilities. Granted, the integrator can take away sufficient options from the user to eliminate him from the equation, but if he is already a complete idiot, the system can't compensate for it.
Follow the money (Score:3)
Silly question. Why telnet? Because it is cheap and they don't give a crap if you get hacked. Not their problem if you do.
Re: (Score:2, Informative)
So why isn't there a daemon on all linux variants that monitors for the presence of a telnet server and KILLS IT ?!?
There is. If you run systemd, it will eventually bring down your entire machine, including any errant telnet servers.
Re: (Score:2)
Probably. Telnet is text, and systemduh hates text.
Re: (Score:3)
One ideal might be having good in and out firewall rules on the machine. It takes time for initial setup and maintaining, but isn't that bad (it can be put in your playbooks or .pp files.) That way, a telnet server will not be accessible by anything.
Re: (Score:2)
Some legacy software needs it. I had to use some like that until around ten years ago on some machines that were heavily firewalled off from the rest of the world.
Developers who make their software depend on telnet are the ones that should be shot. All these expected IoT failures are due to software developers out of their depth taking shortcuts and fucking up badly. The fucking MSDOS single user don't give a shit about security mindset is how
Re: (Score:2)
Why so complicated? The problem is automated remote access. Just use ssh and a unique password set at the factory and printed on a sticker.
Bonus points for avoiding lockout, a jumper inside the unit allows password-less access.
Alternatively, a user accessible button. Pressing it opens a 5 minute window for login. Otherwise, no access.
Re: (Score:2)
Simple: The design was done by the cheapest morons available. This is so obviously completely incompetent, that the ones responsible must be management for hiring the wrong people.
Damn millennials (Score:1)
Are all of those IOT devices designed by millennials ??
Re: (Score:1)
IOT === Idiots or Twats.
IMHO that describes the designer of pretty well all IoT devices released so far.
Re: (Score:2)
Well, yes, security is hard, but these people are not even trying.
Re: (Score:1)
A home router? Block outgoing ports?
I think not. If any home IoT devices are pwned, most people would never know it.
Also I think the article suggestion to shut off telnet on devices like DVRs and such is laughable. Exactly how does the average home user do this?
Frankly, why should they care. If DVR and other device manufacturers are leaving security holes, it's their problem to fix it with a software patch.
Re: (Score:2)
Many devices have a telnet or ssh listener on different ports, precisely because they tend to be blocked.
Re: (Score:2)
Telnet and SSH are two different things regarding the sophistication level of malware.
Indeed. You can find dozens of script kiddie programs for attacking ssh, but not a single one I can find for attacking telnet with TLS and SASL.
Any device that uses telnet should be considered a trojan penetration device. In 2016 there is absolutely no reason to use telnet.
Quite a few devices have a serial interface, and on those, ssh is not an option. Good old telnet still rules for that.
And, yes, there are devices out there that can only be reached by modem too. Park/forest stations, meteorological equipment and lighthouses, for example. Sometimes not even POTS and 56k, but 9600 bps. You really don't want to run ssh over that.
Re: (Score:2)
Aaaaaand, fail! You can run a telnet server on the default port and be completely secure. Depends entirely on what you do with it. The primary problem here is not "telnet", but "default password".
Re: (Score:2)
The combination is scary. Even if I don't know the default password, I know it after sniffing the traffic for a while.
Re: (Score:2)
And then look at where you actually _can_ sniff passwords today. It is not in many situations. Unsecured wireless LAN is basically the only one, or it gets pretty expensive and high effort. But I am most certainly not arguing for log-ins from a non-encrypted WLAN on the other side of the world over telnet. There are other scenarios where it still makes sense, for example if you are already in a secure network.
Re: (Score:2)
Considering that the biggest threats to privacy these days are actually sitting in the data stream and able to take a close look at any and all data transmitted, it's not really comforting that Joe Scriptkid cannot.
Defective Product (Score:5, Insightful)
In this day and age, a device with telnet and no password is fundamentally a defective product.
Re: (Score:2)
In this day and age, a device with telnet and no password is fundamentally a defective product.
If you're really a lawyer, you should start a class action lawsuit against the offending companies for gross negligence.
Re: (Score:2)
It has its uses. Some devices cannot support ssh (too small), or ssh cannot get though an internal firewall, for example. Sure, you need to limit usage to secure networks or networks where anybody sniffing passwords is rather unlikely for other reasons, but telnet still has its uses.
Re: (Score:2)
It has its uses.
Telnet with NO password has uses outside botnet fertilizer?
I'd love to hear them.
As for your other points, I still argue Telnet is useless. Firewalls that can't pass Telnet are also defective in 2016, along with any device that can't handle a few more bits of ram or storage for SSH.
Re: (Score:2)
And where did you see me talking about telnet "with no password"? Can you point that out to me? Because I am pretty sure I did not.
Re: (Score:2)
My bad. From my POV, you were replying to the GP in defense:
In this day and age, a device with telnet and no password is fundamentally a defective product.
However, I can see now that you were replying to an AC reply to that, which was hidden by default on my settings.
That said, I'd really like to understand why a product made *today* would have any reason for Telnet.
Re: (Score:2)
Indeed. "Gross negligence" seems to be too tame a description for it.
Actually there are millions of such devices (Score:1)
"According to the experts, several attacks have been detected in the wild," - well, have a look at this article [blog.nic.cz]. It is about more than 6 million devices, 1 million of them being for sure IoT stuff like cameras and the likes. It is very likely they are talking about the same attack described here.
How to test it (Score:1)
Here is a website where you can test if your device has such a problem, because it has been observed in Telnet honeypots for quite some time - https://amihacked.turris.cz/ [turris.cz]
Product recall? (Score:1)
Except for devices where the buyer WANTS this open - say, for use in a honeypot - I would consider this a design defect. Depending on the device, this could cause death.
The feds (in the USA) are probably going to turn the "voluntary" recall of the Samsung Galaxy 7 phone into a "mandatory" recall.
I would recommend they seriously consider doing the same for any device that has security hole like this that can't be fixed by end users, especially for devices that are designed to be used by non-experts.
Re: (Score:2)
Maybe when you can blow up the devices via telnet. Until then it's unlikely.
Make some IoT makers get an engineering seal (Score:2)
Some things can hurt people or destroy property if they don't work right.
Maybe it's time to have the makers of HVAC systems and other things that could injure or kill if they become zombies get an engineer to sign off on all designs - including software design - before they are allowed to sell the equipment for its intended purpose, at least if the end user isn't an expert (e.g. thermostats designed for residential or small-office use where they aren't under constant monitoring by HVAC professionals). This
IDIOT == Insecurely Designed Internet Of Things (Score:2)
Spread the meme
It's always best to start at the beginning (Score:2)
Speaking as a slightly paranoid home user.
Every time I add a new device to my network, I do a nmap port scan on it. Something like:
sudo nmap -A -T4 ipaddress
If access to those ports are needed, I'll do some poking on them, depending on what they are and probably some research to determine if they have had any security issues, and do a risk analysis.
Work follows a completely different model. Everything is blocked, there are various levels of approvals needed to open any ports. External access directly to in
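The scan-every-new-device habit above can be scripted without nmap for the one question this story turns on: does the box answer on the telnet port, and with what prompt? This is an added example, not the poster's script; the port list, the timeout and the loopback stand-in device are assumptions, and it is meant to be pointed at your own newly unboxed hardware.

```python
import socket
import threading


def check_telnet_listener(host, ports=(23,), timeout=2.0):
    """Connect to each port on `host`; return {port: banner} for the ones
    that accept. The banner (possibly b"") is whatever the service sends
    first, e.g. a 'login:' prompt, which on a fresh device is the thing
    to act on. Closed or filtered ports are simply absent from the result."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256)
                except socket.timeout:
                    banner = b""  # accepted the connection but stayed silent
                found[port] = banner
        except OSError:
            continue  # refused, timed out or unreachable: not listening
    return found


def start_fake_device(banner=b"\r\nlogin: "):
    """Hypothetical stand-in for a device under test so the check can be
    tried offline: a loopback listener that answers one connection with
    `banner` and then closes. Returns the port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Against real hardware replace the fake device with the device's LAN IP.
    port = start_fake_device()
    print(check_telnet_listener("127.0.0.1", (port,)))
```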