Brian Krebs has lately been writing a lot about DVRs and cameras made by XiongMai Technologies. He reports that they are terribly insecure and many have been hacked and herded into botnets where they participate in Distributed Denial of Service (DDoS) attacks such as the one that brought down his site.
Poor security is standard practice with IoT, but these devices are especially bad. Even if their web interface is used to change the default password, the devices have hard coded Telnet and SSH passwords that can not be changed.
Part of yesterday's DDoS attack against Dyn came from the Mirai botnet, composed of assorted hacked devices that were using default passwords.
Unlike pretty much every other article on this subject, I am not going to quote a spokesperson from a security firm saying that things are really really bad. Instead, I have some hopefully useful advice, a way to test if devices in your home (or office or wherever) are vulnerable to software attacks similar to the Mirai malware. It’s far from perfect, but it’s a step in the right direction.
The Telnet service uses TCP/IP port number 23. This being Computerworld, I’ll skip the explanation of TCP/IP and ports. To see if any device in your home is accepting unsolicited commands from Telnet-abusing bad guys, just click this link www.grc.com/x/portprobe=23 while in your home.
The device you click the link on should not be connected to either a VPN or the Tor network when the link is clicked.
This uses Steve Gibson’s ShieldsUp! service, which normally does more than test a single port, but requires more than one click.
When the probe completes, look for the “Status.” A status of “Stealth” is the most secure, “Closed” is probably OK (it’s a debatable point) and “Open” is bad news.
This test is not specific to hardware from XiongMai Technologies. The Telnet port being open only means that some device in your home is willing to accept and process commands from assorted bad guys. This test, by itself, does not pinpoint the specific vulnerable device. It may not even be an Internet of Things device, the router itself may be what’s listening for Telnet commands.
The SSH service uses TCP/IP port number 22 which can be tested by clicking on this link www.grc.com/x/portprobe=22.
Another common problem is routers that can be configured remotely via their web interface, a feature known as either Remote Administration or Remote Management. The secure approach is to disable this feature. You can test whether a router has Remote Administration enabled by probing port 80 (for HTTP) at www.grc.com/x/portprobe=80 and port 443 (for HTTPS) at www.grc.com/x/portprobe=443.
There is no simple solution for these, or any, TCP/IP ports being open. The router needs to be re-configured to close them.
These four tests are just the tip of the iceberg. There are over 65,000 TCP ports and a matching number for UDP. Links to more thorough tests are available on the Test Your Router page of my RouterSecurity.org site.
From my Defensive Computing standpoint, any open TCP/IP port is a security vulnerability.
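As an added example (not from the original post or from GRC), the script below reproduces the three ShieldsUp! labels for the four ports discussed, from a host you control: it attempts a TCP handshake and reports Open (handshake completed), Closed (the host refused with a reset) or Stealth (no reply before the timeout). The target address is a placeholder; point it at the public address of a router you own, and run it from a host outside that network, because a probe from inside the LAN tests a different path than ShieldsUp! does.

```python
import socket
import sys
from typing import Callable, Dict

# The four ports the post tests: Telnet, SSH, and router remote administration.
PORTS: Dict[int, str] = {23: "Telnet", 22: "SSH", 80: "HTTP admin", 443: "HTTPS admin"}
# Placeholder (RFC 5737 documentation range); replace with a router you own.
DEFAULT_TARGET = "192.0.2.1"

def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port with the ShieldsUp! labels quoted in the post.
    Open    - the TCP handshake completed: some device accepts connections here.
    Closed  - the host replied with a reset (connection refused): no listener,
              but the host still reveals that it exists.
    Stealth - nothing came back before the timeout: the probe was silently dropped.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "Open"
    except ConnectionRefusedError:
        return "Closed"
    except (socket.timeout, TimeoutError):
        return "Stealth"
    except OSError:  # no route, network down, etc.: says nothing about the port
        return "Unreachable"

def scan(host: str, ports: Dict[int, str] = PORTS,
         prober: Callable[[str, int], str] = probe_port) -> Dict[int, str]:
    """Probe every port in `ports`; `prober` is injectable for offline testing."""
    return {port: prober(host, port) for port in ports}

def verdict(results: Dict[int, str]) -> str:
    """Read a scan the way the post reads ShieldsUp! output."""
    open_ports = sorted(p for p, s in results.items() if s == "Open")
    if open_ports:
        names = ", ".join(f"{p}/{PORTS.get(p, 'tcp')}" for p in open_ports)
        return f"BAD: accepting unsolicited connections on {names}"
    if "Unreachable" in results.values():
        return "Inconclusive: some probes never reached the host"
    if "Closed" in results.values():
        return "OK (debatable): no listeners, but the host answers probes"
    return "Best: every probed port is stealth"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TARGET
    results = scan(target)
    for port in sorted(results):
        print(f"{port:>5}  {PORTS[port]:<12} {results[port]}")
    print(verdict(results))
```

A device already taken over by Mirai reports Stealth or Closed here for the same reason the October 24 update gives: the malware closes these ports behind it.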
- – – – –
UPDATE: October 24, 2016. According to a MalwareTech.com article dated October 3, 2016, the Mirai software “… will attempt to kill and block anything running on ports 22, 23, and 80, essentially locking out the user from their own device and preventing infection by other malware.” Thus, the tests in this blog post can only detect networks that have a vulnerable device. Once a device is hacked, the tests for these ports will turn up nothing but good news. All bets are off, however, if it’s the router, not an IoT device, that has the open TCP/IP ports.