Paul McLellan

Video Cameras: No Service for You

24 Oct 2016 • 6 minute read

In the late 1970s, most scientific computing was done on Digital Equipment Corporation (DEC) VAX-11/780 computers. The operating system came with a couple of default accounts so that you could log in and configure things when you first got the machine. One was the account SYSTEM, what we would call the root account in Unix-speak. Since that account was actually used for logging in regularly, it was pretty obvious that its password should be changed. One of the other accounts was the user FIELD with password SERVICE. Unless you knew it existed, you wouldn't necessarily discover it, and so that password was often never changed. If you logged in using it, you could do anything from reading any file, to creating new users, to rebooting the machine. Even as late as the early 1980s, I could often log in to VLSI Technology's customers' computers using that password (before telling them to change it, rather than changing it myself, which I had full privilege to do).

Today, weak passwords are everywhere. With the Internet of Things (IoT), there are even more devices out there just waiting to be compromised. Depending on whose numbers you take, tens of billions of IoT devices are expected by 2020. How many of them are configured with long passwords, containing upper- and lower-case letters and digits, and not containing dictionary words?

One common device is the wireless security camera. Almost all of us have another such device at home, a WiFi router. Both of these require passwords. Early WiFi routers let you pick your own username and password; my latest one seems to come with a complex username and password that can't be changed and is long enough to be secure. There are millions, probably hundreds of millions, of cameras and WiFi routers. What would happen if you could take control of even a small percentage of them?

There is a form of Internet attack on a website known as a distributed denial of service, usually just called DDoS. Assembling the machines for one usually requires a known bug in a common operating system, typically on a Windows-based PC. With the bug it is possible to plant malware on a large number of machines, giving the bad guys partial control of them. These machines are known as "bots" (short for "robots", if you can say "short for" when the bit you take off is at the beginning). When the bad guys control a lot of bots, the collection is known as a "botnet."

A DDoS attack works by taking a botnet and arranging for a lot of machines, perhaps 100,000 of them, to access the victim's website at the same time. Even discarding packets, let alone attempting to respond to them correctly, takes some computing resource, and with enough packets flooding the site there isn't enough computer power, nor network bandwidth, left for genuine requests to get through and be responded to. The site is effectively taken down. Unless you are an IT professional, you probably don't have any way of even detecting that your computer is infected and is playing a small role in a botnet, and there are techniques (known as "rootkits") that make it hard even if you are a security professional, since the malware alters the very tools you might use to detect it, so that it stays hidden.

But what if you don't even need to go to the trouble of discovering (or purchasing) a bug that allows you to plant malware? What if enough devices still have the default or just a weak password? When leaked password databases are analyzed, the most common password always turns out to be something like 12345.

Over the last few weeks there has been one of the biggest DDoS attacks ever, on the website of the well-known security researcher Brian Krebs. The malware behind it, known as Mirai, searches the Internet for devices that accept weak or default credentials, such as "root" with "12345" or "admin" with "password"; it has a long list of username/password pairs to try. It turns out that lots of IoT devices are set up like this, and users either cannot or don't know how to change the passwords. The attack on Krebs used 1.5 million devices, mostly video cameras and routers, compromised just by having easy-to-guess passwords. This isn't attacking passwords using high-powered servers and rainbow tables, or building FPGA password crackers. This is just guessing passwords from a limited list.
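The password guessing Mirai relies on (it tries its list over telnet) can be turned around into a check that a device owner, or a vendor's provisioning script, runs before a camera or router goes online. The script below is an added example written for this post, not code from the original article or from Mirai. It audits a username/password pair against a handful of the pairs documented in the published Mirai scanner list (a small subset chosen for illustration; the real list is much longer) and against the policy sketched earlier: length, mixed case, digits, no dictionary words. The minimum length of 12, the tiny embedded wordlist and the credentials in the usage lines are assumptions constructed for the example.

```python
from typing import List, Optional

# A handful of the username/password pairs in the published Mirai scanner list.
# This is a small subset chosen for the example; the real list is much longer.
MIRAI_DEFAULT_PAIRS = {
    ("root", "12345"), ("root", "123456"), ("root", "root"),
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("admin", "password"), ("admin", "1234"), ("support", "support"),
    ("user", "user"),
}

# Constructed stand-in for a real wordlist (e.g. the system dictionary).
DICTIONARY_WORDS = {"password", "camera", "admin", "welcome", "monkey", "dragon", "letmein"}

MIN_LENGTH = 12   # assumption for the example; the post only says "long"


def contains_dictionary_word(password: str) -> Optional[str]:
    """Return the longest dictionary word embedded in the password, if any."""
    lowered = password.lower()
    for word in sorted(DICTIONARY_WORDS, key=len, reverse=True):
        if word in lowered:
            return word
    return None


def is_trivial_sequence(password: str) -> bool:
    """True for runs like 12345, 54321, abcdef or a single repeated character."""
    if len(set(password)) == 1:
        return True
    codes = [ord(c) for c in password]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def audit_credential(username: str, password: str) -> List[str]:
    """Return a list of findings; an empty list means the pair passes every check."""
    findings = []
    if (username, password) in MIRAI_DEFAULT_PAIRS:
        findings.append("default credential pair on the Mirai scanner list")
    if password == "":
        findings.append("empty password")
        return findings            # nothing else is worth saying about it
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if is_trivial_sequence(password):
        findings.append("trivial sequence or repeated character")
    word = contains_dictionary_word(password)
    if word:
        findings.append(f"contains dictionary word '{word}'")
    if username and username.lower() in password.lower():
        findings.append("contains the username")
    return findings


if __name__ == "__main__":
    # Constructed credentials: the two pairs named in the post, plus a strong one.
    for user, pw in [("root", "12345"), ("admin", "password"), ("cam-owner", "qT7!nkz2Vw9#pL")]:
        print(f"{user}/{pw}: {audit_credential(user, pw) or 'OK'}")
```

The exact-pair check is the one that matters most here: a password that fails every other rule but is not on the scanner's list would still survive Mirai, while a long random password that happens to be a vendor default would not. A vendor applying this at provisioning time should also reject any password that ships identically on more than one unit.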

The reason so much is known about the attack is that someone, presumably the author, published the source code (it was posted to a hacking forum and quickly mirrored on GitHub). Apparently the usual reason for doing this is to gain deniability of authorship: once the code is published, thousands of people download it, and so finding the source code on any individual's computer doesn't prove guilt.

As Krebs himself said:

The source code has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders, and other easily hackable devices.

I said above that "unless you are an IT professional" you have no chance of discovering that your machine has been compromised, assuming the malware doesn't deliberately reveal itself by doing something like encrypting your disk and then demanding a ransom to decrypt it. In fact you may need to be more than a regular IT professional; you may need to be a security specialist. I have a PhD in computer science but I haven't a clue how to poke around in the guts of a Windows PC. The archetypal "man on the street" has even less chance, and probably doesn't even know how to change the password on the WiFi router sitting beside the TV.

With the Mirai malware, an infected device can be cleaned up simply by rebooting it, since the malware runs only in memory and does not install itself permanently. But there is so much scanning going on that, without changing the password, an IoT device can be re-infected within minutes. Many of the people who develop IoT devices know very little about security. And even if the device itself is designed to the highest standard, it will be easily compromised if the password is set to "12345" by a user who doesn't know any better. This is a problem that is only going to get worse.
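Both things described above, the flood of connections from many sources that is the DDoS itself and the constant background scanning for telnet logins that re-infects a rebooted device within minutes, show up in ordinary gateway logs with the same shape: many distinct source addresses hitting one destination port inside a short window. The script below is an added example, not from the original post or from any Mirai analysis. It parses iptables-style syslog lines, buckets them into one-minute windows per destination and port, and raises a scan alert for the telnet ports 23 and 2323 (both probed by Mirai) or a flood alert for any other port. The log lines are constructed for the example, and the thresholds (5 probing sources; 20 hits spread over 10 sources) are assumptions scaled down to that sample rather than tuned production values.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Matches iptables LOG output as a Linux gateway writes it to syslog.
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

TELNET_PORTS = {23, 2323}   # Mirai's scanner probes both
SCAN_MIN_SOURCES = 5        # assumption: distinct probing hosts per window
FLOOD_MIN_HITS = 20         # assumption: connections to one dst:port per window
FLOOD_MIN_SOURCES = 10      # assumption: ...spread over at least this many sources

Bucket = Tuple[str, int, str, int]   # (day, window start in seconds, dst, dpt)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dpt) for a firewall line, None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # syslog stamps carry no year; 2016 is assumed for the constructed sample
    when = datetime.strptime(m.group("stamp") + " 2016", "%b %d %H:%M:%S %Y")
    return when, m.group("src"), m.group("dst"), int(m.group("dpt"))


def summarize(lines: List[str], window_seconds: int = 60) -> Dict[Bucket, Tuple[int, Set[str]]]:
    """Count hits and distinct sources per (window, destination, port)."""
    hits: Dict[Bucket, int] = defaultdict(int)
    sources: Dict[Bucket, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # sshd, cron, ... are not firewall events
        when, src, dst, dpt = parsed
        secs = when.hour * 3600 + when.minute * 60 + when.second
        key = (when.strftime("%b %d"), secs - secs % window_seconds, dst, dpt)
        hits[key] += 1
        sources[key].add(src)
    return {key: (hits[key], sources[key]) for key in hits}


def detect(lines: List[str], window_seconds: int = 60) -> List[Tuple[str, str, int, int, int]]:
    """Return (kind, dst, dpt, hits, distinct_sources) alerts, one per offending window."""
    alerts = []
    for (day, start, dst, dpt), (count, srcs) in sorted(summarize(lines, window_seconds).items()):
        if dpt in TELNET_PORTS and len(srcs) >= SCAN_MIN_SOURCES:
            alerts.append(("telnet-scan", dst, dpt, count, len(srcs)))
        elif count >= FLOOD_MIN_HITS and len(srcs) >= FLOOD_MIN_SOURCES:
            alerts.append(("flood", dst, dpt, count, len(srcs)))
    return alerts


def constructed_sample() -> List[str]:
    """Synthetic gateway log: eight hosts probing telnet, twenty-five hosts hitting
    a web server, some ordinary traffic and one non-firewall line, all in one minute."""
    fmt = ("Oct 22 10:15:{sec:02d} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
           "PROTO=TCP SPT=40000 DPT={dpt} SYN")
    lines = []
    for i in range(8):       # scanners from eight different addresses, one probe each
        lines.append(fmt.format(sec=i * 5, src=f"198.51.100.{i + 1}", dst="203.0.113.5", dpt=23))
    for i in range(25):      # a small "botnet" all hitting one web server
        lines.append(fmt.format(sec=i, src=f"192.0.2.{i + 1}", dst="203.0.113.10", dpt=80))
    lines.append(fmt.format(sec=40, src="198.51.100.200", dst="203.0.113.10", dpt=443))
    lines.append(fmt.format(sec=41, src="198.51.100.200", dst="203.0.113.10", dpt=443))
    lines.append("Oct 22 10:15:59 gw sshd[812]: Accepted publickey for ops from 198.51.100.200")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

The distinct-source count is what separates the two cases from ordinary load: a single noisy client produces many hits from one address and triggers neither rule, whereas a scan is a few hits each from many addresses and a flood is both many hits and many addresses. On a home router the telnet rule alone is worth running, since any inbound traffic to port 23 or 2323 from the Internet is a probe, and a steady stream of it is exactly why a rebooted camera with a default password does not stay clean.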

To make it even scarier, Mirai is described by security professionals as "mediocre." This is not Stuxnet, presumed to have been developed by one or both of the NSA and the Israeli security services. If we only had to worry about malware with that level of investment and expertise we would be in good shape. But we have to worry about the mediocre stuff that "anyone" can create. OK, not anyone, but anyone who is a moderately competent programmer. I remember reading that there are about 100 million programmers. Start worrying.

UPDATE: It looks like the DDoS attack that took down Netflix, Airbnb, Reddit and more last Friday was similar, powered by millions of devices like cameras, baby monitors, and home wireless routers. It is unclear whether Mirai itself was used, or something similar. The legal counsel of Dyn, the company running the DNS service under attack, said that "tens of millions of IP addresses" were being used.
