SANS Technology Institute researcher shows that a DVR with default settings can be compromised within minutes of going online.
Despite the Mirai botnet bringing into focus the need for better security in IoT devices, many can still be hacked in under two minutes, according to security researchers.
In an experiment carried out by Johannes Ullrich, dean of Research at SANS Technology Institute, an Anran DVR system he bought and left connected to the internet was hacked in a matter of minutes.
Ullrich left the device in its default state, with its network ports open, and able to accept ‘root’ logins with the well-known password ‘xc3511’. He said that many worms infecting these devices will disable telnet after a successful infection, to prevent others from exploiting the weak credentials. To allow for continuous infections, he connected his DVR to a remote-controlled power outlet, and power cycled it once every five minutes. He also logged all traffic to and from the DVR.
In examining the logs over two days, he found that the system was compromised by someone or something logging in using the correct credentials every two minutes.
DVR dangers come from “usual suspects”
Of the 1,254 attacking IP addresses logged over 45 hours and 42 minutes, the IoT search engine Shodan had information on 592 of them. Ullrich said the logs revealed the “usual suspects” among the attackers: most of the IPs that logged in could be traced back to IoT devices from TP-Link, AvTech, Synology, and D-Link.
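The analysis described above (successful logins with the factory credential every couple of minutes, and a count of distinct attacking addresses) can be reproduced over a honeypot's own login log. The following is an added example, not code from the article or from SANS; the log line format and the sample lines are constructed for illustration, and only the root/xc3511 credential comes from the article.

```python
# Added example: summarize a DVR telnet honeypot login log.
# Log format is an assumption: "<ISO time> <src ip> LOGIN <user> <password> OK|FAIL"
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample lines (documentation-range IPs, not real attackers).
SAMPLE_LOG = """\
2017-04-10T10:00:05 203.0.113.7 LOGIN root xc3511 OK
2017-04-10T10:00:40 198.51.100.2 LOGIN admin admin FAIL
2017-04-10T10:02:10 198.51.100.9 LOGIN root xc3511 OK
2017-04-10T10:03:55 203.0.113.7 LOGIN root vizxv FAIL
2017-04-10T10:04:12 192.0.2.33 LOGIN root xc3511 OK
2017-04-10T10:06:09 198.51.100.2 LOGIN root xc3511 OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) LOGIN (?P<user>\S+) (?P<pw>\S+) (?P<result>OK|FAIL)$"
)
# The factory credential named in the article; extend with other known defaults as needed.
DEFAULT_CREDS = {("root", "xc3511")}


def parse(log_text):
    """Yield (timestamp, ip, user, password, success) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole analysis
        yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["pw"], m["result"] == "OK")


def summarize(log_text):
    """Count attacking IPs, default-credential compromises, and the typical gap between them."""
    events = list(parse(log_text))
    compromises = [e for e in events if e[4] and (e[2], e[3]) in DEFAULT_CREDS]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(compromises, compromises[1:])]
    return {
        "distinct_ips": len({e[1] for e in events}),
        "compromises": len(compromises),
        "top_attackers": Counter(e[1] for e in events).most_common(3),
        "median_gap_seconds": median(gaps) if gaps else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On a real capture, the distinct-IP set is what you would feed to a service like Shodan to attribute the attacking hosts, as the researcher did.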
“While I am calling the activity ‘Mirai’, dozens of variants hit the DVR. The geographic distribution of these systems matches what we saw early on with Mirai, only counting the hosts that had Shodan information,” he said.
The demonstration showed that the issue hasn’t been dealt with properly by IoT vendors, and Ullrich added that the problem “isn’t going away anytime soon.”
“If people haven’t heard yet about vulnerable DVRs and default passwords, then they will not read this article either. Variants like ‘Brickerbot’, which supposedly attempted to break vulnerable devices, are ineffective because most of these devices cannot be ‘bricked’ by overwriting a disk with ‘dd’,” he said.
“They may become temporarily unresponsive, but will be fine after a reboot. Many of these devices are buggy enough, where the owner is used to regular reboots, and that is probably the only maintenance the owner will perform on these devices.”