These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

allheart55 (Cindy E), Administrator, joined Jul 12, 2014


The release of the Mirai source code demonstrates just how easy it has become to hijack poorly-protected Internet of Things devices into botnets.

Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.

What can you do, on an individual basis, at home or in the office to make sure you're not contributing to the problem?

Well, you can make sure that your IoT devices aren't "protected" by dumb default usernames and passwords, such as the following which are hardcoded into Mirai's source code:

Username - Password
666666 - 666666
888888 - 888888
admin - (none)
admin - 1111
admin - 1111111
admin - 1234
admin - 12345
admin - 123456
admin - 54321
admin - 7ujMko0admin
admin - admin
admin - admin1234
admin - meinsm
admin - pass
admin - password
admin - smcadmin
admin1 - password
administrator - 1234
Administrator - admin
guest - 12345
guest - guest
mother - ******
root - (none)
root - 00000000
root - 1111
root - 1234
root - 12345
root - 123456
root - 54321
root - 666666
root - 7ujMko0admin
root - 7ujMko0vizxv
root - 888888
root - admin
root - anko
root - default
root - dreambox
root - hi3518
root - ikwb
root - juantech
root - jvbzd
root - klv123
root - klv1234
root - pass
root - password
root - realtek
root - root
root - system
root - user
root - vizxv
root - xc3511
root - xmhdipc
root - zlxx.
root - Zte521
service - service
supervisor - supervisor
support - support
tech - tech
ubnt - ubnt
user - user

As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:

XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

Not changing a default username and password on an internet-enabled device is as good as having no password at all.

Be a responsible member of the community: change your passwords to something which is non-obvious, hard to crack, unique, and not the password the device shipped with. And don't buy technology from firms who don't appear to have given a second's thought to security.
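A small audit script, added here as an example and not part of the original article, that checks a device inventory against the advice above: it flags credentials that appear in Mirai's hardcoded list (a subset of the pairs listed above is embedded; extend it with the rest), passwords that are empty, equal to the username, purely numeric or short, and passwords reused across devices (so not "unique"). The device names and passwords in SAMPLE_INVENTORY are constructed for the example.

```python
from collections import Counter

# Subset of the username/password pairs hardcoded in Mirai's source, copied
# from the list above. "(none)" in that list means an empty password.
MIRAI_DEFAULTS = {
    ("admin", ""), ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("admin", "7ujMko0admin"), ("root", ""), ("root", "root"), ("root", "xc3511"),
    ("root", "vizxv"), ("root", "7ujMko0vizxv"), ("root", "Zte521"),
    ("root", "xmhdipc"), ("root", "default"), ("root", "123456"),
    ("guest", "guest"), ("support", "support"), ("ubnt", "ubnt"), ("user", "user"),
    ("666666", "666666"), ("888888", "888888"),
}

def audit_credential(username, password):
    """Return the reasons a username/password pair is unsafe on an
    internet-facing device; an empty list means nothing was found."""
    reasons = []
    if (username, password) in MIRAI_DEFAULTS:
        reasons.append("in Mirai's hardcoded default list")
    if password == "":
        reasons.append("empty password")
    elif password.lower() == username.lower():
        reasons.append("password equals username")
    elif password.isdigit():
        reasons.append("purely numeric password")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons

def audit_inventory(devices):
    """devices: iterable of (device_name, username, password) tuples.
    Returns {device_name: [reasons]} for every device with a finding; a
    password shared by several devices is reported on each of them."""
    devices = list(devices)
    reuse = Counter(pw for _, _, pw in devices)
    report = {}
    for name, user, pw in devices:
        reasons = audit_credential(user, pw)
        if pw and reuse[pw] > 1:
            reasons.append("password reused on %d devices" % reuse[pw])
        if reasons:
            report[name] = reasons
    return report

# Constructed sample inventory (hypothetical devices, not real hosts).
SAMPLE_INVENTORY = [
    ("dvr-lobby", "root", "xc3511"),
    ("cam-front", "admin", "admin"),
    ("cam-back", "admin", "Tq7#vL9m!pZ2kR4w"),
    ("nvr-office", "operator", "Tq7#vL9m!pZ2kR4w"),
    ("router-lab", "ubnt", "x9Lm#2Qr!vB7zT4e"),
]

if __name__ == "__main__":
    for device, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(device + ": " + "; ".join(reasons))
```

Note that a clean result from this script says nothing about whether the device's telnet service is reachable from the Internet, or whether the firmware even lets you change the credential, both of which the article raises below.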

Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.

But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.

Source: Graham Cluley