Today the web was broken by countless hacked devices – your 60-second summary

Silver badge

Maybe..

..just maybe this will finally spur TPTB into taking some action.

For a start oblige the manufacturers of IoTs to stop selling vulnerable devices until they're fixed.

At the same time, put out a recall for all those currently installed to be upgraded - or do over-the-net upgrades for kit that supports that.

And then make it illegal to run a vulnerable device if it's connected to the net.

The second item might well cost vendors more than the profit they made in the first place - good, it's time vendors were exposed to the costs of cutting corners.

33
4
Silver badge

Re: Maybe..

Nice thought, but I think most manufacturers will just shut down the product line rather than do fixes. Profit and all that. As for "illegal".. that part would be ignored as any fines will be relatively minuscule and that's only if a law can get past the corporate lobbyists.

21
0
Silver badge

Re: Maybe..

'As for "illegal".. that part would be ignored as any fines will be relatively minuscule and that's only if a law can get past the corporate lobbyists.'

Fines can be whatever legislation and the courts make them. There's also the possibility of raising sanctions against ISPs who continue to permit their customers to continue to use such devices.

As to lobbying, recent events have resulted in some large corporations having incentives to lobby for action.

In general history shows that eventually potentially bad stuff does get regulated but unfortunately governments traditionally don't operate at internet speed.

5
3
Silver badge

Re: Maybe..

governments traditionally don't operate at internet speed

Unless it is to exploit a moral panic to increase control in unsustainable ways for no good reason except that "something must be done".

38
1
Silver badge

Re: Maybe..

I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering.

Security is hard to do even when users are reasonably proactive. Too many IoT devices ignore proper security because they make it difficult to update the device even for proactive users. This could be fixed, possibly without any new legislation. Use the existing defective product recall laws on the books since these are defective devices. After a certain period of time and genuine effort, nail the manufacturers with fines for selling and refusing to fix defective products.

9
2
Silver badge

Re: Maybe..

A class action lawsuit by users of these devices would cover older models just fine. My non-lawyer thinking suggests that being put at risk without any warning labels would make a case. I want to see these socially irresponsible companies put out of business. I'm sure there are others willing and able to take their place.

3
2

Re: Maybe..

"...only if a law can get past the corporate lobbyists." and the Republican Party.

8
2
Silver badge
Black Helicopters

Re: Maybe..

The "TPTB" would not take the action you require simply because Twitter and Netflix were down for a while. No, you need a DDOS attack on a bank, a hospital network, an ATC centre or anything that can seriously scare them.

2
0

But it was secure yesterday

n/t

0
0
Silver badge

Re: Maybe..

There is actually no solution to this.

2
0
Silver badge
Stop

Re: Maybe..

"And then make it illegal to run a vulnerable device if it's connected to the net."

Another fine law to make criminals out of ordinary people.

I have an IPCAM. I wanted it mostly as a toy, but it is useful for keeping an eye on things when I'm not around. See what the cat is up to, etc.

Out of the box, it uses uPNP to punch a hole in the router for itself. It announces its presence to several foreign servers, and it has a default telnet login of root/123456.

I've hacked the startup script (luckily writeable) to replace the hosts file numerous times at boot to direct all of the domains that the camera uses to localhost (obtained by connecting the camera to network sharing on my PC and wiresharking what happened during boot). The uPNP failed as I've disabled that on the router. There's a STUN to an IP address that I can't do anything about (my router is an Orange Livebox so it doesn't do fancy things like blocking individual IP addresses). The default password cannot be changed. I can use chpasswd but the next time the thing is rebooted, the firmware writes a new passwd file with the root/123456 combination. I also very much doubt the online firmware upgrade is in any way secure. I will, some day, make a binary hack to the main program file to replace the firmware cgi filename with gibberish (to disable that) and change the baked in password to something else. I tried a sleep 60 in the boot script, but the thing overwrote it with the default. It's of lower importance as you'd need to be in my local network to access it.

I'm a nerd. I could play with this and fiddle with it. I'm sure many people will just buy the device, plug it in, and expect it to work with "the app". If that's all it takes to be a criminal, there's no hope.

42
0
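As an added example (not from the commenter above or the original article), a small log audit that flags the behaviours described in that post on a home network: a device requesting UPnP port mappings for itself, telnet accepted from the WAN side, and STUN traffic to outside addresses. The log line format and the addresses are constructed for the example, not the output of any real router.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a simplified home-router format
# (invented for this example; not the output of any real firmware).
SAMPLE_LOG = """\
upnp: AddPortMapping ext_port=8080 int_ip=192.168.1.50 int_port=80 proto=TCP
fw: ACCEPT IN=wan src=198.51.100.23 dst=192.168.1.50 proto=TCP dport=23
fw: ACCEPT OUT=wan src=192.168.1.50 dst=203.0.113.7 proto=UDP dport=3478
fw: ACCEPT OUT=wan src=192.168.1.20 dst=203.0.113.9 proto=TCP dport=443
fw: ACCEPT IN=wan src=198.51.100.23 dst=192.168.1.50 proto=TCP dport=8080
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet
TELNET_PORTS = {23, 2323}
STUN_PORT = 3478

UPNP_RE = re.compile(
    r"upnp: AddPortMapping ext_port=(\d+) int_ip=(\S+) int_port=(\d+) proto=(\w+)")
FW_RE = re.compile(
    r"fw: ACCEPT (IN|OUT)=wan src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def audit(lines):
    """Return {lan_ip: sorted list of findings} for the behaviours worth a look."""
    findings = defaultdict(set)
    for line in lines:
        m = UPNP_RE.search(line)
        if m:
            ext_port, int_ip, int_port, proto = m.groups()
            # A device asked the router to open a hole for itself.
            findings[int_ip].add(f"upnp_mapping:{proto}/{ext_port}->{int_port}")
            continue
        m = FW_RE.search(line)
        if not m:
            continue
        direction, src, dst, proto, dport = m.groups()
        dport = int(dport)
        if direction == "IN" and ipaddress.ip_address(dst) in LAN:
            # Inbound from the WAN was accepted: is it the telnet service?
            if dport in TELNET_PORTS:
                findings[dst].add("telnet_reachable_from_wan")
            else:
                findings[dst].add(f"wan_inbound:{proto}/{dport}")
        elif direction == "OUT" and ipaddress.ip_address(src) in LAN:
            if dport == STUN_PORT and proto == "UDP":
                # STUN to an outside server: the device is setting up NAT traversal.
                findings[src].add(f"stun_to:{dst}")
    return {ip: sorted(items) for ip, items in findings.items()}


if __name__ == "__main__":
    for ip, items in audit(SAMPLE_LOG.splitlines()).items():
        print(ip, items)
```

Ordinary outbound HTTPS from the PC at 192.168.1.20 produces no finding; only the camera-like device at .50 is reported.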
Bronze badge

Re: Maybe..

"Another fine law to make criminals out of ordinary people."

It would be illegal to hack into someone's network and spy on them. It ought to be illegal to create a Trojan program to do that. Is it illegal to sell a device like an IP cam that does that?

There is an IP cam with a web interface that Google has spidered into its search. You can find them and view the video. You could probably also upload new firmware to someone else's camera. They did this to UBIQUITI wireless kit earlier this year and those things had passwords.

1
0
Silver badge

Re: Maybe..

Problem is proving that the USERS/Owners suffered at all.

0
0
Silver badge

Re: Maybe..

" it uses uPNP to punch a hole in the router for itself. It announces its presence to several foreign servers, and it has a default telnet login of root/123456.

I've hacked the startup script (luckily writeable) to replace the hosts file "

Disable uPNP on your firewall / router.

Setup a VPN (properly) to your home network if you want to remotely access stuff on it.

3
5
Silver badge
FAIL

Re: Maybe..

Maybe some smart developer should make a free tool so that people can at least check out their local network for compromised devices.

Not me.

I'm too busy: https://www.youtube.com/watch?v=VASywEuqFd8

2
0
Silver badge

Re: Maybe..

"Disable uPNP on your firewall / router."

That was the second thing I did (after changing the router's default password). I spotted the uPNP requests in wireshark. As for uPNP itself - horrendous idea. Anything that needs to receive incoming data can fail nicely and/or ask for permission.

But letting IoT devices grant themselves authorisations? Ain't gonna happen.

[Bootnote: Orange sets the Livebox to support uPNP by default. People can buy stuff, plug it in, and "it just works". I wonder how many even understand what this process entails?]

8
0
Silver badge
Unhappy

Re: Maybe..

> Nice thought, but I think most manufacturers will just shut down the product line rather than do fixes.

and nothing of value will be lost

4
0

Re: Maybe..

What unadulterated bollocks.

How do you outlaw the Chinese makers that flood ebay, gearbest, aliexpress and the like?

Do you guys think that some army of standards enforcers will land in China and start shutting factories down?

The Chinese manufacturers neither know nor care about these things; mostly the same stands for their customers.

8
0
Silver badge

Re: Maybe..

Stuff the routers/firewalls supplied by the ISP's.

Make your own Firewall box that sits between the ISP router and your network devices. Then you can control everything and these crap devices can't get out and create links to the mothership.

Also make them on a separate subnet to your printers and computers and you know, good stuff.

None of these devices will get on my network even though I already have my own Firewall made from a fanless NUC.

We need to make the stores and online tat shops like Amazon and Ebay stop selling this crap. Only then might we get somewhere before it is too late.

Getting the politicians to act before we lose a country from the internet for say a week will be impossible I'm sad to say, but we the more informed amongst us can do our bit and make sure that we are not part of the problem.

0
0
Silver badge

Re: Maybe..

"The Chinese manufacturers neither know nor care about these things; mostly the same stands for their customers."

<tinfoil hat mode>

Or, just maybe, it's all part of "The Plot"

</tinfoil hat mode>

3
0
Silver badge

Re: Maybe..

"We need to make the stores and online tat shops like Amazon and Ebay stop selling this crap."

Since both Amazon and EBay were affected by this outage, one wonders if either or both of them will take any notice. Did it hit their bottom line in sales? Chances are, no, it didn't. Sales may have dropped short term but most people trying to buy will simply try again later, so over all, the bottom line was barely touched, if at all.

Now, if we can get some non-thinking US Congress Critter to jump on a band wagon and scream from the rafters that the US economy lost $billions in trade because of this....

2
0

Re: Maybe..

Well maybe it would be excessive to actually prosecute end users, but running insecure devices could be made illegal indirectly via ISPs. I think it would be perfectly reasonable for ISPs to be required to identify customers whose devices are part of these botnets and then warn those customers. With the legal stick being that if the customer doesn't fix or disconnect the offending device in a reasonable period (say a couple of months) then they get cut off until they do.

1
6
Silver badge

Re: Maybe..

'Problem is proving that the USERS/Owners suffered at all.'

Apparently it took down GitHub, Twitter, Reddit, Netflix, AirBnb so the world actually got smarter.

4
0
Anonymous Coward

Re: Maybe..

There is actually no solution to this

You could be right, but I think that this will spur the rise of closed "internets" owned by Farcebook and Google. They can apply controls on these kinds of bots as well as controlling free speech. Dystopian future draws nearer.

2
2
Bronze badge
FAIL

Re: Maybe..

This is obvious clickbait, it suggests all IOT devices are vulnerable, but the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login.

Worse still, this company only makes IP cameras, so to suggest this DDoS was caused by routers, thermostats and toasters is just pure clickbait Horsecrap.

It's however fashionable this month to hate anything IOT, so let's just ignore that....

2
6
Silver badge
Linux

Re: Maybe..

And then make it illegal to run a vulnerable device if it's connected to the net.

That'd mean kicking all them Windows users off the net.

And all Macs.

<unreadably small font>And for that matter, my Linux machines probably have some vulnerabilities in them that haven't been discovered... Yet... </unreadably small font>

Seriously though.. That would kill all sorts of development work. Who would write and test code knowing that if they didn't find a security flaw, they or their customers could end up having to pay some sort of fine or worse? I hate Windows insecure crap as much as anyone, but there has to be some limits in here..

(really must stop posting at 3am too..)

4
0
Silver badge

Re: Maybe..

"I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering."

I think a few large corporations being exposed to risk like this will be able to apply as much emotional pressure as is needed to produce results.

1
0
Silver badge

Re: Maybe..

The "TPTB" would not take the action you require simply because Twitter and Netflix were down for a while.

Can't Netflix and Twitter afford to buy a few politicians or do any lobbying?

0
0
Silver badge

Re: Maybe..

"Another fine law to make criminals out of ordinary people."

Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are.

0
2
Silver badge

Re: Maybe..

"Problem is proving that the USERS/Owners suffered at all."

No, it's the suffering that users/owners are causing to others that's the problem.

1
0
Silver badge

Re: Maybe..

"mostly the same stands for their customers."

It's the customer end that you start with. Does the kit meet UL/CE standards? If not then it becomes illegal to put it on the 'net in the relevant country or, even better, it becomes illegal for the ISPs to route it. It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit.

The manufacturers will get the message without direct action - they want to sell stuff, they meet the standards.

Make no mistake, something will be done, the only questions are what and when.

2
0
Silver badge

Re: Maybe..

"This is obvious clickbait, it suggests all IOT devices are vulnerable, but the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login."

The answer lies somewhere in between. It might be a single manufacturer in this case and not everything is necessarily vulnerable but there have been enough reports of routers with telnet ports open on the internet side etc. You don't need to look back very far in el Reg to pick up these.

0
0
Silver badge
WTF?

Re: Maybe..

"Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are."

And cars have garages that can grant MOTs. What non-God-Tier-Entity do you have in mind that can in good faith assert that a given device is "safe"? It's exceedingly rare to discover major faults in an existing car which is why recalls work at all; with computing, it's the daily norm. So do please tell me you intend to equate "safe" with "all patches issued as of today being applied" so I can laugh all next week.

2
0
Silver badge
Headmaster

Re: Maybe..

the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login.

That's a definition of 'reality' of which I was not previously aware.

The Mirai code contains a list of default username/password combos for a number of devices of varying functionality, not just IP cams.

2
0
Silver badge

Re: Maybe..

"With the legal stick being that if the customer doesn't fix or disconnect the offending device in a reasonable period (say a couple of months) then they get cut off until they do."

Aaaaand.... how long until somebody goes running to their lawyer because the compromise that did the damage in the first place came from.... yup, you guessed it. The Internet. Provided by the same ISP now making "fix it or else" threats.

2
0
Anonymous Coward

The horse is already out of the barn and the barn's burned down

But you blokes want a law to "fix it"

Brilliant! Ain't no law gonna fix this problem. Massive bot armies are rampaging.

We'll need a technical solution that ignores their requests. We'll basically have to turn them into millions of dead devices.

And let the class action lawsuits on behalf of the consumers proceed at that point.

1
0
Silver badge

Re: Maybe..

I think the pretty useless FCC and CE certification standards should be expanded to include security standards and pen tests for connected devices. That will exclude the craprouter manufacturers from most of the world markets unless they improve their toys.

1
0

Re: Maybe..

"The default password cannot be changed"

Dear God.

It's almost like the manufacturers (or somebody...) wanted that device to be insecure and remotely compromisable.

OK, I'll take off my tinfoil hat now.

1
0

Re: Maybe..

" It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit."

In the UK, Local Authorities run Trading Standards departments. Also in the UK, central government (i.e., taxpayer) funding of Local Authorities dwindles year on year -- as does the number of staff employed as Trading Standards officers. Quite how this ever-diminishing number of consumer protection specialists is meant to visit every vendor of unsafe cheap Chinese tat, whether sold on a real-world market stall in hundreds of towns throughout the country, or the virtual auction house of eBay, is beyond me. Using Denial of Commonsense as an approach to the issue of Denial of Service ain't going to help at all.

1
0

Re: Maybe..

Knowingly, yes...

...but I'll wager that 99.9% of the compromised device owners even knew they were involved.

(I await the botnet running on (mandated) "smart" energy meters with interest...)

4
0

Re: Maybe..

The devious cracker break-in technique? "...logging into devices using their default, factory-set passwords". Something comes to mind along the lines of "you can lead a horse to water..."

0
0
Silver badge

Re: Maybe..

'Dunno where you live but hereabouts if you're running an unsafe car on the roads you can get a conviction however ordinary you are.'

There's a difference between running a car on the roads that you have knowingly allowed to become unsafe, as opposed to one that was manufactured unsafe but you bought on the not unreasonable assumption that the manufacturer knew their business.

There's always some dick-wit who tries to compare to cars, isn't there?

1
0
Silver badge

Re: Maybe..

"(I await the botnet running on (mandated) "smart" energy meters with interest...)"

Here in France there is a somewhat hated new smart meter called "Linky". It is not legal to refuse to accept it, and if you persist then EDF will back down and just bill €€€€s call out charge for each time the meter is read.

I don't know how it talks to the mothership, but it'll be interesting if they think it is going to talk to my wifi. I can use my crappy IP camera as a good reason to say "either I audit the source code of this thing or you find some other method of communication".

As an aside - a newspaper article quotes EDF as saying that the Linky does not catch fire. It's just incorrectly installed. Wait, remind me, exactly who installs meters? I also await with interest the first time this thing gets hit with lightning. We have overhead three phase to the house. It gets directly hit once every two or three years, and proximity hit several times a year. Our old meter predates me but takes this stuff in its stride. Is it optimistic or just silly to expect the Linky to be as reliable? What's worse - if there is a really bad storm, I can throw the breakers and turn everything off. Well, you can't take the meter out of circuit. Hmm.

0
0

Standards Bodies need notice

In North America, you can't sell your electronic wares unless you have either a Canadian Standards Association (CSA), United Laboratories (UL), and possibly Federal Communications Commission (FCC) certifications to make sure they meet certain quality, safety, and in the case of FCC, RF emission standards.

Perhaps it's time those bodies also include network safety standards being met? Companies need to be held to a high standard on these things, and they're clearly not.

At the minimum, when things like this happen, there needs to be an investigation, and laws in place where corporations who cheap out on proper locking down of their devices are held to account.

29
2
Silver badge

Re: Standards Bodies need notice

"Perhaps it's time those bodies also include network safety standards being met? Companies need to be held to a high standard on these things, and they're clearly not."

Agreed. This is something I've been saying for some time. Also it should be added to CE requirements in Europe.

The trouble is the existing deployed fleet. Those need to be fixed or taken off-line if they're not fixable.

15
2
Bronze badge

Re: Standards Bodies need notice

That's just silly. How would you test for a not-yet-known httpd or OpenSSL vulnerability?

You can hold anyone to any standard you want but you can't make a company that sold a million routers with an exploitable vulnerability and went out of business a year later fix anything.

9
1
Silver badge

Re: Standards Bodies need notice

That's just silly. How would you test for a not-yet-known httpd or OpenSSL vulnerability?

There is a precedent - you cannot sell a car unless you guarantee that you will accept it for recycling and unless you provide spare parts for X years. While the laws which combine to form these reqs are different in the EU and US the net effect is the same.

In any case, most of the insecure crap is resold with "brand labels" like Belkin, Dlink, etc and those are not going anywhere. In fact, let's hope that this incident contributes towards the reduction of "outsourcing your incompetence and putting a brand label on it".

13
0
Bronze badge

Re: Standards Bodies need notice

I just wonder if you notice the subtle difference between a $30K car and a $50 electronic device, and how differently both industries are regulated.

The only solution for this particular issue is a protocol that can stop traffic towards the victim at the originating ISP level. Not that hard to do really.

4
3
Silver badge

Re: Standards Bodies need notice

CE requirements would be useless, CE is crap, it's the manufacturer which self-certifies.

The manufacturer should pay for tests by an independent body before going to market. No pass or no testing means fines for the manufacturer if they bring it to market and fines for the retailer who stocks it.

Yes, this will drive up the overall price of goods, but, guess what, security costs.

(I did say a few days ago that a 'not certified' sticker would warn the customer not to buy the tat and choose some tat with 'certified' sticker instead, but in the light of recent events that obviously isn't going to work.)

6
1
Silver badge

Re: Standards Bodies need notice

Just enforcing a standard that all devices need a unique admin password of a certain length, structure and randomness ought to be a good start and not that hard for a device manufacturer to implement.

9
0
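As an added example (not from the commenter or any manufacturer's firmware) of what the per-device password standard in the post above could look like on the provisioning side: a CSPRNG-generated credential with a guaranteed length and character structure, an entropy figure for it, and a policy check that rejects the root/123456 default quoted earlier in the thread. The deny-list entries other than root/123456 are constructed placeholders.

```python
import math
import secrets
import string

# Default pairs: root/123456 is the one quoted in the thread; the rest are
# constructed placeholders standing in for a much longer real deny-list.
KNOWN_DEFAULTS = {("root", "123456"), ("admin", "admin"), ("admin", "password")}
MIN_LENGTH = 12
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALPHABET = LOWER + UPPER + DIGITS
_rng = secrets.SystemRandom()   # OS CSPRNG, also used for the shuffle below


def generate_admin_password(length=16):
    """Per-device password: one char from each class is guaranteed, the rest
    are drawn uniformly from the full alphabet, then the order is shuffled."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(LOWER), secrets.choice(UPPER), secrets.choice(DIGITS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string of this length over this alphabet
    (the guaranteed-class step above costs a negligible fraction of a bit)."""
    return length * math.log2(alphabet_size)


def meets_policy(username, password):
    """The standard: not a known default, long enough, mixed character classes."""
    if (username, password) in KNOWN_DEFAULTS:
        return False
    if len(password) < MIN_LENGTH:
        return False
    classes = (any(c in LOWER for c in password),
               any(c in UPPER for c in password),
               any(c in DIGITS for c in password))
    return all(classes)


def all_unique(passwords):
    """The 'unique per device' part: no two units may leave the factory alike."""
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    batch = [generate_admin_password() for _ in range(5)]
    print(batch, all_unique(batch), round(entropy_bits(16), 1))
```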
