These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

Always change your device’s default password.

Graham Cluley

These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

The release of the Mirai source code demonstrates just how easy it has become to hijack poorly-protected Internet of Things devices into botnets.

Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.

What can you on an individual basis do about this at home or in the office to make sure you’re not contributing to the problem?

Well, you can make sure that your IoT devices aren’t “protected” by dumb default usernames and passwords, such as the following which are hardcoded into Mirai’s source code:

UsernamePassword
666666666666
888888888888
admin(none)
admin1111
admin1111111
admin1234
admin12345
admin123456
admin54321
admin7ujMko0admin
adminadmin
adminadmin1234
adminmeinsm
adminpass
adminpassword
adminsmcadmin
admin1password
administrator1234
Administratoradmin
guest12345
guestguest
motherfucker
root(none)
root00000000
root1111
root1234
root12345
root123456
root54321
root666666
root7ujMko0admin
root7ujMko0vizxv
root888888
rootadmin
rootanko
rootdefault
rootdreambox
roothi3518
rootikwb
rootjuantech
rootjvbzd
rootklv123
rootklv1234
rootpass
rootpassword
rootrealtek
rootroot
rootsystem
rootuser
rootvizxv
rootxc3511
rootxmhdipc
rootzlxx.
rootZte521
serviceservice
supervisorsupervisor
supportsupport
techtech
ubntubnt
useruser

As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:

XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

Not changing a default username and password on an internet-enabled device is as good as having no password at all.

Be a responsible member of the community, change your passwords to something which is non-obvious, hard to crack, unique and not the password the device shipped with. And don’t buy technology from firms who don’t appear to have given a second’s thought to security.

Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.

But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

5 Replies to “These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet”

  1. Hi Graham, I accept that advising people to change the password on IoT devices is something we should do (and I do this after being in this I.T. business for 40 years). But in the case of 99% of these devices the Telnet / SSH passwords cant be changed due to being hard coded into the firmware. So even if the users change the password on the Web interface the device is still vulnerable. An additional problem is that these low cost devices and a fair percentage of the upcoming 2 biliion devices Gartner predict will be on the IoT by 2020 are likely to be connected to the IoT for a minimum of five years.

    As I see it there are only two possible solutions to the existing 500,000 devices out there that have this problem.

    1) Get users to stop using them and replace them (and how likely is that to happen ?)

    2) Get ISP's to shutdown a users connection if the user has one of these devices participating in a DDOS attack. And the ISP to not reconnect the users until the device is secured or removed. (And I can't see this solution being implemented either – can you ?)

    These devices are already out there and 99.999% of the users who have them on their LANs have no idea what the bad guys are doing with their IoT devices.

    Pandoras box is already open !!

  2. Thanks for posting. How would someone know if their devices are affected? What's the best way to check? Thanks

  3. 'Not changing a default username and password on an internet-enabled device is as good as having no password at all.'

    In some ways? Yes. In other ways? It's worse because many would think it 'secure'. After all, people use such stupid passwords by choice. No comment on those in particular.

    As for TELNET? Absolutely unacceptable. No option of disabling it? Also unacceptable. Making it harder but still possible is also unacceptable as is making it impossible or hard to change the passwords. Is the SSH service using proper configuration? Would be surprised but in any case the only solution in this problem is not having everything connected to the Internet. I don't see that happening so the next best thing is as usual awareness. But there is no fix here.

    I don't buy into the idea of accusing China (for example) of breaking into computer networks; I especially don't like it when there is little proof and worse is when the accuser is actually a perpetrator (esp looking at the USA but I know they aren't the only ones; they are however with what is arguably the loudest mouth). But I do find it ironic and amusing; it could be a conspiracy theory: the company works for the state and therefore deliberately has these vulnerabilities in so they can more easily exploit the devices in the world….

    But even if it was probable speculation and accusations aren't helpful but harmful.

  4. Default passwords are not necessarily an issue if they are both strong and random. I am working on an IOT device in which the only way to get the password is from the MQTT frame (why didn't they allow encryption from the start?) and every unit has a unique, long strong password. CPU has secure storage and the password isn't able to be changed or viewed (this is a sensor type device, no user access at all). My beef is the lack of thought in protocols, sure I could use TLS or SSL but this is an 8-bit controller with 16k of FLASH, no user access, one button startup. All it would have taken is some extra salt within the protocol to make it more secure so that passwords are never sent clear text and never sent the same.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.