Nothing is secure!: IoT botnet, Owari, exposed using default credentials
https://www.securityweek.com/oops-botnet-operators-use-default-credentials-command-and-control-server
https://www.theregister.co.uk/2018/06/06/pwn_goal_botnet/
https://blog.newskysecurity.com/hacker-fail-iot-botnet-command-and-control-server-accessible-via-default-credentials-2ea7cab36f72?gi=6a93a602709a
A bit of a funny finding. The one thing that the botnet has that keeps it from being captured is its constantly changing IPs. Though it's not surprising they're utilizing IoT devices. Still a humorous read.
How hard is it to just change the default password and username at the factory for these units? Hell, just do a private key system. Keep a private key at the factory and XOR it with the unit's serial number to get the password. Even something as basic as what I described is smarter than basic default password shit.
That would be extra work. Just let the users change it if they feel like it; we don't want to force people to change the default login on first setup. Seriously though, it would be as simple as forcing people to set a custom password before you can use your device.
But if we start forcing people into good password habits then we won't get these amazing stories.
I've got some experience with this so far, and a primary problem with IoT is that a solid chunk of IoT products have very little user interaction. For example, most Bluetooth IoT devices use the Just Works pairing paradigm, which requires no typing in a PIN, no out-of-band sharing of the private key, nothing. Simply because there's no physical or software mechanism in place to input a PIN or some other safeguard that mitigates MITM attacks or brute-forcing. Hell, a simple way for this (on Just Works style devices) is to again not have the same default password for each device; change it at the factory to be a random subset of the serial number or something else. A moving target is a solid way to mitigate this at the bare minimum.
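The two posts above both propose deriving a unique per-device password from the serial number at the factory. Here is an added example (not code from this thread or from any vendor) comparing the XOR-with-a-factory-key idea against a keyed-hash derivation; the factory key and serial numbers are constructed placeholders.

```python
import hmac
import hashlib


def derive_password_xor(factory_key: bytes, serial: bytes) -> bytes:
    """The XOR scheme proposed in the thread: password = factory_key XOR serial."""
    return bytes(k ^ s for k, s in zip(factory_key, serial))


def recover_key_from_xor(serial: bytes, password: bytes) -> bytes:
    """XOR is its own inverse, so a single (serial, password) pair read off
    one unit gives back the factory key for every unit in the batch."""
    return bytes(p ^ s for p, s in zip(password, serial))


def derive_password_hmac(factory_key: bytes, serial: bytes, length: int = 16) -> str:
    """Per-device password as a truncated HMAC-SHA256 of the serial under the
    factory key. Knowing one password and serial does not reveal the key, and
    the serial printed on the label cannot be turned into the password without it."""
    tag = hmac.new(factory_key, serial, hashlib.sha256).hexdigest()
    return tag[:length]


def verify_password(factory_key: bytes, serial: bytes, candidate: str) -> bool:
    """Constant-time check a device (or its provisioning server) would run."""
    return hmac.compare_digest(derive_password_hmac(factory_key, serial), candidate)


def passwords_are_unique(factory_key: bytes, serials: list[bytes]) -> bool:
    """Every unit in the batch must end up with a different credential."""
    return len({derive_password_hmac(factory_key, s) for s in serials}) == len(serials)


if __name__ == "__main__":
    key = b"factory-secret-k"          # constructed 16-byte factory secret
    serials = [b"SN0001234567ABCD", b"SN0001234567ABCE"]  # constructed serials
    pw = derive_password_xor(key, serials[0])
    print("XOR scheme leaks key:", recover_key_from_xor(serials[0], pw) == key)
    print("HMAC passwords:", [derive_password_hmac(key, s) for s in serials])
```

The XOR variant satisfies "not the same password on every device" but collapses to a single shared secret the moment one unit's credential is known, which is why a keyed hash (or a truly random per-unit password recorded at manufacture) is the better way to implement the posts' suggestion.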
Tbh, this is a great time to be a computer criminal, probably.
Pre-2000s: The Golden Age of Cyber Insecurity
2000 to 2010: Dark Ages of Relative Security
2010 onwards: Glorious Renaissance of the Internet Of shiT