Security Experts:

Over 500,000 IoT Devices Vulnerable to Mirai Botnet

Researchers have identified more than 500,000 vulnerable Internet of Things (IoT) devices that could easily be ensnared by Mirai or similar botnets.

Mirai and at least one other botnet were recently responsible for massive distributed denial-of-service (DDoS) attacks against the website of journalist Brian Krebs and hosting provider OVH. The attack on OVH was said to have exceeded 1Tbps.

Several security firms determined that these attacks were powered by a large number of compromised IoT devices, mainly cameras and DVRs, that had been protected by weak or default credentials.

The author of Mirai decided to release the source code of the malware, claiming that he had made enough money from his creation. The source code includes a list of 60 username and password combinations that the Mirai botnet has been using to hack IoT devices.

One of these credential sets is root/xc3511 and researchers from Flashpoint have determined that the devices associated with this username and password combination actually make up a significant portion of the Mirai botnet.

Experts reported that video surveillance products from Dahua Technology accounted for the highest percentage of compromised devices. However, Flashpoint traced many of the other hacked devices, which might not appear to be related at first sight, to a single vendor.

Many DVR, NVR and IP camera manufacturers get their hardware and software components from a China-based company called XiongMai Technologies. XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

An Internet scan conducted by Flashpoint using the Shodan search engine revealed that more than 500,000 devices are plagued by both vulnerabilities, making them an easy target for Mirai and other botnets.

The countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000), Turkey (40,000), Taiwan (29,000), China (22,000), South Korea (21,000), Thailand (16,000), India (15,000) and the United Kingdom (14,000).

Flashpoint noted that while the Mirai botnet has ensnared many Dahua devices, a significant number of the IPs used in the recent DDoS attacks were traced back to XiongMai-based products.

Lead researcher Zach Wikholm told SecurityWeek that while Dahua accounted for 65 percent of infections in the United States, XiongMai devices accounted for nearly 70 percent in countries such as Turkey and Vietnam, where a lot of the attack traffic originated.

Wikholm also pointed out that the root/xc3511 credentials are first in Mirai’s list, which indicates that cybercriminals are aware that these devices are very popular.

Related: 150,000 IoT Devices Abused for Massive DDoS Attacks on OVH

Related: Weak Credentials Fuel IoT Botnets

Related: The IoT Sky is Falling - How Being Connected Makes Us Insecure

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.