Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/31/2016
02:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Do Gooder Worm' Changes Default Passwords In Vulnerable IoT Devices

A security researcher has proposed an unusual approach for protecting Internet of Things devices against Mirai-like threats. It's not likely to see the light of day, either.

The challenge involved in securing millions of vulnerable home Internet of Things (IoT) devices like digital video recorders, routers, and IP cameras against threats like Mirai has prompted one security researcher to suggest a somewhat unusual approach to the problem.

Leo Linsky, a software engineer with network monitoring firm PacketSled, has released code on GitHub for a worm he developed that is capable of infiltrating IoT products protected only with default credentials and changing those weak passwords.

He describes this anti-worm worm as a nematode that is purely an academic research project and only intended to show proof-of-concept. "The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random," he wrote.

"Such a tool could theoretically could be used to reduce the attack surface," he said, cautioning that the code be tested only in closed research environments.

The likelihood that Linksy’s code will actually be used to secure IoT systems protected only with default credentials is remote to non-existent.

"This is the cybersecurity equivalent of vigilante justice," says Jonathan Sander, vice president of product strategy at Lieberman Software. "People love a vigilante while what they are doing works. The moment a vigilante does something wrong, however, the public tends to turn against them."

He points to the issues that are sure to arise if the worm starts messing up and locking people out of their devices, or if a bad actor uses it to take over devices. "This person's heart is in the right place. But that won't save them if their actions go to a very bad place," Sander says.

There are some practical issues as well that such behavior entails, says Scott Tenaglia, a security researcher for Invincea Labs, who recently exposed flaws in the Mirai malware that theoretically could be used by DDoS mitigation services to thwart the botnet.

"My immediate question is, how does the owner of the device know the new login credentials that the worm has set?" he says. "Locking the user out of a service on their own device without their knowledge for the sake of security sounds like a great example of why end users don't like security people."

And anyone using the code to remediate devices will likely be operating well outside the law, Tenaglia cautions.

"Vulnerability scanners – bots that look for security issues like weak credentials – would be a boon to home users and small businesses that lack the technical skills to actively manage their own security," says Ofer Gayer, product manager at Imperva. Even so, they could violate laws and compromise personal privacy, he says.

The better approach is for users to take a more proactive role in securing their IoT devices: "Though a drudgery, the consequences of inaction should be enough to compel someone to spend a few hours on the task," Gayer says.

Linsky’s code is not the first time that someone has proposed a "do-gooder" worm capable of proactively fixing vulnerable IoT devices so they cannot be exploited by malware like Mirai.

Last year, Symantec blogged about a worm it dubbed Linux.Wifatch that compromised tens of thousands of home routers and other Internet-connected consumer products and applied patches on any security vulnerabilities that it discovered in them.

The worm was also designed to shut down telnet on devices it infected so other malware could not take advantage of the service to break into the system.

Linux.Wifatch included one module that appeared designed specifically to protect Dahua brand DVRs and CCTV systems by getting them to reboot once every week to flush out malware that might be running on them.

It even left messages on infiltrated systems informing the owners about shutting down telnet and urging them to implement strong passwords to prevent further compromise.

Such efforts appear to be the result of growing concerns over vulnerable IoT devices and the huge challenge involved in protecting them against malicious takeover and misuse.

A wave of distributed denial-of-service (DDoS) attacks on Domain Name Service provider Dyn that disrupted services at multiple major web properties including Twitter, Reddit, CNN, and others earlier this month hammered home just how effectively threat actors can use vulnerable IoT devices to cause widespread havoc.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

In fact, the attacks on Dyn were the third in the last few weeks involving the use of Mirai—an IoT botnet compromised of tens of thousands of devices protected only with default usernames and passwords. That same botnet had been used to launch DDoS attacks that were magnitudes greater in size that anything seen before, against the KrebsOnSecurity website and on OVH, a French ISP.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lorraine89
0%
100%
lorraine89,
User Rank: Ninja
11/1/2016 | 8:59:43 AM
Cyber security
Well enough, as if the world of cyber security had not recovered from the Heartbleed or most recent Ransomware, here comes again the Do gooder password hacker. Where the cyber world's security is heading right now with these dangers. It has become important to secure your connection from the dangers of online hacks and other such malicious incidents so it is better to secure your IP connections with the best vpn servers, like PureVPN or Ivacy servers, Th vpn server that offers encrypted online connections are always the safest and most reliable. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...