DVR unpatched two years after first hack, easily infected with Mirai malware

Cybersecurity awareness month kicks off underlining a valuable lesson about IoT security – it”s critical to build trust in the internet of things, which is definitely not where it should be. The recent attack on KrebsOnSecurity is an example of how easy to breach IoT devices are and how they can be turned into weapons for large-scale hacks.

Debates over IoT security show the need for improvement in key areas, like who has access to what, but also for post-attack security standards because companies underestimate the consequences a breach may have on their infrastructure in the long run.

Following the biggest DDoS attack known to date, Johannes B. Ullrich, a researcher for SANS, connected a DVR to the internet to find out how easy it is to hack. He had already proven how in the past DVRs were easily taken over through “an open telnet server with a trivial default password.” Although manufacturers were advised to release a patch, not all reviewed their devices, resulting in “more than 100,000-devices-strong Botnets launching attacks exceeding 1TBps.”

When he connected the same DVR from the previous test, it was instantly attacked and taken over by Mirai, the malware strain in the KrebsOnSecurity attack. Many connection attempts failed because the passwords were not a match, but some were successful a few times an hour.

“The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding,” explained Ullrich. “I had to reboot it every few minutes.”

Other users were unaffected by the experiment and there were no pursuits for password resets on the device. Now that the source code for Mirai malware has been revealed, we expect to see large-scale DDoS attacks launched by script kiddies.

Be it sophisticated malware schemes or a leak of account information for various providers, data breaches prejudice private users, businesses and government infrastructures alike. Before declaring everlasting love for IoT devices, understand the risks and thoroughly investigate what you are buying. When you do buy, immediately change the default password to a strong one and regularly update the software on the device and router to keep a safe infrastructure.