Technology is hard. So companies try to make it as easy as possible. But sometimes their attempts to make it easy for consumers mean making it easy for hackers, ultimately resulting in consumers’ devices being used in unexpected ways. For example, they might be harnessed into a botnet such as the one used in the attack on internet infrastructure Friday that deprived us all for a short time of Netflix, Spotify, Twitter, and other beloved online time-wasters.
When I bought a new router last year, I saw firsthand how people wind up buying devices primed to be future botnet slaves. Last fall, my home internet was terrible so, after consulting Wirecutter, I got a new router from Netgear. It has, for the record, worked great, but while I was setting it up, I discovered something disturbing in the instructions:
The internet-facing device was programmed with “admin” as its username and “password” as its password, just like the thousands, or millions, of other routers that the company has sold to consumers. Not only is that an incredibly easy combo to guess, it’s included in the user manual posted online.
To make things worse, another part of the instructions suggested I not change that password from “password”: “Netgear recommends that you use the preset WiFi settings because you can check the product label if you forget them.”
Once again, the trade-off is convenience and ease of use at the cost of security. (I went against Netgear’s recommendation and changed the credentials.)
“It’s very common and very sad that we still have that in 2015,” Candid Wueest, principal threat researcher at Symantec, told me last year. “With routers, most people just hit next, next, next, and once they get WiFi they never touch the box again. It’s pretty common that you’re not forced to change the password.”
In case it’s not clear, you should DEFINITELY be prompted to change that password. Netgear did not respond to a press inquiry, but with botnets in the news, it added a help page to its website earlier this month on how to change the admin password on its routers.
One way that hackers enlist internet-connected devices—cameras, smart fridges, smart TVs, and yes, routers—into botnets is by knowing or guessing the credentials for those devices, accessing them remotely and then installing malware onto them so that the devices will do the bidding of a commander. And lots of companies make that easy by making those credentials some terrible default like “admin” and “password.”
That’s how the botnet that wreaked havoc on the internet on Friday worked. It’s been linked to malware called Mirai that, as security journalist Brian Krebs notes, was “spread to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords.” The Mirai malware targeted 68 different internet-connected cameras, printers and routers, and it found a bunch of vulnerable ones.
According to Dyn, the internet infrastructure company that was targeted on Friday, the DDoS attack rained upon it involved just 100,000 of those enslaved devices. (The attack was then magnified by legitimate users going to downed sites and trying to load them over and over again.)
“Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers,” said the company in a blog post. Some are speculating that amateur hackers just did it for the lulz, as opposed to trying to get paid off or because they hate how much time people spend binging on Netflix.
The upside of the attack is that we’re finally talking about the problems posed by botnets, which until now were treated kind of like a fruit fly invasion in your kitchen—annoying but not that big a deal. After the attack, one Chinese company whose webcams were used by the botnet announced a recall and the U.S. Department of Homeland Security said that it’s going to start taking seriously the threat posed by default usernames and passwords on IoT devices.
Not all hackers that go crawling the internet looking for devices with default credentials have terrible intentions. Last year, a white-hat vigilante hacker or group of hackers created software that found vulnerable routers and then prompted their owners to change their passwords. Technically, it was illegal. But damn, it was cool.
It was a “curious kind of malware… that not only cleans the device of other infections but even encourages users to update their passwords,” wrote Forbes’ Thomas Fox-Brewster at the time.
Too bad the companies that make these devices aren’t doing the same thing.