The Mirai Botnet Is Proof the Security Industry Is Broken

279 points, by phillmv, over 8 years ago

43 comments

Animats, over 8 years ago
As I said previously, someone needs to bring negligence suits against some IoT vendors, wholesalers, and retailers. Start with the retailers, like Amazon. They'll find the supply chain for you as they try to pass the buck. It worked with hoverboards.

There's a problem at the China end with crap low-end devices driving out the good ones. Here's a good example: solid state relays, useful little devices for safely switching AC power with a logic level signal. Look at this Fotek solid state relay on Amazon.[1] That's a counterfeit. Fake manufacturer name. Fake UL and CE marks. Here's UL's warning notice on counterfeit Fotek solid state relays, and how to recognize fakes.[2] There are lots of unhappy customers; the fake ones have been reported to overheat, melt, or stick in the ON condition. *Every Fotek relay on Amazon that I can find is fake.*

The fakes are real solid state relays with grossly exaggerated power ratings. For real ones, cost goes up with power. The fakes all cost about the same regardless of nameplate power rating. Here's an especially bad one: a "100 amp" version.[3] The real Fotek, in Taiwan, doesn't even make a 100 amp version in that form factor - the terminals aren't big enough for 100 amps.

The result is that nobody is selling legit solid state relays on Amazon. They exist; you can buy them through Digi-Key or Mouser. They cost about 2.5x the fake price. But Amazon has been totally conned. (The ones on eBay are fake, too.) Worse, if you're a legit solid state relay maker in China, you have a hard time selling. The counterfeits have pushed the price down too far.

Back to hoverboards. There are now UL-approved hoverboards. They don't catch fire. Heavy pressure on China suppliers worked. That needs to happen with insecure IoT devices.

[1] https://www.amazon.com/Frentaly-24V-380V-Solidstate-Arduino-Raspberry/dp/B017A1QUGO/
[2] http://www.ul.com/newsroom/publicnotices/ul-warns-of-solid-state-relay-with-counterfeit-ul-recognition-mark-release-13pn-52/
[3] https://www.amazon.com/Industrial-FOTEK-Protective-SSR-100DA-control/dp/B017W7N7F8
Analemma_, over 8 years ago
I wish more people would talk about the economics of why netsec is such a garbage industry. It's a few honest people screaming to be heard above the din of snake-oil salesmen, but there's an economic reason that goes beyond "dumb users, incompetent programmers and CTOs who just look at speeds and feeds". The problem is there's weak correlation, or at least very difficult-to-see correlation, between the amount of effort you put in on security and the results you get.

You could have no security and just get lucky and never get hacked. Or you could have great security and just get really unlucky and have a determined hacker. Or you could be spending uselessly and still getting lucky, although you (and your vendor!) attribute your good fortune to the product. This kind of information failure makes it really hard to have a functional and efficient market, even when everyone involved is honest.

I don't have a good solution for this, which is why I hope someone smarter than me brings it up.
herghost, over 8 years ago
It's not the failure of the security industry, it's the success of market forces over the security industry.

Normal folk want to consume new gadgets because that's the culture we have. So it's a race to put new gadgets with new features in front of people. Sure, as a customer I could insist on my manufacturer having taken security seriously and having their products thoroughly tested and reviewed and hardened and patchable and all that good stuff, but then I'm going to have to pay *more* money for my gadget than my buddy here who just wants to be able to flush his toilet from his smartphone.

There is literally no consequence for manufacturers of poor quality products where the impact isn't directly impacting their own consumers, and so there's no market force that is going to address this.

When viewed this way, it's a classic case of where we need government/legislature involvement.
djrogers, over 8 years ago
This is not a failure of the security industry - the security industry is targeted at the enterprise, largely not the host of the vulnerable IoT devices involved.

Don't get me wrong, there are tons of ways in which the security industry fails (the biggest IMHO is buying/selling things that only get implemented in a half-@$$ed manner or not at all), but this is like blaming the Airline industry for a train wreck.

Perhaps the real problem is that for home users there really is no security industry to speak of? A handful of features on WiFi APs that get turned off if they break your XBOX games, and maybe some desktop AV. That's pretty much it - and I'm not sure we can ever expect much more.
iregistered4, over 8 years ago
Completely incorrect claim. The IoT industry doesn't spend a penny on security, and therefore will be vulnerable to these types of attacks.

If anything this is proof that the security industry does work: these attacks are happening on devices where there is no security budget - not on servers with large investments in security.
achr2, over 8 years ago
My toaster has to be certified that it meets certain minimum safety standards. It really seems that IoT and safety critical software/firmware should be required to pass a similar (bare minimum) certification.
skoussa, over 8 years ago
I work in the infosec field and I think it is unfair to blame the whole industry. I think the whole technology field is to blame here (although I really don't like to play the blame game). By the way, I have been around the security industry for around 10 years, and the same exact conversation has been going on. 10 years ago it was the Web, then around 7 years ago it was Mobile, now it is IoT; several years from now, we are going to have the same conversation regarding a different technology unless we do something regarding the root causes.

The root causes are the following:
1- Security more often than not is an afterthought. When you are trying to go to market, under tight deadlines, burning the night oil, nobody has time, energy or money to think about security.
2- The lack of security education by most of the stakeholders (upper management, product managers, engineers, etc) does not help and keeps security a taboo. In most organizations, nobody has the title of making the software secure, so it falls into nobody's lap.
3- While I have all the respect for the profession of honest sales, some salesmen ruined it for all of us, feasting on the lack of education mentioned above, trying to sell tools/services as the silver bullet to the security problem, an idea that is very well received by someone who does not understand the problem and is really looking for a silver bullet.
4- At the end of the day, the real issue is that security is a cost center; there is no ROI for the business for doing security other than avoiding problems that "could" happen in the future.

That being said, there are three classes of clients I have seen doing security:
1- Heavy losses: for banks for example, the risk of losing money is quite real and tangible. Besides, they are (at least in the U.S.) under heavy regulations to do so. But their real motivation is risk mitigation.
2- Regulations (worst reason to do security): such as the PCI industry, they have to do security checks to avoid fines. This category usually tries to do the minimum to get by.
3- Proactiveness: hats off to this category, as they don't really have to do it other than that they think this is something that must be done.

Solutions:
1- More education
2- More education
3- More education
4- Implement more security controls natively into frameworks (output encoding, entity frameworks, etc) and browsers (such as CSP policy, etc)
5- More fines for companies that don't really take the minimum amount of steps to ensure data confidentiality and integrity.
chubot, over 8 years ago
Apparently the author of Mirai leaked the source code and even provided comments and build instructions. I found this a bit baffling.

He seems immature and vain, because his motive is apparently to taunt someone with how smart he is, but the code is indeed pretty awesome and educational. It's a little sad that commercial software is so ugly and that black hat software is elegant (though I guess it has to be, because it's under rather severe "environmental pressures").

https://github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.md

At first, I was also kinda shocked that it had this simplistic list of hard-coded user names and passwords (mentioned in the article). But I guess I've worked in the software industry long enough that it makes sense. Computers are so ubiquitous and on reflection it's not a surprise that you can pull down hundreds of thousands of machines with this technique!!!

Can anyone shed light on the economics of releasing source code? I would think this would make your botnet much less valuable. Apparently someone found a vulnerability in his HTTP parser, which I don't think would have happened without the source code.

So did the author shoot himself in the foot for reasons of pride, or is there something else going on?

https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.c#L124

    // Set up passwords
    add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10);  // root xc3511
    add_auth_entry("\x50\x4D\x4D\x56", "\x54\x4B\x58\x5A\x54", 9);       // root vizxv
    ...
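The two obfuscated entries quoted in the comment above decoded and used as a provisioning-time deny-list, as an added example that is neither chubot's nor the Mirai source's own code. It assumes the leaked source's 0xDEADBEEF table key, applied byte by byte, which collapses to a single XOR with 0x22; the check against the "root xc3511" comment in the quoted snippet confirms that assumption.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the leaked source XORs every string-table byte with the four
 * bytes of 0xDEADBEEF in turn, and 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22. */
#define MIRAI_TABLE_KEY 0x22u

/* The two obfuscated credential pairs quoted from scanner.c above. Lengths
 * are explicit because an obfuscated byte can legitimately be 0x00. */
struct obf_cred {
    const char *user; size_t user_len;
    const char *pass; size_t pass_len;
};

static const struct obf_cred KNOWN_OBF[] = {
    { "\x50\x4D\x4D\x56", 4, "\x5A\x41\x11\x17\x13\x13", 6 }, /* root / xc3511 */
    { "\x50\x4D\x4D\x56", 4, "\x54\x4B\x58\x5A\x54",     5 }, /* root / vizxv  */
};
#define KNOWN_OBF_COUNT (sizeof KNOWN_OBF / sizeof KNOWN_OBF[0])

/* Decode len obfuscated bytes into out (which must hold len + 1 bytes) and
 * return out as a NUL-terminated string. */
char *mirai_decode(const char *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)((unsigned char)in[i] ^ MIRAI_TABLE_KEY);
    out[len] = '\0';
    return out;
}

/* Provisioning-time check: return 1 when the user/password pair a device is
 * about to ship with already appears in the public botnet dictionary, else 0. */
int is_known_default(const char *user, const char *pass)
{
    char u[32], p[32];
    for (size_t i = 0; i < KNOWN_OBF_COUNT; i++) {
        if (KNOWN_OBF[i].user_len >= sizeof u || KNOWN_OBF[i].pass_len >= sizeof p)
            continue;  /* never overrun the decode buffers on a long entry */
        mirai_decode(KNOWN_OBF[i].user, KNOWN_OBF[i].user_len, u);
        mirai_decode(KNOWN_OBF[i].pass, KNOWN_OBF[i].pass_len, p);
        if (strcmp(u, user) == 0 && strcmp(p, pass) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    char u[32], p[32];
    for (size_t i = 0; i < KNOWN_OBF_COUNT; i++)
        printf("entry %zu: %s / %s\n", i,
               mirai_decode(KNOWN_OBF[i].user, KNOWN_OBF[i].user_len, u),
               mirai_decode(KNOWN_OBF[i].pass, KNOWN_OBF[i].pass_len, p));
    /* Constructed sample: a factory default versus a per-device credential. */
    printf("root / xc3511 in dictionary: %d\n", is_known_default("root", "xc3511"));
    printf("root / Q7v!p2-unit-0042 in dictionary: %d\n",
           is_known_default("root", "Q7v!p2-unit-0042"));
    return 0;
}
```

The real dictionary has dozens more entries; the point of the check is that any pair reachable from a public list disqualifies a device from shipping, regardless of how "obscure" the password looks.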
tptacek, over 8 years ago
The security industry has been "broken" for as long as there has been a security industry. When I left Network Associates in 1999 to start a chat company, leaving the security industry to do something non-security was already a cliche.

It's true, the 1U rackmount netsec industry does virtually nothing to prevent consumer electronics vendors from shipping terribly insecure code. I don't like the netsec industry either. But: so what?

The reality is, very few companies are buying 1U rackmount snake oil (or Nth generation antivirus products like endpoint protection tools) to stop things like Mirai. We're not even talking about the same budget. The "security industry" is not in fact chartered with stopping things like Mirai. So Mirai is a weird complaint to level at it.
fulafel, over 8 years ago
The "security industry" was never significantly involved in improving product security and software quality. They have roots in profiting from the deplorable state of PC security. Centralised firewalls, "intranets", and anti-virus products are not sustainable solutions to any of these problems - they're just so ingrained in the mindset of IT professionals that they self-perpetuate.
TACIXAT, over 8 years ago
I like how the author complains about cyberpocalypse conference talks then goes on to say the security industry is broken...

Hard coded creds and the allowance of default creds isn't the security industry, it's the manufacturer.
mrob, over 8 years ago
This could be fixed by legalizing purely destructive hacking of IoT devices. To gain immunity from prosecution the hacker would need to demonstrate that the device is completely bricked and no remote access is possible. IoT manufacturers would then be able to post bounties for destruction of competitor's products and the free market would solve the problem very quickly.

This will result in harm to third parties who did not act maliciously, but that's already happening now. With this change in law the total harm will probably be less because the problem will be solved for real, which will dramatically reduce or eliminate the possibility of "black swan" events causing very serious harm (eg. shutdown of critical infrastructure).
jknoepfler, over 8 years ago
I don't understand why the lack of security in embedded devices is an indictment of a 'security industry.' That's like 'drunk driving proves failure of the seatbelt industry.'
evilDagmar, over 8 years ago
The Mirai botnet doesn't have anything to do with the "security industry", largely because the vendors involved ignored each and every recommendation made by said industry since at least the 90's if not earlier.

The blame for this debacle falls squarely on the heads of the vendors who produced these trusting (if not downright gullible) devices in the first place.
zeveb, over 8 years ago
> The major botnet of 2016 is *simpler* than the botnet of 1988.

That, right there, is a damning indictment not only of our industry but also of our culture. We *know* how to secure systems. It's not magic. But — unlike for example physical hygiene — we haven't made the decision to make computer hygiene part of our culture. We look down on people who don't wash their hands, but we don't look down on people who use poor passwords. We teach children to cover their mouths when they cough, but we don't teach children not to plug a Windows machine into a network.
ryanlol, over 8 years ago
Yeah, no.

Mirai doesn't have shit to do with the security industry. The security industry are the people who you hire to secure your things; victims of Mirai did not take advantage of the services provided by the security industry.

More like, The Mirai Botnet Is Proof the Security Industry Is Going To Be Doing Fucking Great
mjevans, over 8 years ago
On the very sub topic of "we don't know how to write secure code"; yes, we actually do.

Of course we know how to write secure code, code that meets a rigorous and well engineered design that eliminates invalid outcomes as a result. The problem is such code is slow and expensive to produce.

Good, Fast, Cheap; pick (at most) two. Security cameras optimize for Cheap first and fast second, so of course we see issues like this.
delecti, over 8 years ago
"Seatbelts don't work!" says widow of man killed in car crash while not wearing a seatbelt.
zby, over 8 years ago
Maybe we need liability for software vendors? With exemption for those who provide full source code.
MR4D, over 8 years ago
How about a law that requires computerized devices to be shipped with unique passwords.

That would be a start.

Second, any computerized device must pass FTC/FCC/UL (pick one) tests for computer security before going on sale.

There's more that can be done, but let's go after the simple stuff first.
skywhopper, over 8 years ago
The success of Mirai is hardly the fault of the security industry. The security industry has been howling about lax default device security for decades, and how dumb it is to put your TV directly on the Internet, much less your refrigerator or your lightswitch. The electronics industry is the correct target.

The only way out of this mess is regulation of what types of devices can be sold and how they must be secured. The electronics industry and online retailers need to get together and figure this out and come up with a UL for IoT, or the government will step in and make them all a lot more unhappy.
_audakel, over 8 years ago
Great example of how to promote your company. Provide genuinely insightful and useful information that will help people even if they don't use your product. It's almost like good karma.
peterwwillis, over 8 years ago
It's actually proof that internet architecture in general is broken. Well, not broken; it was broken, and then healed in a weird way so there's extra cartilage sticking out causing annoyances and won't move as easily anymore.

The security industry has absolutely nothing to do with the existence of a botnet that can take down massive internet infrastructure. The security industry just puts bandaids on shitty products. It's the internet architects/designers that are responsible for botnets.

In order to make the internet very simple, very compatible, and decentralized and distributed, the design allows a baby monitor to send arbitrary traffic to any device on the global network. There is no good reason for this. The reason is, anything else would be complicated, and complicated things become expensive and troublesome. But that's not a good reason to allow baby monitors to take down internet services.

The solution would be to segregate critical equipment address and protocol by function, and to put in strict controls in all routers to prevent illegitimate traffic from reaching the wrong equipment. This would not only improve security, it would make allocation of address space and application ports make some kind of practical sense, and allow for improvements in the way applications communicate over the internet, to say nothing of improved management of traffic.

But nobody's going to change the design, so whatever.
raesene9, over 8 years ago
I don't see this as a failure of the "security industry" (I put that in quotes as it's very hard to say who is and is not part of that group).

The simple fact is that there are very limited economic incentives for a company in the IoT space to spend money on security, and as a result they don't.

It's not easy for an ordinary consumer to differentiate between a company who just says "security is our top priority" and one who puts meaningful effort behind that (e.g. there is a strong market for lemons here).

Also there's no effective regulation which could substitute for that information. In other markets (property, consumer goods, food and drink) we have safety regulations as it was recognised that consumers can't effectively differentiate. In IoT and other areas of IT this doesn't exist, so there's nothing to stop insecure devices being sold.

As to the "security industry", well, there have been enough practitioners warning about this, to limited effect. Realistically there's a limited amount that can be done without some form of top-down intervention.
rdiddly, over 8 years ago
Speaking of a voice in the wilderness, any way we can stop saying stuff "is broken?" It's glib, imprecise, far too easy to say, and is becoming cliché. It's provocative kind of like clickbait. And it's self-evident - everything exists on a continuum of "brokenness" a.k.a. entropy and is therefore at least partly "broken" at all times.
Silhouette, over 8 years ago
I suspect we've already lost at "Security Industry".

Obviously defence in depth and dedicated security tools have their place in a networked environment, but you can't just outsource the problem or fix it with some bolted on extra.

Some concerns simply have to be addressed as an integral part of whatever software or device is being made. If we don't do that, well, we've just seen the result.
moron4hire, over 8 years ago
Maybe someone with a public level of accountability--say the government--should start an adversarial inspection and certification program. Think about how we don't let cars on public roads unless they pass inspection, to verify that they aren't a ticking time-bomb in the middle of the highway--or no more so than usual.

Unlike vehicle registration, it wouldn't require you to have to do anything other than keep your system maintained. If you want to put your computer on the internet, be prepared to get port-scanned by the US Digital Service once a year/month/week/whatever, attempting to take your computer off the 'net. If it succeeds, then that's one machine that could have been--but now won't be--part of a botnet.

ChaosMonkey as a public works project.
cellis, over 8 years ago
I'm not a security guru, but I've thought of a couple solutions to the problem of botnets.

1) A consortium of manufacturers of IoT devices banding together and signing an "autopatch" or "autohack" agreement. This would be an open source, public hack-and-patch society that freezes out any manufacturers that don't agree to it. All customers would simply sign in their EULA that their devices are authorized to be "patched" by any means necessary if found to be insecure by the auto-hackers.

2) As botnets at the Mirai scale are now a matter of national security, make the NSA do its job and do roughly what is outlined in 1. Controversial, sure, but you can be damn sure that they already know about these unpatched devices and how to exploit them.
FussyZeus, over 8 years ago
But it IS dumb programmers (or more likely, dumb programmer management) causing this problem. Every IoT company has the same workflow: you take thing out of the box, hook up thing, use your smartphone to connect to thing with some app, and then it works. Everyone expects this experience and it's stupid because somewhere there is a hardcoded password.

This is made more asinine by the fact that we've had extremely easy to use methods of establishing trust between devices on a permanent basis, but because that would add three steps to the setup process the marketing people refuse to let it happen.

Nobody wants to spend the money to do it right, and nobody wants to spend the money on devices that do it right, so here we are and I see no way out of this situation.
finishingmove, over 8 years ago
What "security industry"? In how many companies nowadays is sitting and thinking things through an encouraged approach? It goes against the current economic values. The problem is not IoT vendors, the problem is money-driven economics.
SFJulie, over 8 years ago
Just remember how Feynman described opening military safes during the Los Alamos project (one of the most super highly sensitive projects of WWII): 25% of the safes had default combinations.

I guess we can draw a conclusion here: security assumptions about who the users are are not in sync with human nature.

Security is failing the same way as architects would fail making the assumption that stairs with one meter high steps are okay.

IT security is failing because their model of human beings is plain and flat wrong, hence, computer security as designed by our brightest minds is wrong.

Don't force-feed humans requirements of fucks given that they don't have.
youdontknowtho, over 8 years ago
The security industry? Try the software industry. We produce software and systems that are insecure. Until someone assigns a cost to failing to provide secure software and systems it will continue to happen.
ChefDenominator, over 8 years ago
I have observed that "proof" should be translated as "evidence", and I generally think such article titles lead to pointless look-at-me hyperbole. Authors who fail to understand the important difference between those words will likely have nothing critically interesting to add to most discussions.
rini17, over 8 years ago
If someone reputable was testing all these devices for such basic flaws and published the results, then IT managers could use that to back their buying decisions. That would actually cause vendors to listen. I don't think it is impossible to do, or even monetize such service.
CiPHPerCoder, over 8 years ago
I think it's erroneous to blame the security industry wholesale, tempting as it may be.

Let's set blame aside for now. What caused this botnet?

    - The tendency of IoT/smart-device vendors to eschew engineering discipline
    - The tendency of _all_ companies to eschew security as an optional extra rather than the cost of admittance to the marketplace
    - The historical tendency of big companies /not/ being burned to the ground after a massive hack makes security a lower priority to many businesses
    - The lack of a secure automatic update infrastructure (which also led to a recall), for which the vendor could have mitigated the vulnerabilities used
    - General ignorance about the risks associated with default/weak/hard-coded security credentials (e.g. passwords)

Now let's look at each line item and discuss possible solutions:

    + Regulation could help here. Require third party security assessments on IoT/smart devices to be sold? It's not the most elegant solution, but it would be a vast improvement over the current state of affairs.
    + This is a cultural problem that makes application security painful in every business vertical. It takes a lot of one-on-one communication to resolve. Seeing large companies lose their shirts over security negligence might change the conversation.
    + This is a huge problem for all software. (See link below.)
    + Education.

Regarding secure automatic updates: https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers

Now let's circle back to blame. What is the security industry responsible for? In my view:

    - Failure to communicate with other industries and professions, such as electrical engineering.
    - Failure to communicate with developers in general.
    - Failure to educate people outside the industry of our own conventional wisdom.
    - Failure to learn the challenges that others are trying to overcome so security can be on the same team rather than yet another obstacle.

Through the blog posts on my company's website and a concerted effort to clean up Stack Overflow, I've been trying to educate PHP developers about better security practices for the past couple of years. It pays forward in spades. The rest of the security industry could do a lot of good if they did the same for their own respective communities.

The only problem with doing that is: There's no effective and ethical way to monetize it. I make more money from helping e-commerce sites recover from being hacked by easily preventable mistakes than I ever have from making the software that powers 30% of the Internet more secure. https://paragonie.com/blog/2015/12/year-2015-in-review

Solving the core problems is good for society, but society doesn't reward this behavior.

The security industry is broken because society is broken.
digi_owl, over 8 years ago
The way I see it is that we are using general purpose computers to do the job of single purpose electronics.

But a GPC will always remain a GPC, and thus they are susceptible to being re-purposed no matter the number of "safeguards" we put in place to prevent it.
Pica_soO, over 8 years ago
The basic idea of the state distributing policing to public vendors, who should apply it as they see it fit, after the customer-trader relationship already ended is broken.
aaron695, over 8 years ago
Everyone seems to be making money to me?
wnevets, over 8 years ago
The free market has decided security of IoT doesn&#x27;t matter.
ngneer, over 8 years ago
LANGSEC
_pdp_, over 8 years ago
There is no cure for weak passwords.
WhiteHat1, over 8 years ago
So many devices are now connected to the Internet and potentially vulnerable. The basics definitely matter – changing default passwords, ensuring our internet is hosted on DDoS protection servers, etc. But who was going to warn the traffic engineer that their security camera is vulnerable or the new parents whose IP-connected baby monitor gets scanned by foreign hackers? We just want things to work and don't realize that we're at risk – even if our device is the target and not ourselves.

Have you checked out this Mirai vulnerability scanner? Something everyone should do – whether a random home user or a large enterprise (and how many have CISOs?). It scans your IP and can pinpoint vulnerable devices: https://www.incapsula.com/mirai-scanner.html
cloudjacker, over 8 years ago
> The major botnet of 2016 is simpler than the botnet of 1988. There's something wrong in how we do security, and at Appcanary, we think it's a complete lack of focus on the basics.

Or a complete focus on making money. Capitalism has refined itself over 30 years, and firms realize that security is expensive, making products is a lot cheaper than it used to be, and even if you invested in security, there could still be something unforeseen that compromises your system.

Nobody wants to be Sony or Microsoft and their litany of security woes.