ZDNet recently reported that security researchers at Vulnerability-Lab uncovered a pair of serious vulnerabilities in Telestar Digital GmbH Internet of Things (IoT) radio devices, which are popular models of DAB and internet radio. The devices are based on the lightweight BusyBox Debian Linux toolset, which researchers found to have three security flaws that could allow attackers to easily hijack them:
- Undocumented Telnet service on Port 23;
- Lax password security;
- Two open ports (80 and 8080).
The Need for Better Security Architecture
This potential new source of DDoS attacks highlights how important it is for manufacturers to build better security architectures into their IoT devices. There are over one million Telestar Internet-connected radio devices that could be vulnerable to hijacking and infection with malware that enslaves them into a botnet that can launch damaging distributed denial of service (DDoS) attacks. In this era of increasingly frequent and sophisticated DDoS attacks, it is imperative that manufacturers self-regulate to close security loopholes. The good news is that this can often be achieved by simply applying basic security principals that have been best practice for many years. Unfortunately, many manufacturers are driven primarily by time to market, leading them to choose the easy path, rather than the right path. Hence, many IoT devices are poorly architected from a security perspective, making them easy to take remote control of, for nefarious purposes.
In this case, Telestar had to react after the fact. According to ZDNet, “The telnetd service is being changed and the lax password use has been revised. Automatic updates via Wi-Fi are now available and can be implemented by setting impacted devices back to factory settings and accepting downloads of the latest firmware version.” Now the onus to implement those recommendations falls upon the end users, which some—but certainly not all—will do.
The Third Anniversary of the Mirai Botnet
Telestar Digital GmbH was not, at the time of writing, aware of any examples of the vulnerabilities being exploited in the wild, but security researchers fear they could enable a Mirai-style botnet to create even larger DDoS attacks than previously seen. The Mirai botnet first came upon the scene exactly three years ago, on September 21, 2016, when it was used to launch historically large DDoS attacks that grabbed the headlines. The malware scans the Internet for IoT devices that are poorly protected with factory default or hard-coded usernames and passwords. It was first used, publicly, to crash the website of noted security researcher Brian Krebs, with an attack that registered 640 gigabits per second in size; then, just one month later it was used to bring down DYN, a domain name service (DNS) provider, with an attack of 1.2 terabits per second. In the three years since the Mirai source code was unleashed into the Dark Web, it has been modified to enslave more and more types of vulnerable IoT devices, to wreak havoc with DDoS attacks.
How You Can Help Stop DDoS Attacks
Organizations should lock down their IoT assets by selecting IoT products from reputable vendors, who are committed to delivering secure products, and by performing regular firmware upgrades and auditing IoT systems to ensure they are not compromised. More importantly, to protect your networks from botnets sourced from the IoT devices of others, who have been less diligent, it's essential to have real-time DDoS protection, that stops DDoS attacks before they have a chance to cause you any damage.
For over a decade, Corero has been a leader in real-time, high-performance, automated DDoS defense solutions for enterprise, hosting and service provider customers around the world. Our award-winning SmartWall DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments, with comprehensive visibility, analytics and reporting. If you’d like to learn more, please contact us.