by bitmage 3523 days ago
Has anyone seen an explanation of how the telnet port on these devices is getting exposed to the internet to be exploited? I would think that most home users are behind a NAT device. Even with UPnP, why would the manufacturer have that port set to be forwarded?
5 comments

It's UPnP [0]. It was always going to be UPnP. UPnP is the wrong set of trade offs and always was. And even making it 'off by default' won't solve the problem because the standard instructions for getting any multiplayer game or IoT gizmo to work are 'turn on UPnP'.

Not that this in any way absolves the OEM for the utter idiocy of including the telnet port in their forwards at all and the absolute negligence of having it active by default and 'secured' by a single or small combination of well known auth tuples.

But yeah, that's really what they did. Here's the section of Mirai's scanner.c that sets up the destination port. [1]

    // Set up TCP header
    tcph->dest = htons(23);
    tcph->source = source_port;
    tcph->doff = 5;
    tcph->window = rand_next() & 0xffff;
    tcph->syn = TRUE;

They really did just forward port 23. Tempting to call malfeasance but at best massive incompetence.

[0] https://www.us-cert.gov/ncas/alerts/TA16-288A

[1] https://github.com/jgamblin/Mirai-Source-Code/blob/master/mi...

I've never seen any embedded UPnP implementation (I think the spec is "Internet Gateway Device") require any kind of authentication before forwarding ports. I wonder if that's even possible?
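The two comments above describe the mechanism: an IGD router hands out port mappings on request, without authentication, so the only way to know what your gateway is actually exposing is to ask it. The following script is an added example, not code from the thread or from any router vendor. It builds the standard WANIPConnection:1 `GetGenericPortMappingEntry` SOAP request, parses the reply, and flags mappings that land on a management port such as telnet. The control URL, the risky-port list and the sample responses are assumptions constructed for the example; a real control URL comes from the gateway's SSDP/device-description XML.

```python
"""Audit a UPnP IGD gateway's port-mapping table for exposed management ports.

Added example, not from the Hacker News thread. Assumes the gateway implements
urn:schemas-upnp-org:service:WANIPConnection:1; the control URL, the list of
"risky" ports and the sample SOAP responses below are constructed for illustration.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

# Assumption: ports that should never be reachable from the Internet on a home device.
RISKY_PORTS = {23: "telnet", 2323: "telnet-alt", 22: "ssh", 80: "http-admin", 7547: "TR-069"}


def build_request(index):
    """SOAP envelope asking the gateway for the mapping at position `index`."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    )


def parse_response(xml_text):
    """Pull the New* fields out of a GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]          # strip any XML namespace
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return {
        "external_port": int(fields["NewExternalPort"]),
        "internal_port": int(fields["NewInternalPort"]),
        "protocol": fields["NewProtocol"],
        "client": fields["NewInternalClient"],
        "enabled": fields.get("NewEnabled") == "1",
        "description": fields.get("NewPortMappingDescription", ""),
    }


def fetch_mapping(control_url, index, timeout=3):
    """Ask a live gateway for one table entry; None once the index runs past the end
    (gateways answer an out-of-range index with a SOAP fault carried on HTTP 500)."""
    req = urllib.request.Request(control_url, data=build_request(index).encode(), method="POST")
    req.add_header("Content-Type", 'text/xml; charset="utf-8"')
    req.add_header("SOAPAction", f'"{SERVICE}#{ACTION}"')
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_response(resp.read().decode())
    except urllib.error.HTTPError:
        return None


def walk_mappings(control_url, limit=256):
    """Enumerate the whole mapping table, index by index."""
    mappings = []
    for i in range(limit):
        m = fetch_mapping(control_url, i)
        if m is None:
            break
        mappings.append(m)
    return mappings


def audit(mappings):
    """One human-readable finding per enabled mapping that reaches a risky internal port."""
    findings = []
    for m in mappings:
        if m["enabled"] and m["internal_port"] in RISKY_PORTS:
            findings.append(
                f"{m['protocol']} external {m['external_port']} -> {m['client']}:{m['internal_port']} "
                f"({RISKY_PORTS[m['internal_port']]}) '{m['description']}'"
            )
    return findings


# Constructed sample responses (invented address and description), one exposing telnet
# and one a harmless game port, so the audit can be exercised offline.
def _sample(ext, proto, internal, client, desc):
    return (
        f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
        f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{internal}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>"
        f"<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>"
    )

SAMPLE_TELNET = _sample(23, "TCP", 23, "192.168.1.20", "DVR remote mgmt")
SAMPLE_GAME = _sample(3074, "UDP", 3074, "192.168.1.30", "console")

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. http://192.168.1.1:49000/upnp/control/WANIPConn1
        table = walk_mappings(sys.argv[1])
    else:
        table = [parse_response(SAMPLE_TELNET), parse_response(SAMPLE_GAME)]
    for line in audit(table) or ["no risky mappings found"]:
        print(line)
```

Run it with the gateway's control URL as the only argument to audit the live table; with no argument it audits the two constructed samples and reports the telnet forward.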
> why would the manufacturer have that port set to be forwarded?

Because remote management, and the default state is to have everything opened up to facilitate pain-free setup and config.

To lower support costs. It's a lot easier to use UPnP than explain to consumers why their app or web browser won't connect to their home device because of how NAT and firewalling works. Or to implement hosted servers, which also cost money, to be the go-between.
There are lots of ways to get inside a network besides going through open nat ports. If there's a web interface, you could pop that, or go through an infected pc, etc. Once you're in the network, you can hit all the ports you want inside it.
But that's not how it's happening. These IoT devices are being granted IP addresses, somehow. Mirai is scanning the web and blindly trying telnet, and if it works, it tries these password combos. It doesn't do anything even remotely sophisticated to navigate a network.
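The comment above pins down what the scanning looks like from the outside: inbound TCP SYNs to port 23 from unrelated Internet addresses, nothing cleverer. That is also what a home gateway's firewall log shows when a device is exposed. The script below is an added example, not from the thread, that parses netfilter-style `key=value` log lines and reports which internal hosts are being probed on telnet ports and by how many distinct external sources. The interface name, the LAN ranges and the sample log lines (RFC 5737 documentation addresses) are constructed assumptions.

```python
"""Spot inbound telnet probing in a home gateway's firewall log.

Added example, not from the Hacker News thread. Assumes netfilter-style
"KEY=value" log lines with an Internet-facing interface named eth0; the
sample lines are constructed with RFC 5737 documentation addresses.
"""
import ipaddress
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}          # the ports Mirai's scanner probes
WAN_IFACE = "eth0"                  # assumption: name of the Internet-facing interface
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one firewall log line into a dict of its KEY=value fields."""
    return dict(KV.findall(line))


def inbound_telnet_probes(lines):
    """Return (src, dst, dport) for TCP SYNs arriving on the WAN side for a telnet port,
    ignoring anything that originates inside the LAN."""
    probes = []
    for line in lines:
        f = parse_line(line)
        if f.get("IN") != WAN_IFACE or f.get("PROTO") != "TCP" or " SYN" not in line:
            continue
        try:
            dport = int(f.get("DPT", "0"))
            src = ipaddress.ip_address(f["SRC"])
        except (KeyError, ValueError):
            continue                         # malformed line: skip rather than crash
        if dport in TELNET_PORTS and not any(src in net for net in LAN_NETS):
            probes.append((str(src), f.get("DST", "?"), dport))
    return probes


def summarize(probes):
    """Map each probed internal host to the sorted list of distinct external sources."""
    by_target = defaultdict(set)
    for src, dst, _ in probes:
        by_target[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_target.items()}


# Constructed sample log: two external scanners hitting telnet, one HTTPS connection,
# one LAN-internal telnet SYN (not a scan) and one non-SYN packet.
SAMPLE_LOG = [
    "Oct 21 10:01:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=41222 DPT=23 SYN URGP=0",
    "Oct 21 10:01:03 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.21 PROTO=TCP SPT=41223 DPT=2323 SYN URGP=0",
    "Oct 21 10:01:05 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=50001 DPT=443 SYN URGP=0",
    "Oct 21 10:01:09 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.44 DST=192.168.1.20 PROTO=TCP SPT=33001 DPT=23 SYN URGP=0",
    "Oct 21 10:01:10 gw kernel: [FW-IN] IN=br0 OUT= SRC=192.168.1.5 DST=192.168.1.20 PROTO=TCP SPT=33002 DPT=23 SYN URGP=0",
    "Oct 21 10:01:11 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=41222 DPT=23 ACK URGP=0",
]

if __name__ == "__main__":
    for dst, srcs in summarize(inbound_telnet_probes(SAMPLE_LOG)).items():
        print(f"{dst}: telnet probed by {len(srcs)} external source(s): {', '.join(srcs)}")
```

Point it at a real log (`sys.stdin` or a file instead of `SAMPLE_LOG`) and any internal host that shows up is one whose telnet port is reachable enough to be worth a look at the gateway's forwarding table.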
Agree, seems bizarre but sounds like sloppy device config.

https://news.ycombinator.com/item?id=12765265

Is there a relatively easy way to see what devices in your house are visible to the Internet?
To answer my own question, and to fish for better answers, http://iotscanner.bullguard.com/#/ gives an answer. Not sure how definitive though.