Android OS Set Top Boxes Target of Botnet

A new botnet known as “Ares” is targeting misconfigured set-top boxes that run the lightweight Android OS. Two older botnets, Fbot and Trinity, are also targeting this misconfiguration. The specific weakness is the Android Debug Bridge (ADB), a module that should not be available at all on a shipped device. Software developers use the debug bridge while writing code to check for flaws, and it should then be disabled before the finished code is sent to manufacturing. In many cases this is not happening.

ADB can be used to install new software or malware and to control the device by opening a remote command shell on port 5555. Even password-protected ADB instances can fall to an Ares feature that provides brute-force password cracking capability.

Right now, it seems that only models from three set-top box makers (HiSilicon, Cubetek, and QezyMedia) are affected, but others may be vulnerable.

Your best option is to check your set-top box manufacturer’s website to see if there are software or firmware updates for your device, and if so, apply them now. Blocking port 5555 on your firewall, or in the built-in port filtering options of your cable or DSL modem, should prevent an attacker from connecting to an affected device.
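One way to confirm whether devices on your own network answer on the ADB port, as an added example that is not part of the original post. The function names and the sample addresses are hypothetical, and the script only accepts private IPv4 addresses because it is meant for auditing your own LAN.

```python
import ipaddress
import socket

ADB_PORT = 5555  # TCP port the article names for the remote ADB shell


def check_port(host, port=ADB_PORT, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"       # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"     # host answered with a reset: nothing is listening
    except OSError:
        return "filtered"   # timeout or unreachable: firewalled or host is down
    finally:
        sock.close()


def audit(hosts, port=ADB_PORT, timeout=2.0):
    """Check each listed device, skipping anything that is not on a private network."""
    results = {}
    for host in hosts:
        try:
            addr = ipaddress.IPv4Address(host)
        except ValueError:
            results[host] = "skipped: not an IPv4 address"
            continue
        if not (addr.is_private or addr.is_loopback):
            results[host] = "skipped: not a private address"
            continue
        results[host] = check_port(host, port, timeout)
    return results


if __name__ == "__main__":
    # Constructed sample addresses; replace with the devices on your own network.
    for host, state in audit(["192.168.1.50", "192.168.1.51"]).items():
        note = "  <- update firmware or block 5555" if state == "open" else ""
        print(f"{host}:{ADB_PORT} {state}{note}")
```

A result of "open" means the device accepts connections on port 5555 from inside the network; "filtered" after adding a firewall rule indicates the block is taking effect from the vantage point where the script runs.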

This is yet another instance where security is lacking on Internet of Things (IoT) devices. The usual culprit is speed-to-market, where a company rushes the introduction of a new product without taking the additional time to check for security vulnerabilities. This leaves fixing the problem to the end user, who may not be experienced or qualified to upgrade their device.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
