It's UPnP [0]. It was always going to be UPnP. UPnP is the wrong set of trade-offs and always was. And even making it 'off by default' won't solve the problem because the standard instructions for getting any multiplayer game or IoT gizmo to work are 'turn on UPnP'.
Not that this in any way absolves the OEM for the utter idiocy of including the telnet port in their forwards at all and the absolute negligence of having it active by default and 'secured' by a single or small combination of well-known auth tuples.
But yeah, that's really what they did. Here's the section of Mirai's scanner.c that sets up the destination port. [1]
I've never seen any embedded UPnP implementation (I think the spec is "Internet Gateway Device") require any kind of authentication before forwarding ports. I wonder if that's even possible?
They really did just forward port 23. Tempting to call malfeasance but at best massive incompetence.
[0] https://www.us-cert.gov/ncas/alerts/TA16-288A
[1] https://github.com/jgamblin/Mirai-Source-Code/blob/master/mi...
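
The exposure discussed in this thread (a telnet forward sitting in an IGD mapping table) can be checked from the defender's side by auditing that table. The following is an added example, not part of the thread and not Mirai's code: it parses constructed SOAP responses in the shape of the IGD `GetGenericPortMappingEntry` action and flags enabled mappings that reach port 23. The helper names, addresses and ports are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def sample_response(ext, proto, int_port, client, enabled):
    """Build a constructed GetGenericPortMappingEntry response (not captured traffic)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse'
        ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient>'
        f'<NewEnabled>{enabled}</NewEnabled>'
        '<NewPortMappingDescription>constructed</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )

# Constructed mapping table; addresses and ports are illustrative assumptions.
SAMPLES = [
    sample_response(23, 'TCP', 23, '192.168.1.50', 1),      # telnet forwarded as-is
    sample_response(8023, 'TCP', 23, '192.168.1.51', 1),    # telnet behind another port
    sample_response(3074, 'UDP', 3074, '192.168.1.20', 1),  # game traffic
    sample_response(23, 'TCP', 23, '192.168.1.52', 0),      # present but disabled
]

def parse_mapping(soap_xml):
    """Return the New* arguments of one mapping response as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit('}', 1)[-1]  # strip any XML namespace
        if name.startswith('New'):
            fields[name[3:]] = (el.text or '').strip()
    for key in ('ExternalPort', 'InternalPort'):
        fields[key] = int(fields[key])
    fields['Enabled'] = fields['Enabled'] == '1'
    return fields

def exposed_mappings(responses, risky_ports=frozenset({23})):
    """List enabled mappings whose external or internal port is in risky_ports."""
    findings = []
    for m in map(parse_mapping, responses):
        if m['Enabled'] and {m['ExternalPort'], m['InternalPort']} & risky_ports:
            any_source = m['RemoteHost'] == ''  # empty RemoteHost = any WAN source
            findings.append((m['ExternalPort'], m['Protocol'],
                             m['InternalClient'], m['InternalPort'], any_source))
    return findings

if __name__ == '__main__':
    for finding in exposed_mappings(SAMPLES):
        print('exposed:', finding)
```

Checking the internal port as well as the external one catches a telnet service published behind a different WAN port, which a check on the external port alone would miss.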