Late last year, we took a look at how the Internet of Things (IoT) is under attack. We analyzed hundreds of individual IoT devices to see how often they were probed for vulnerabilities, with the intention of being employed for IoT botnet attacks, as seen with the Mirai attacks against journalist Brian Krebs and Dyn last year.
Key takeaways from our first round of research showed that, on average, an infected device launched an attack within six minutes of being exposed to the internet, and over the course of a day, IoT devices were probed for vulnerabilities 800 times per hour. With 6.4 billion devices coming online, the emerging IoT market presents ever-growing opportunities to arm potential attackers with a lot of firepower. In this post, we’ll examine how manufacturers of IoT devices have responded to these threats.
We did more robust vulnerability research on IoT devices that have been found vulnerable in the past (smart cameras, baby monitors, and light bulbs) and concluded that while malicious probes are constant, manufacturers have taken action to update their firmware and address security holes. One example is the Chinese device manufacturer that recalled a good chunk of its product line over insecure configurations. Some feel that this is insufficient, however. For instance, Bruce Schneier has recently been calling for government policy to regulate IoT device security.
In our honeypot, all login attempts came through telnet, which is what Mirai uses to hack devices — it isn’t built to hack HTTP, UDP, etc., although later variants began to take advantage of vendor-specific bugs once those were widespread, such as the TR-069 exploits that were merged into some of these botnets, abusing a Broadband Forum management protocol to gain entry to the devices.
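The honeypot metrics quoted in this post (time to first login attempt, probes per hour, which credentials get tried) can be reproduced from a telnet honeypot's own logs. The script below is an added illustration, not code from our honeypot; the log format, the TEST-NET source addresses and the credential pairs are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the honeypot came online at 12:00:00Z; each later line is one
# telnet login attempt it recorded. Addresses are from the TEST-NET documentation ranges.
EXPOSED_AT = datetime(2017, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = """\
2017-01-10T12:04:17Z src=203.0.113.7 proto=telnet user=root pass=root result=fail
2017-01-10T12:04:19Z src=203.0.113.7 proto=telnet user=admin pass=admin result=fail
2017-01-10T12:31:02Z src=198.51.100.23 proto=telnet user=root pass=root result=fail
2017-01-10T13:12:44Z src=198.51.100.23 proto=telnet user=admin pass=1234 result=fail
(sensor restarted, partial line)
2017-01-10T13:50:09Z src=192.0.2.99 proto=telnet user=support pass=support result=fail
2017-01-10T15:00:00Z src=203.0.113.7 proto=telnet user=root pass=root result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Parse one honeypot line into a dict; malformed lines yield None and are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def summarize(log_text, exposed_at):
    """Seconds until the first telnet attempt, attempts per hour of exposure,
    distinct sources, and the most-tried credential pairs."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r and r["proto"] == "telnet"]
    if not records:
        return {"attempts": 0}
    records.sort(key=lambda r: r["ts"])
    exposure_hours = (records[-1]["ts"] - exposed_at).total_seconds() / 3600
    creds = Counter((r["user"], r["pw"]) for r in records)
    return {
        "attempts": len(records),
        "seconds_to_first_attempt": int((records[0]["ts"] - exposed_at).total_seconds()),
        "attempts_per_hour": round(len(records) / exposure_hours, 2),
        "distinct_sources": len({r["src"] for r in records}),
        "top_credentials": creds.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, EXPOSED_AT))
```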
Here’s some of what we found:
IoT devices expose a lot, reflecting their engineers’ focus on quickly getting to market and enabling people to get online easily, rather than building with security best practices in mind — undoing a significant amount of security work from the past 15 years. That work included convincing platform vendors such as Microsoft, Apple, RedHat, and others to take security seriously and to make secure defaults a reality. Examples include Windows XP SP2’s default-on local firewall and exploit mitigation technologies, RedHat’s configuration changes to mail and web servers in default installations, and Apple’s inclusion of address randomization to defeat various attacks. Those efforts took years of work by a whole cast of characters, but the lesson clearly needs a new audience in IoT vendors, some of whom are coming to internet-enabled devices and security risks for the first time.
The large size of the Mirai botnet makes it an internet-scale issue — the fact that these botnets can scan the entire web in under six minutes makes it a concern for the entire internet community, as noted above. They also enable widespread secondary attacks, for example by providing stepping stones and overlay networks for more sophisticated attacks. But not every IoT device is a ticking time bomb. Many vendors, including Cisco, Philips, and Apple, have strengthened their default, out-of-the-box experience to provide ease of use married to security. And for the average consumer with IoT devices at home, it’s relatively easy to defend against these sorts of issues by employing basic hygiene on a home network behind a firewall.