Late last year, we took a look at how the Internet of Things (IoT) is under attack. We analyzed hundreds of individual IoT devices to see how often they were probed for vulnerabilities, with the intention of being employed for IoT botnet attacks, as seen with the Mirai attacks against journalist Brian Krebs and Dyn last year.
Key takeaways from our first round of research showed that, on average, an infected device launched an attack within six minutes of being exposed to the internet, and over the course of a day, IoT devices were probed for vulnerabilities 800 times per hour. With 6.4 billion devices coming online, the emerging IoT market presents ever-growing opportunities to arm potential attackers with a lot of firepower. In this post, we’ll examine how manufacturers of IoT devices have responded to these threats.
We did more robust vulnerability research on IoT devices that have been found vulnerable in the past (smart cameras, baby monitors, and light bulbs) and concluded that while malicious probes are constant, manufacturers have taken action to update their firmware and address security holes. An example was the Chinese device manufacturer that recalled a good chunk of their product line for insecure configurations. Some feel that this is insufficient, however. For instance, Bruce Schneier has recently been calling for government policy to regulate IOT device security.
In our honeypot, all login attempts came through telnet, which is what Mirai uses to hack devices — it isn’t built to hack HTTP, UDP, etc., although later variants began to take advantage of vendor-specific bugs when they were widespread, such as the TR-069 exploits that were merged into some of these botnets, abusing a broadband forum protocol to gain entry to the devices.
Here’s some of what we found:
62 username and password combinations in the Mirai source code are used to attempt to infect devices. This isn’t surprising, as this list has been used successfully by many embedded device botnets since then.
Given the size of the botnet, it would take less than 6 minutes for the Mirai botnet to scan the entire IPv4 space for hackable IoT devices. This means that a new exploit could be deployed rapidly, or the Mirai botnet could be used as a reconnaissance platform by third parties, not just denial of service (DoS) attacks.
Attacks to the IoT devices we tracked were constant, every second, for 7 days. This ceaseless activity is a testament to the prevalence of this problem. Despite a massive fracturing of the Mirai botnet into various competing botnets, compromised IoT devices number so many that this has become constant internet background noise.
The Telnet login requests from a single infected host come in at an average of every 3.7 seconds — faster than you can log in and patch a device, download a patch, or update the password. For a typical end user, this means that the window to update a vulnerable IOT device is virtually non-existent, reminding me of the worst days with a vulnerable Windows box on the open internet: before you could patch you were already compromised.
IoT devices expose a lot, reflecting their engineers' focus on quickly getting to market and enabling people to get online easily, rather than building with security best practices in mind — undoing a significant amount of security work from the past 15 years. This work included convincing platform vendors such as Microsoft, Apple, RedHat, and others to take security seriously and to make security defaults a reality. Examples include Windows XP SP2’s default-on local firewall and exploit mitigation technologies, RedHat’s configuration changes to mail and web servers in default installations, and Apple’s inclusion of address randomization to defeat various attacks. These efforts took years of effort by a whole cast of characters, but clearly needs a new audience in IoT vendors, some of whom are coming to internet-enabled devices and security risks for the first time.
The large size of the Mirai botnet makes it an internet-scale issue — the fact that they can scan the entire web in under six minutes makes it a concern for the entire internet community as noted above. These botnets enable widespread secondary attacks by providing stepping stones and overlay networks for more sophisticated attacks, for example. But not every IoT device is a ticking time bomb. Many vendors, including Cisco, Philips, and Apple, have strengthened their default, out-of-the box experience to provide ease of use married to security. For the average consumer it’s relatively easy to defend against these sorts of issues for end users with IoT devices by employing basic hygiene on a home network behind a firewall.