IoT Device Hit by Credential Attack Every Two Minutes: Experiment

Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed.

Mainly targeting IP cameras, DVRs and routers that haven’t been properly secured, such botnets attempt to ensnare devices and use them for malicious purposes such as distributed denial of service (DDoS) attacks. Compromised IoT products are also used to scan the Internet for other vulnerable devices and add them to the botnet.

BASHLITE, Mirai, Hajime, Amnesia, Persirai, and similar botnets target DVR and IP camera systems via telnet or SSH attacks, and use a short list of commonly encountered login credentials, such as root:xc3511, root:vizxv, admin:admin, admin:default, and support:support.

According to recent research, there are nearly 7.5 million potentially vulnerable camera systems and around 4 million potentially vulnerable routers connected worldwide.

Prompted by recent news that a list of leaked login credentials associated with thousands of IPs (mostly routers) had been posted online, Johannes B. Ullrich, Ph.D., Dean of Research at SANS Technology Institute, exposed a DVR to the Internet for two days and recorded all attempts to log in to it.

According to him, the device used the root:xc3511 login pair and recorded a total of 1254 login attempts from different IPs over a period of 45 hours. Basically, someone or something would log in to it every 2 minutes using the correct credentials, he says.
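A defender running a similar exposed sensor can summarize its log along the same lines: total attempts, attempts using known default pairs, the sources behind them, and the average gap between attempts. The sketch below is an added example, not Ullrich's tooling; the log line format, `SAMPLE_LOG` and the function names are constructed for illustration, and the credential pairs are the ones listed in this article.

```python
import re
from datetime import datetime

# Default pairs named in the article; extend with your own device defaults.
DEFAULT_PAIRS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
                 ("admin", "default"), ("support", "support")}

# Hypothetical sensor log format: "<ISO time> telnet login src=<ip> user=<u> pass=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet login src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*)$")

# Constructed sample data (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
2000-01-01T10:00:05 telnet login src=192.0.2.10 user=root pass=xc3511
2000-01-01T10:01:50 telnet login src=198.51.100.7 user=admin pass=admin
2000-01-01T10:04:10 telnet login src=192.0.2.10 user=root pass=vizxv
truncated or malformed line
2000-01-01T10:06:05 telnet login src=203.0.113.44 user=operator pass=hunter2
2000-01-01T10:08:05 telnet login src=203.0.113.99 user=root pass=xc3511
"""

def parse(log_text):
    """Yield (time, src, user, password) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:  # timestamp field present but not a valid date
            continue
        yield ts, m["src"], m["user"], m["pw"]

def summarize(log_text):
    """Count attempts, default-credential hits, their sources, and mean gap."""
    events = sorted(parse(log_text))
    hits = [e for e in events if (e[2], e[3]) in DEFAULT_PAIRS]
    gaps = len(events) - 1
    span = (events[-1][0] - events[0][0]).total_seconds() if gaps > 0 else 0.0
    return {
        "attempts": len(events),
        "default_cred_attempts": len(hits),
        "default_cred_sources": sorted({e[1] for e in hits}),
        "mean_gap_seconds": span / gaps if gaps > 0 else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
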

After performing a Shodan search, Ullrich retrieved information on 592 of the attacking devices, and says they were mainly from TP-Link, AvTech, Synology, and D-Link. The distribution of attacks matches that previously associated with Mirai, but the researcher notes that dozens of variants hit the device.

Last year, Ullrich performed a similar experiment and revealed that the DVR was being hit every minute and that multiple login pairs were being tried in each attack. His experiment and the emergence of Mirai brought to the spotlight the issue of weak credentials being used in IoT.

“So in short: 1,700 additional vulnerable systems will not matter. We do see a pretty steady set of 100,000-150,000 sources participating in telnet scans. This problem isn’t going away anytime soon,” Ullrich argues.

He also points out that, while malware such as BrickerBot attempted to break the vulnerable devices, the method isn’t effective either, because most of the impacted devices cannot be bricked by overwriting the disk, but only become temporarily unresponsive and recover after a reboot.

“Many of these devices are buggy enough, where the owner is used to regular reboots, and that is probably the only maintenance the owner will perform on these devices,” he says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
