The Threat to SoHo IoT Devices is Growing Rapidly

A network of 50 honeypots deployed around the world has been catching and monitoring attacks against IoT devices. Such detected attacks have increased almost nine-fold between H1 2018 and H1 2019, from 12 million to 105 million. During the same period, the number of unique attacking IP addresses increased from 69,000 to 276,000.

Many of the attacks are directed at home smart devices, such as routers. "Our telemetry data," says Kaspersky in its latest analysis, "suggests that smart botnet operators check the network AS [autonomous system] name and tend to target only IP addresses belonging to internet service providers supplying Internet connection to home users."

The reason is simple. IoT devices do not have the capacity for internal security software, and SoHo IoT devices tend not to have the surrounding security layers found in business IoT. The result is a source of devices that are easy to compromise and incorporate within large-scale botnets that can be used for different purposes -- such as massive DDoS attacks.

Many of the attacks on IoT devices focus on brute-forcing the access credentials using the devices' default settings, which are frequently unchanged by the user. By collecting the credentials used in the attacks, Kaspersky's researchers are able to gauge the most attacked devices. For example, in Q2 2019, the most used credentials were default/default, admin/admin, root/7ujMko0admin, and root/vizxv. The last two are the default credentials for two Dahua cameras.

"New cameras are probed every quarter as exploits are released into the wild," comments Kaspersky. "In Q1 2019, we observed bots trying to infect specific Gpon routers using a specific hard-coded password."

Thirty-nine percent of the detected attacks involved the Mirai family, but the Nyadrop malware family came a close second at 38.5%. Nyadrop is a backdoor and dropper, and can be used to further spread Mirai. It appeared in 2016 and has grown in popularity. It has replaced the Hajime malware, which was the second most popular (again behind Mirai) in Q1 2018.

The telemetry gathered by the honeypots also allows the researchers to discover the countries hosting the IP addresses behind the attacks. China leads, hosting 21.2% of all detected attacks. Brazil is second with 13.5%. China's dominance is even greater in telnet attacks, where it hosts 30%. Brazil is still second with 19%. This is a reversal from H1 2018, where Brazil hosted 28% of telnet attacks and China 14%. Egypt and Russia are both growing fast -- Egypt from outside of the top ten to third with 12%, and Russia from eighth with 3% to fourth with 11%.

"As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying," comments Dan Demeter, one of the security researchers at Kaspersky. "Judging by the enlarged number of attacks and criminals' persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. This is much easier than most people think: the most common combinations by far are usually 'support/support', followed by 'admin/admin', 'default/default'. It's quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices."

Other steps recommended by Kaspersky include installing new firmware updates as early as possible, and rebooting any device that appears to be acting strangely. The latter might clear the device of any memory-resident malware, but will not prevent it from being re-infected later. Noticeably, the researchers comment, "We are looking at a steady trend for an increase in repeat attacks from attackers' IP addresses, suggesting increasingly persistent attempts at infecting devices previously known to the attackers." This will include attempts to re-infect rebooted devices that remain unpatched or with the same password.
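
The following added example (not code from Kaspersky or from this article) shows how honeypot login records can be tallied to surface the most-tried credential pairs and the source addresses that come back on later days, the two measurements described above. The log format, the sample lines and the function names are assumptions constructed for illustration; the device hints are the two Dahua pairs named in the article.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical honeypot log format (an assumption):
# <ISO timestamp> <protocol> <source IP> login <user>/<password>
SAMPLE_LOG = """\
2019-06-01T03:12:09 telnet 203.0.113.5 login root/vizxv
2019-06-01T03:12:11 telnet 203.0.113.5 login admin/admin
2019-06-01T04:40:52 ssh 198.51.100.23 login default/default
2019-06-02T11:05:37 telnet 192.0.2.77 login root/7ujMko0admin
2019-06-03T01:19:44 telnet 203.0.113.5 login root/vizxv
garbled line that the parser must skip
2019-06-04T22:31:00 telnet 198.51.100.23 login support/support
2019-06-04T22:31:02 telnet 192.0.2.140 login root/vizxv
"""

# Credential pairs the article attributes to specific devices.
DEVICE_HINTS = {("root", "7ujMko0admin"): "Dahua camera", ("root", "vizxv"): "Dahua camera"}

LINE_RE = re.compile(r"^(\S+) (telnet|ssh) (\S+) login ([^/\s]+)/(\S*)$")

def parse(log_text):
    """Yield (timestamp, protocol, ip, user, password); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            when = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue
        yield (when, *m.groups()[1:])

def top_credentials(events, n=3):
    """Most-tried user/password pairs, with a device hint where one is known."""
    counts = Counter((user, pw) for _, _, _, user, pw in events)
    return [(f"{u}/{p}", c, DEVICE_HINTS.get((u, p)))
            for (u, p), c in counts.most_common(n)]

def repeat_sources(events):
    """Source IPs seen on more than one calendar day (returning attackers)."""
    days = defaultdict(set)
    for when, _, ip, _, _ in events:
        days[ip].add(when.date())
    return {ip: len(d) for ip, d in days.items() if len(d) > 1}

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(top_credentials(events), repeat_sources(events))
```

An address that reappears in `repeat_sources` after a device has been rebooted is the case the article warns about: the reboot helps only if the password or firmware changed in the meantime.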

A more advanced recommendation from Kaspersky is to keep access to IoT devices restricted by a local VPN, allowing the user to access them from the 'home' network, instead of publicly exposing them on the internet.

Although the growth of attacks against home IoT devices might appear to be a home problem, the ultimate threat is to business. Mirai botnets have already been seen to have the potential for massive DDoS attacks against business and even the internet itself. KrebsOnSecurity was attacked by Mirai in 2016 with an attack peaking at 665 Gbps. One month later, another Mirai attack targeted the Dyn DNS service, affecting major services such as Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom and Heroku simultaneously. SoHo may be targeted by IoT infections, but business is threatened.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.