Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

The Threat to SoHo IoT Devices is Growing Rapidly

A network of 50 honeypots deployed around the world has been catching and monitoring attacks against IoT devices. Such detected attacks have increased almost nine-fold between H1 2018 and H1 2019, from 12 million to 105 million. During the same period, the number of unique attacking IP addresses increased from 69,000 to 276,000.

A network of 50 honeypots deployed around the world has been catching and monitoring attacks against IoT devices. Such detected attacks have increased almost nine-fold between H1 2018 and H1 2019, from 12 million to 105 million. During the same period, the number of unique attacking IP addresses increased from 69,000 to 276,000.

Many of the attacks are directed at home smart devices, such as routers. “Our telemetry data,” says Kaspersky in its latest analysis, “suggests that smart botnet operators check the network AS [autonomous system] name and tend to target only IP addresses belonging to internet service providers supplying Internet connection to home users.”

The reason is simple. IoT devices do not have the capacity for internal security software, and SoHo IoT devices tend not to have the surrounding security layers found in business IoT. The result is a source of devices that are easy to compromise and incorporate within large scale botnets that can be used different purposes — such as massive DDoS attacks.

Many of the attacks on IoT devices focus on brute-forcing the access credentials using the devices’ default settings, which are frequently unchanged by the user. By collecting the credentials used in the attacks, Kaspersky’s researchers are able to gauge the most attacked devices. For example, in Q2 2019, the most used credentials were default/default, admin/admin, root/7ujMko0admin, and root/vizxv. The last two are the default credentials for two Dahua cameras.

“New cameras are probed every quarter as exploits are released into the wild,” comments Kaspersky. “In Q1 2019, we observed bots trying to infect specific Gpon routers using a specific hard-coded password.”

Thirty-nine percent of the detected attacks involved the Mirai family, but the Nyadrop malware family came a close second at 38.5%. Nyadrop is a backdoor and dropper, and can be used to further spread Mirai. It appeared in 2016 and has grown in popularity. It has replaced the Hajime malware, which was the second most popular (again behind Mirai) in Q1 2018.

The telemetry gathered by the honeypots also allows the researchers to discover the countries hosting the IP addresses behind the attacks. China leads, hosting 21.2% of all detected attacks. Brazil is second with 13.5%. China’s dominance is even greater in telnet attacks, where it hosts 30%. Brazil is still second with 19%. This is a reversal from H1 2018, where Brazil hosted 28% of telnet attacks and China 14%. Egypt and Russia are both growing fast — Egypt from outside of the top ten to third with 12%, and Russia from eighth with 3% to fourth with 11%.

“As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying,” comments Dan Demeter, one of the security researchers at Kaspersky. “Judging by the enlarged number of attacks and criminals’ persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. This is much easier than most people think: the most common combinations by far are usually ‘support/support’, followed by ‘admin/admin’, ‘default/default’. It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices.”

Other steps recommended by Kaspersky include installing new firmware updates as early as possible, and rebooting any device that appears to be acting strangely. The latter might clear the device of any memory-resident malware, but will not prevent it from being re-infected later. Noticeably, the researchers comment, “We are looking at a steady trend for an increase in repeat attacks from attackers’ IP addresses, suggesting increasingly persistent attempts at infecting devices previously known to the attackers.” This will include attempts to re-infect rebooted devices that remain unpatched or with the same password.

A more advanced recommendation from Kaspersky is to keep access to IoT devices restricted by a local VPN, allowing the user to access them from the ‘home’ network, instead of publicly exposing them on the internet.

Although the growth of attacks against home IoT devices might appear to be a home problem, the ultimate threat is to business. Mirai botnets have already been seen to have the potential for massive DDoS attacks against business and even the internet itself. KrebsonSecurity was attacked by Mirai in 2016 with an attack peaking at 665 Gbps. One month later, another Mirai attack targeted the Dyn DNS service, affecting major services such as Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom and Heroku simultaneously. SoHo may be targeted by IoT infections, but business is threatened.

Related: California IoT Cybersecurity Bill Signed into Law 

Related: “Silexbot” Malware Bricks IoT Devices 

Related: Mozilla, Others Want Big Retailers to Pledge Minimum IoT Security 

Related: IoT Security – Where There is Smoke, There is Fire 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

IoT Security

Taiwan-based networking and storage solutions provider Synology has informed customers about the availability of patches for several critical vulnerabilities, including flaws likely exploited recently...

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...

IoT Security

Censys finds 30,000 internet-exposed QNAP appliances that are likely affected by a recently disclosed critical code injection vulnerability.