Brute Force Attacks on IoT – Here to Stay?
IoT devices, such as routers, printers, televisions, cameras, lamps, baby-monitors and what-ever-else, can be found, well, everywhere. Their use has been growing for years and is expected to continue to grow. Unfortunately, these devices are notoriously vulnerable, or worse, the security implementation is so flawed that they are counter-protective leaving the consumer with a false feeling that the device is secure.
Recent IoT Attacks:
In 2016 an IoT based attack on Dyn hit the global headlines, making Mirai famous and synonymous with IoT malware. Since then Mirai has spawned a multitude of variants. At the root of Mirai, and its offspring lies an old attack vector called brute force attacks. This vector attempts to access a device (or any account for that matter) by using a list of well-known, hidden and default account credentials.
In the past, our PCs and email accounts were susceptible to brute force attacks, but Microsoft, Apple and other reputable vendors added mechanisms to prevent them. Almost three years after Mirai was discovered brute force attacks remain common and effective on IoT, why?
How Vulnerable are IoT Devices to Cyber Attacks?
But how easy is it to attack an IoT device? In fact, it is so easy that even an inexperienced 12-year-old could connect thousands of devices in minutes by using readily available scripts. And why is that? because most IoT devices still use their default credentials for authentication, not to mention devices that don’t use credentials at all. Therefore, it is not surprising that Telnet and SSH brute force attacks still account for nearly 70% of all IoT attacks.
Our research also shows that per-device the number of unique attackers and the number of brute force attacks is relatively stable and high.
IoT Brute Force Attacks
Even though brute force attacks are probably the oldest and least sophisticated type of attack, surprisingly, it is still a very common and effective method. It seems as if most IoT device manufacturers do not feel responsible for the security of the devices they build or their customers. Most end-users don’t have a clue about the security issues of these products and even if they change the default password, and many don’t, devices still have hidden, hard-coded accounts, that once leaked or discovered become an invite for anyone. Patching, to fix these issues is either non-existent or inconsistent. To make things worse OEM devices or labeled devices make life even easier for hackers since they ensure that the same vulnerabilities are common across many labeled devices, reuse of hardware or code is reuse of vulnerabilities.
The result is millions of highly vulnerable devices connected to the Internet, that represent an easy target for attackers. When so many devices could be controlled so easily, it is just a matter of time for them to be attacked and recruited as part of a botnet to create DDoS attacks or for cryptocurrency mining. There is also the possibility of using these devices for phishing, ransom, selling proxy services or even device bricking.
There are thousands of different malware variants out there. Your home router is either scanned or attacked every 10 seconds, and each exposed IoT device is attacked with default credentials at least once a minute on SSH, Telnet or HTTP ports.
Where Do Attackers Get Credentials?
There are more than 25,000 different credentials used only for brute forcing SSH and Telnet. However, the top ~100 are used much more than the others. Around 50% of these top used credentials are hardcoded into Mirai variants’ source code and the others are very easy to get by simply searching the internet. When analyzing these credentials, it becomes clear that there are two groups: the first group contains generic credentials, like “admin:admin”, “root:1234” and “root:root”, which are used by a large variety of devices. This is the generic group that represent 27% of attacks. The second group is device specific, providing credentials for specific network devices, including routers, controllers, printers and servers. But the most just-waiting-to-be-hacked type of device, which owns the largest bulk of credentials in the second group, are IP cameras at 27%
When analyzing IoT brute force attacks, we see that the attackers are constantly improving their existing IoT malware capabilities by expanding their database of default credentials and trying to attack additional Telnet, SSH and HTTP ports.
It is important to remember that the power of using an “army” of IoT bots is still the most desirable, and therefore, there is no need to attack particular devices. Suffice to find enough devices that could be compromised by one of the attacks methods. With so many vulnerable devices still in use, and more being deployed every day this does not seem to be a problem.
Therefore, there is an opportunity for ISPs to deliver IoT security services for the connected home, that are able to protect devices from brute-force attacks. Until IoT vendors significantly improve credential handling, brute-force attacks will probably remain the most popular method and will keep being improved in the future.
While brute force attacks remain effective and common IoT hackers aren’t waiting for the industry to wake up, they are already developing new attack vectors. Indeed, our security research is seeing new IoT attack methods on the rise. Some of these methods are related to brute-force attacks, exploiting additional ports and protocols. Other methods are designed to make it more difficult to detect the attack and protect against them with persistence methods, self-packing and other innovative features. Devices are getting smarter, attacks are getting smarter, we need to become smarter.
Recently, HardenStance published a whitepaper on the risks of home security, which you can download here.
If you are worried about brute force attacks or other threats to your network, find out how Allot NetworkSecure can help you understand your network and keep it safe from malicious activity.