According to Gartner, there are currently over 6 billion IoT devices on the planet. Such a huge number of potentially vulnerable gadgets could not possibly go unnoticed by cybercriminals. As of May 2017, Kaspersky Lab’s collections included several thousand different malware samples for IoT devices, about half of which were detected in 2017.
The number of IoT malware samples detected each year (2013 – 2017)
Threat to the end user
If there is an IoT device on your home network that is poorly configured or contains vulnerabilities, it could cause some serious problems. The most common scenario is your device ending up as part of a botnet. This scenario is perhaps the most innocuous for its owner; the other scenarios are more dangerous. For example, your home network devices could be used to perform illegal activities, or a cybercriminal who has gained access to an IoT device could spy on and later blackmail its owner – we have already heard of such things happening. Ultimately, the infected device can be simply broken, though this is by no means the worst thing that can happen.
The main problems of smart devices
Firmware
In the best-case scenario, device manufacturers are slow to release firmware updates for smart devices. In the worst case, firmware doesn’t get updated at all, and many devices don’t even have the ability to install firmware updates.
Software on devices may contain errors that cybercriminals can exploit. For example, the Trojan PNScan (Trojan.Linux.PNScan) attempted to hack routers by exploiting one of the following vulnerabilities:
- CVE-2014-9727 for attacking Fritz!Box routers;
- A vulnerability in HNAP (Home Network Administration Protocol) and the vulnerability CVE-2013-2678 for attacking Linksys routers;
- ShellShock (CVE-2014-6271).
If any of these worked, PNScan infected the device with the Tsunami backdoor.
The Persirai Trojan exploited a vulnerability present in over 1000 different models of IP cameras. When successful, it could run arbitrary code on the device with super-user privileges.
There’s yet another security loophole related to the implementation of the TR-069 protocol. This protocol is designed for the operator to remotely manage devices, and is based on SOAP which, in turn, uses the XML format to communicate commands. A vulnerability was detected within the command parser. This infection mechanism was used in some versions of the Mirai Trojan, as well as in Hajime. This was how Deutsche Telekom devices were infected.
Passwords, telnet and SSH
Another problem is preconfigured passwords set by the manufacturer. They can be the same not just for one model but for a manufacturer’s entire product range. Furthermore, this situation has existed for so long that the login/password combinations can easily be found on the Internet – something that cybercriminals actively exploit. Another factor that makes the cybercriminal’s work easier is that many IoT devices have their telnet and/or SSH ports available to the outside world.
For instance, here is a list of login/password combinations that one version of the Gafgyt Trojan (Backdoor.Linux.Gafgyt) uses:
root | root |
root | – |
telnet | telnet |
!root | – |
support | support |
supervisor | zyad1234 |
root | antslq |
root | guest12345 |
root | tini |
root | letacla |
root | Support1234 |
Statistics
We set up several honeypots (traps) that imitated various devices running Linux, and left them connected to the Internet to see what happened to them ‘in the wild’. The result was not long in coming: after just a few seconds we saw the first attempted connections to the open telnet port. Over a 24-hour period there were tens of thousands of attempted connections from unique IP addresses.
Number of attempted attacks on honeypots from unique IP addresses. January-April 2017.
In most cases, the attempted connections used the telnet protocol; the rest used SSH.