When Johannes Ullrich, dean of research at the SANS Technology Institute, exposed a digital video recorder to the Internet he was probably expecting the worse to happen. His expectations were met, and then some. After being online for just 45 hours, the IoT device had been accessed more than 1,250 times by attackers using the correct login credentials. It should be pointed out that the DVR in the research was rigged to reboot every five minutes so as to allow all login attempts to be more accurately logged. This is because some of the malware that is installed by attackers will disable telnet post-infection in order to prevent other attackers exploiting the now pwned device. It's this that allowed the true scope of the attack to be logged: a successful credentials-based attack once every two minutes on average.
This won't come as any great surprise to those within the security research sector, as all IoT honeypot systems are attacked equally ferociously. Indeed, ever since the Mirai malware that seeks out and compromises IoT devices to build offensive botnets launched as the proof of concept that nobody wanted to see, so vendors have been reporting a flow of probing requests on ports 22, 23 and 2323 looking for default credentials.
What the SANS research also revealed, courtesy of the nearly 600 logged IPs that were known to the Shodan IoT discovery search engine, was the fact that attackers covered a broad swathe of the world map. Perhaps predictably, the threat actor hotspots appear to be China, South Korea, India and Brazil followed by Russia, the United States and Turkey. This pretty much matches the early geographic spread of Mirai activity. According to Ullrich "we see a pretty steady set of 100,000 to 150,000 sources participating in telnet scans. This problem isn't going away anytime soon."
As Brian Vecci, technical evangelist at Varonis, told SC: "Credentials can be leveraged into so much more. A leak opens the door to infect devices, spread malware, and exploit all sorts of security vulnerabilities." Which begs the question, beyond the obvious 'change the defaults' message, what can the enterprise do to best mitigate the IoT credentials attack risk?
Phil Beecher, chairman of the Wi-SUN Alliance, says that "enterprises should verify the integrity of any device joining the network. A Wi-SUN device will be authenticated before being allowed to join a network - it has an electronic passport which can be checked to ensure it is what it says it is."
Pascal Geenens, Radware EMEA security evangelist, told SC Media that enterprises should "use network segregation to confine each IoT device to its own isolated segment and prevent direct connectivity between devices on the same switched network domain – practically this can performed through the use of Private VLAN (RFC 5517) which is supported by most network switch vendors."
Barry Shteiman, director of threat research at Exabeam recommends "monitor the behaviour of IoT devices in much the same way as actual human users." The argument being that by understanding what normal behaviour for these IoT devices looks like, it's possible to get an early indication of when a device has been hijacked by hackers.
Kyle Wilhoit, senior security researcher at DomainTools adds that enterprises should "turn off any unused services on the IoT device. For instance, if you are not going to be using SFTP, disable it."
While Kirill Kasavchenko, principal security technologist, EMEA at Arbor Networks, reminds us that "the issue of default user credentials is further impacted by a large proportion of systems embedded in IoT devices rarely – if ever – being updated to patch against security vulnerabilities." Of course, any changes to this inability need to come from vendors, and considered part of the production cost. Something that won't happen, Kasavchenko argues "until businesses vote with their wallets."
The financial incentive is also suggested by James Wickes, chief executive of Cloudview, who told SC Media UK, "companies making and selling IoT kit should really start thinking about indemnifying their users against losses incurred as a result of breaches of their equipment."
And finally, there's the legal angle. Take the draft bill which has been created by a group of senators in the US, entitled 'Internet of Things (IoT) Cybersecurity Improvement Act of 2017' for example. Within the bill it states that a device must not include any fixed or hard-coded credentials used for remote administration amongst other best practices. "This bill seeks to place the onus on IoT vendors to make their products more secure" says Lawrence Munro, Worldwide VP of SpiderLabs at Trustwave who continues "however, it will only pertain to vendors wishing to supply devices to the US federal government, but I would hope that others will follow suit."
