According to IoT Analytics, a provider of market insights for the Internet of Things (IoT), the IoT arena has seen growth in the first and second quarters of 2018, raising the total number of global IoT devices in use today to around seven billion.
However, a lurking threat could unravel the growth of the IoT and all the promise that it brings to change business dynamics and efficiencies in the home environment. This is according to Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions.
IoT Analytics notes in its most recent ‘State of the IoT & Short-term outlook report’ that the global connection growth is mainly driven by IoT devices, both on the consumer side, for example smart home applications, as well as on the enterprise/B2B side, such as connected machinery. The study estimates that the number of active IoT devices is expected to grow to 10 billion by 2020 and 22 billion by 2025.
Against this background, therefore, the realisation that IoT devices are under increasing attack from IoT botnet operators should come as a wake-up call to the manufacturers and consumers of such devices. Hamman says, “As the market for IoT devices and their role in everyday life grows, so cybercriminals are also seeing the financial opportunities, and are using multiple approaches accordingly. An ongoing strategy for threat actors is the use of the ‘brute-forcing approach’ for IoT botnet propagation, in which computational power is used to try to crack a code for a device. Instead of using a complex algorithm to decode a username and password combination, a brute-force attack uses a script or bot to submit guesses until it hits on a combination that works.”
According to a recent NETSCOUT Arbor blog written by Matthew Bing, who reverse-engineers malware and maintains NETSCOUT Arbor’s honeypot operations, ‘Brute-forcing factory default usernames and passwords remains a winning strategy for IoT botnet propagation. Botnet operators with the best list will produce the larger botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they will randomly choose an address to attack and work through their list of usernames and passwords until either giving up or infecting the targeted device.’
A honeypot is a system on a network that acts as a decoy and lures potential hackers (like bears get lured to honey). Honeypots do not contain any live data or information, but they can contain false information. A honeypot should also prevent an intruder from accessing protected areas of the network.
Bing clarifies in the blog that for the month of September 2018, NETSCOUT Arbor observed 1,065 unique username and password combinations from 129 different countries being used by brute-force operators.
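As an added illustration (not code from NETSCOUT Arbor or from Bing’s blog), the sketch below shows how a defender could derive counts of this kind from honeypot login records: it tallies the unique username and password combinations seen and flags sources that work through several distinct combinations. The log format, field names, threshold and sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed honeypot log lines in a hypothetical key=value format
# (documentation-range IPs, made-up credentials); not data from the blog.
SAMPLE_LOG = """\
2018-09-03T10:00:01Z src=198.51.100.7 proto=telnet user=admin pass=admin1 result=fail
2018-09-03T10:00:02Z src=198.51.100.7 proto=telnet user=root pass=root1 result=fail
2018-09-03T10:00:03Z src=198.51.100.7 proto=telnet user=admin pass=admin1 result=fail
2018-09-03T10:00:04Z src=198.51.100.7 proto=telnet user=guest pass=guest1 result=fail
2018-09-03T10:05:10Z src=203.0.113.9 proto=ssh user=admin pass=admin1 result=fail
2018-09-03T10:07:30Z src=192.0.2.44 proto=ssh user=operator pass=op1 result=fail
2018-09-03T10:07:41Z src=192.0.2.44 proto=ssh user=operator pass=op1 result=fail
truncated line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

def parse_attempts(text):
    """Return one dict per well-formed login attempt; skip malformed lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts

def unique_combinations(attempts):
    """Distinct (username, password) pairs seen across all sources."""
    return {(a["user"], a["pw"]) for a in attempts}

def flag_list_walkers(attempts, min_pairs=3):
    """Sources that tried at least min_pairs distinct credential pairs,
    i.e. behaviour consistent with working through a credential list."""
    pairs_by_src = defaultdict(set)
    for a in attempts:
        pairs_by_src[a["src"]].add((a["user"], a["pw"]))
    return {s: len(p) for s, p in pairs_by_src.items() if len(p) >= min_pairs}

if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print("attempts parsed:", len(attempts))
    print("unique combinations:", len(unique_combinations(attempts)))
    print("list-walking sources:", flag_list_walkers(attempts))
```

Counting distinct pairs per source, rather than raw attempts, separates a bot cycling through a credential list from a single client retrying one mistyped password.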
“IoT devices have the potential to bring astonishing benefits into our personal and business lives,” explains Hamman, “including internet connectivity, automation, and functionality that brings real convenience. However, the security and privacy sides of the IoT devices have commonly been an after-thought, especially when it comes to the design of consumer-oriented IoT devices. It is through these default, factory-set name and password combinations that IoT devices are vulnerable to brute-force botnet attacks, with passwords that are publicly available or easy to guess. Additionally, users often keep to the default settings and never change their usernames and passwords.
“In 2016, the world sat up and took notice when the Mirai botnet malware used brute-force tactics to gain access to tens of thousands of IoT devices that were running on default credentials. Having gained access, the botnet then unleashed a series of DDoS attacks on thousands of websites.”
According to www.bankinfosecurity.com, “Two years after Mirai botnets first appeared, new generations of botnets are continuing to probe for internet-connected devices that they can easily compromise, often via a vastly expanded list of default usernames and passwords.”
And, echoing this, Bing’s blog outlines the following key facts:
· Botnets are continuing to target the 64 username and password combinations seen in the Mirai source code, as well as at least 1,005 new ones.
· Combinations used across regions show different trends about device types used.
· Attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices.
“These facts should galvanise manufacturers and users of IoT devices alike. While IoT devices such as smartphones, routers, smart TVs and refrigerators, and security cameras might not be powerful in themselves, they allow threat actors to gain entry to networks for illegal and harmful activities such as data theft, spying and blackmailing. As the IoT arena continues to grow exponentially, so the security of its ‘foot soldier’ devices should be made paramount to prevent them from being made to join an army of botnets that could unleash the next Mirai-inspired attack,” concludes Hamman.