Bots Infect Insecure IoT Device Every Two Minutes

Research and speculation already paint a grim picture of security failures in internet-of-things devices. A recent experiment shows a darker reality: criminals persistently scan the internet for poorly protected connected devices and log in the moment they find one. Successful logins to a test gadget occurred roughly every two minutes and came mostly from IoT products that were already infected.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, ran the study with an older-model Anran digital video recorder (DVR) for security cameras, left in its factory configuration. The manufacturer's default password is “xc3511”; the same credential ships on multiple white-labeled DVRs and IP cameras and was used by the Mirai botnet a year ago to swell its army of compromised systems.

Attackers need to expend little effort to compromise such a device. Default credentials are publicly available and easy to find, and so are the tools that scan the internet for exposed devices and try those credentials automatically. This is a simple job, even for crooks with little skill.

The experiment lasted 45 hours and 42 minutes and logged attacks from 1,254 IP addresses that tried the “xc3511” password against the device. Simple arithmetic (2,742 minutes divided by 1,254 sources) gives a successful login roughly every two minutes. Ullrich said much of the malware disabled telnet after infecting the device in order to lock out competing bots; to keep the test running, the device was rebooted every five minutes.
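The two technical points above, spotting logins that use a shipped default credential and turning a count of attacking sources into an attack rate, can be reproduced on a telnet honeypot log. The script below is an example added to this article, not tooling from the SANS study. The log format and the log lines are constructed for illustration; “xc3511” is the password named in the article, and the other credential pairs are taken from the credential table in the leaked Mirai source.

```python
"""Analyse telnet login attempts from a small constructed honeypot log.

Example code added to this article; not the SANS study's own tooling.
The log format and the sample lines are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Credential pairs shipped as defaults on DVRs/IP cameras and tried by
# Mirai-family bots. "xc3511" is the one the article names; the others are
# entries from the leaked Mirai source's credential table.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
}

# Constructed honeypot log (not from the study):
# timestamp, source IP, username, password, result
SAMPLE_LOG = """\
2017-07-29T10:00:00Z 203.0.113.5 root xc3511 OK
2017-07-29T10:01:30Z 198.51.100.7 root vizxv OK
2017-07-29T10:02:10Z 203.0.113.5 root xc3511 OK
2017-07-29T10:03:45Z 192.0.2.9 admin letmein FAIL
2017-07-29T10:05:00Z 198.51.100.22 admin admin OK
2017-07-29T10:06:20Z 192.0.2.9 root password FAIL
2017-07-29T10:08:00Z 203.0.113.77 root xc3511 OK
"""


def parse_log(text):
    """Yield (datetime, src_ip, user, password, success) for each well-formed
    line; malformed lines are skipped so one bad record does not stop analysis."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, pw, result = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, ip, user, pw, result == "OK"


def summarize(text, cred_set=MIRAI_DEFAULT_CREDS):
    """Return the figures the article reports: distinct sources that used a
    known default credential, the most-tried default password, and the mean
    interval between successful logins over the logged window."""
    events = list(parse_log(text))
    successes = [e for e in events if e[4]]
    default_ips = {ip for _, ip, u, p, _ in events if (u, p) in cred_set}
    per_password = Counter(p for _, _, u, p, _ in events if (u, p) in cred_set)
    if len(successes) >= 2:
        span = successes[-1][0] - successes[0][0]
        mean_gap = span / (len(successes) - 1)
    else:
        mean_gap = None  # not enough data for an interval
    return {
        "attempts": len(events),
        "successes": len(successes),
        "ips_using_defaults": sorted(default_ips),
        "most_tried_default": per_password.most_common(1)[0][0] if per_password else None,
        "mean_gap_between_successes": mean_gap,
    }


def rate_from_study(hours, minutes, attacking_ips):
    """The article's arithmetic: observation window divided by the number of
    attacking sources. For 45h42m and 1,254 sources this is about 131 seconds."""
    return timedelta(hours=hours, minutes=minutes) / attacking_ips


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("study rate:", rate_from_study(45, 42, 1254))
```

On the constructed log the five successful logins span eight minutes, so the mean gap works out to exactly two minutes, the same figure the study reports. In a real deployment the interesting output is the set of source IPs that present a default credential: those are devices already running a bot, and the study found most of them were other IoT products.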

Much of the telnet scanning originated from infected internet-of-things devices in India, China and Brazil. According to Ullrich's findings, some of the attacking gadgets ran the GoAhead embedded web server, Dahua DVR firmware or DD-WRT, the alternative firmware for many routers and access points. Recognizable manufacturers among the attacking devices included TP-Link, AvTech, Synology and D-Link.

“While I am calling the activity ‘Mirai,’ dozens of variants hit the DVR,” notes Ullrich. Many versions of this malware have appeared since its source code was published in late September last year; the code is easy to find, and anyone with basic computer skills can build their own variant.

The study shows that devices exposed to the public internet with default credentials are sitting ducks, and criminals waste no time recruiting them into botnets. As a minimal precaution, users should replace the manufacturer's default password with a unique, strong one. Note that on some of the devices Mirai targeted the telnet credential is hard-coded in the firmware and cannot be changed from the web interface; such a device should not be reachable from the internet at all.
