Bots Infect Insecure IoT Device Every Two Minutes

Research and imagination paint a scary picture of security failures in internet-of-things devices. A recent experiment shows an even darker reality, though, where cyber-criminals persistently scan the web to access poorly protected connected devices. Successful attacks on a test gadget were as frequent as every two minutes and came mostly from IoT products already infected.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, ran the study with an older-model Anran digital video recorder (DVR) for security cameras, set up with the factory configuration. The manufacturer's default access password is “xc3511,” which is present on multiple white-labeled DVRs and IP cameras and was used by the Mirai botnet a year ago to swell its army of compromised systems.

Many attackers expend little effort trying to compromise a device. Default credentials are publicly available and easy to find, and so are the tools that search the internet for vulnerable devices and access them in an automated way. This is a simple job, even for crooks with little skill.

The experiment lasted 45 hours and 42 minutes and logged attacks from 1,254 IP addresses that tried the “xc3511” password to access the device. Simple math shows that a successful compromise occurred roughly every two minutes. Ullrich said many of the malware programs disabled telnet after infection to foil competitors’ attacks, so to keep the test running the device was rebooted every five minutes.
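The “simple math” above, together with the kind of log analysis a honeypot operator would do to reach those figures, as an added example that is not part of the article or of the SANS study; the log format and the sample lines are constructed here for illustration.

```python
import re
from datetime import datetime

# Constructed sample of telnet honeypot login records (not the SANS study's data).
# Assumed format: ISO timestamp, source IP, username, password, outcome.
SAMPLE_LOG = """\
2017-10-30T08:00:05 src=203.0.113.7 user=root pass=xc3511 result=success
2017-10-30T08:00:09 src=198.51.100.23 user=admin pass=admin result=fail
2017-10-30T08:02:11 src=192.0.2.44 user=root pass=xc3511 result=success
2017-10-30T08:02:40 src=203.0.113.7 user=root pass=xc3511 result=success
2017-10-30T08:04:30 src=198.51.100.9 user=root pass=xc3511 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>\S+)$"
)

DEFAULT_PASSWORD = "xc3511"  # factory credential named in the article


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def default_credential_sources(records):
    """Distinct source IPs that tried the factory default password."""
    return {r["src"] for r in records if r["pw"] == DEFAULT_PASSWORD}


def mean_minutes_between_compromises(records):
    """Average gap in minutes between successful default-credential logins."""
    hits = sorted(r["ts"] for r in records
                  if r["pw"] == DEFAULT_PASSWORD and r["result"] == "success")
    if len(hits) < 2:
        return None  # not enough successful logins to compute an interval
    span_minutes = (hits[-1] - hits[0]).total_seconds() / 60
    return span_minutes / (len(hits) - 1)


def rate_from_study(hours, minutes, source_count):
    """The article's arithmetic: experiment length divided by attacking IPs."""
    return (hours * 60 + minutes) / source_count
```

With the article's own figures, `rate_from_study(45, 42, 1254)` gives about 2.19 minutes per attacking address, the “every two minutes” in the headline.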

Much of the telnet scanning originated from infected internet-of-things devices in India, China and Brazil. According to Ullrich’s findings, some of the attacking gadgets ran the GoAhead embedded web server, the Dahua DVR firmware or the DD-WRT alternative firmware for many routers and access points. High-profile manufacturers included TP-Link, AvTech, Synology and D-Link.

“While I am calling the activity ‘Mirai,’ dozens of variants hit the DVR,” notes Ullrich, as multiple versions of this particular piece of malware have been created since the public release of the source code in late September last year. The code is easy to find, and anyone with basic computer skills can create their own version.

This study shows devices facing the public internet with default credentials are sitting ducks, and cyber-criminals waste no time recruiting them into botnets to perpetrate malicious activity. As a minimal security precaution, users should change the default password from the manufacturer to a unique phrase.


One comment

  • By coyote

    Makes one long for Sasser, MyDoom &c more than two decades ago … I don’t know if that would be because there are far more nodes on the Internet now; I imagine that if there were as many Windows boxes as there are devices now in full then there would have been far more infections but still a big difference even if subtly.

    And to think that companies/organisations still recommend that one disable security services and permissions etc. to ‘troubleshoot’ a problem. This includes WordPress’s suggestion that one have world read/write/execute permissions (0777) on the files as well as giving ALL privileges on the database when that is a TERRIBLE suggestion. And always has been. But probably most people who use these services/etc. don’t know what they’re doing at all and happily do whatever is suggested. The fact WordPress is vulnerable in many ways makes it all the worse…
