It’s been more than two years since, in the fall of 2016, the threat of cyber attacks that leveraged Internet of Things (IoT) devices moved from theoretical to actual. That fall, several distributed denial of service (DDoS) assaults each leveraged tens of thousands of poorly secured IoT devices to send crippling volumes of traffic to targeted web sites.
One example: a September 2016 attack on the hosting provider OVH used a botnet that enlisted approximately 150,000 devices to send 1 terabyte of data per second at the victim’s servers.
Although such massive attacks have remained rare, the sheer number of IoT-based attacks ramped up rapidly in 2017 and held roughly steady in 2018, according to the most recent iteration of Symantec’s annual Internet Security Threat Report (ISTR). The vast majority of IoT-enhanced attacks still fall into the DDoS category, but there are indications that these ubiquitous devices will be increasingly tapped to execute different forms of assaults.
To track the prevalence of IoT attacks, Symantec operates a global “honeypot” of virtual machines that mimic the appearance and behavior of network routers – the favored target of IoT attackers, explains Candid Wueest, senior principal threat researcher with Symantec Security Response. Throughout 2018, the Symantec honeypot averaged 5,200 IoT attacks per month.
Infected routers were the source of 75% these attacks, with connected cameras a distant second at 15.2%. Still, it’s worth noting that connected cameras accounted for only 3.5% of IoT-compromised devices in 2017, so their role increased significantly during the course of last year.
Also, more than 90% of the 2018 IoT attacks exploited the Telnet protocol, up from 50% in 2017. The reason? Many IoT devices are older types of equipment that don’t get replaced or updated rapidly, notes Wueest, so still use the widespread, if poorly secure, Telnet.
“Many devices are five years old or older,” he says, “and they also don’t require other security processes such as the enforcement of password changes.” The consequence of this particular failing is evident in Symantec’s ISTR analysis: The top password attackers used to access IoT devices in 2018 was “123456,” which was used in one-quarter of all attacks. In second place? No password at all, which accounted for 17% of the 2018 attacks.
Ideally, manufacturers of new IoT device will build better security into their products, but there are no guarantees. “We still see vendors who don’t understand security or don’t care,” Wueest, says. “Sometimes, it may be because their margins are so low that they have no incentive to increase their expenses by building more-secure products.”
To date, the vast majority of IoT-based attacks have occurred in the tried-and-true DDoS realm.
To date, the vast majority of IoT-based attacks have occurred in the tried-and-true DDoS realm. Three forms of DDoS-associated malware – LightAidra, Kaiten and Mirai – collectively accounted for nearly 80% of the 2018 IoT attacks, Symantec’s ISTR reports. Still, there are already signs that the objectives and methods of IoT attackers are becoming more diverse.
One notable arrival on the IoT scene in 2018 was VPNFilter, malware designed to infect routers and some types of storage devices. Believed by the FBI to have originated with the “Russian Bear” targeted attack group, VPNFilter is notable in that it can persist even if the infected device is rebooted.
VPNFilter is able to carry a range of payloads that can, for example, capture and exfiltrate data or steal credentials. One of its more troubling actions is the interception of the Supervisory Control and Data Acquisition (SCADA) protocol communications used by much industrial plant machinery.
The potential of attackers to shut down or corrupt the actions of IoT devices that control equipment or interact in some other way with the physical world has long been the source of many nightmarish scenarios. Be it by compromising Internet-connected pacemakers, smart cars or power plant equipment, the threat of attackers causing real-world damage or danger is very real.
That said, Wueest cautions that most of the non-DDoS IoT attacks Symantec is seeing involve objectives such as gathering proprietary information or conducting espionage. He also expects to see an uptick in profit-seeking attackers to leverage IoT devices to perform cryptocurrency mining or to perpetrate click fraud schemes against online advertising.
“We’re not trying to cry wolf” about the threat of physical-world IoT threats, he says, while still acknowledging that “those types of attacks will likely grow in frequency.”
2019 Internet Security Threat Report (ISTR): The New Threat Landscape
As ransomware shows early signs of decline, new forms of attack emerge to take its place. Stealthy techniques allow attackers to fly under the radar, placing enterprises at increasing risk. Join us as we discuss these trends and more.
ISTR Volume 24 is here, providing insights into global threat activity, cyber criminal trends, attacker motivations, and other happenings in the threat landscape in 2018.
We encourage you to share your thoughts on your favorite social platform.