IoT attacks increase but rely on the same old weaknesses
Internet of Things devices have proved to be problematic in their vulnerability to cyber attacks. This is underlined by a new report from F-Secure which finds that threats and the number of attacks continue to increase, but still depend on well-known security weaknesses, such as unpatched software and weak passwords.
The number of IoT threats observed by F-Secure Labs doubled in 2018, growing from 19 to 38 in the space of a single year.
But many of these threats still use predictable, known techniques to compromise devices. Threats targeting weak/default credentials, unpatched vulnerabilities, or both, made up 87 percent of observed threats.
"The big guys like Google and Amazon have made strides in their smart home products with the help of massive backing and ethical hackers like our own Mark Barnes, who executed the first proof of concept for a hack of an Echo in 2017," says F-Secure operator consultant Tom Gaffney. "But for years manufacturers have been releasing products without giving much thought to security, so there’s a lot of 'smart' devices out there vulnerable to relatively simple attacks."
IoT threats first started to appear around 2014 with Gafgyt -- a threat that targeted a variety of IoT devices including CCTV and DVRs. In October 2016, Mirai, which was developed from Gafgyt's code, became the first IoT malware to achieve global notoriety when its massive botnet was used to launch one of the largest distributed denial-of-service attacks in history.
Mirai’s code has been public 'for Research/IoC Development Purposes' since 2016. Originally, it used 61 unique combinations of credentials used for infections. Within three months, that number had reached almost 500. And it's highly prevalent as a malware family. Approximately 59 percent of attack traffic detected by F-Secure's honeypot servers in 2018 targeted exposed Telnet ports, with Mirai's attempts to spread as the main culprit behind the attacks.
"Most device vendors license software development kits for the chipsets they use in their smart cameras, smart appliances, and other IoT devices. That's where the vulnerabilities and other issues are coming from," F-Secure Labs principal researcher Jarno Niemela says. "Device vendors have to start asking for more in terms of security from these suppliers, and also be prepared to issue updates and patches as they become available."
You can read more about the report's findings on the F-Secure blog.