Hacking into IoT: Beware the Internet of Thingbots

Machines and gadgets connected to the Internet of Things remain a prime target for cybercriminals, says a report by F5 Networks, an application security specialist. According to the study, entitled The Hunt for IoT, hacking into IoT networks is “so easy children are doing it.” So-called script kiddies are capable of assembling increasingly sophisticated “Thingbots” by simply downloading and tweaking existing tools offered by professional hackers.

The United Nations Interregional Crime and Justice Research Institute reported in 2012 that 61% of hackers begin hacking before the age of 16. According to the NCCU, in 2017 the average age of a cyber-crime suspect was 17, compared with 37 for drug offences and 39 for fraud. Early interest in hacking isn’t novel; what has changed is the number of IoT devices deployed in ways that make them easy to compromise, which presents a new opportunity for teens and young adults. That opportunity is marketed to them through online games and shady game-modding forums; it is no coincidence that most thingbots are named after anime and gaming characters.
IoT devices commonly use SSH or Telnet for remote administration, protected only by vendor default credentials. Those credentials are very easy to find. Not only are there plenty of published lists, but a Google search for a vendor’s name and “port forward” typically leads to deployment guides that spell out the default credentials and the port the management service listens on.
Attackers don’t even need to research default credentials, because brute forcing the devices works just as well. The term “brute force” is used loosely here: in practice, attackers have narrowed the candidates down to a short list of credentials likely to work on the targeted device types, which makes the process closer to credential stuffing than to brute forcing.
Typically, thingbots scan random IP ranges for command ports such as Telnet and SSH. On a hit, they start brute forcing the login with a dictionary of known usernames and passwords.
Not only are default credentials, ports, vulnerabilities and exploits for IoT devices a few Google searches away, the ease with which these attacks can be carried out has been widely publicized. That popularity shows in the number of thingbots discovered since Mirai, the thingbot behind a particularly destructive wave of Distributed Denial of Service (DDoS) attacks, first appeared in 2016. F5 Networks says 88% of known thingbots were discovered after Mirai, and of those, 46% are Mirai variants.
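The two-stage pattern described above (one source sweeping Telnet/SSH across many addresses, then cycling a short credential list against a host that answered) is what a defender looks for in firewall and authentication logs. The following Python script is an added example, not code from the F5 report or from this post; the log format, field names, thresholds and IP addresses are all constructed for illustration.

```python
"""Detect the scan-then-dictionary-login pattern on constructed log lines.

Added example; the log format below is made up for illustration and is not
the output of any particular firewall or SSH/Telnet daemon.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic): firewall connection events and
# failed-login events from a SOHO router. 198.51.100.7 sweeps six hosts on
# Telnet/SSH, then walks several usernames against 192.0.2.13; 203.0.113.9 is
# an ordinary user mistyping a password twice.
FW_LINES = """\
2024-05-01T10:00:01 CONN src=198.51.100.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:01 CONN src=198.51.100.7 dst=192.0.2.11 dport=23
2024-05-01T10:00:02 CONN src=198.51.100.7 dst=192.0.2.12 dport=22
2024-05-01T10:00:02 CONN src=198.51.100.7 dst=192.0.2.13 dport=23
2024-05-01T10:00:03 CONN src=198.51.100.7 dst=192.0.2.14 dport=23
2024-05-01T10:00:03 CONN src=198.51.100.7 dst=192.0.2.15 dport=23
2024-05-01T10:00:10 CONN src=203.0.113.9 dst=192.0.2.10 dport=443
""".splitlines()

AUTH_LINES = """\
2024-05-01T10:00:05 AUTHFAIL src=198.51.100.7 dst=192.0.2.13 user=root
2024-05-01T10:00:05 AUTHFAIL src=198.51.100.7 dst=192.0.2.13 user=admin
2024-05-01T10:00:06 AUTHFAIL src=198.51.100.7 dst=192.0.2.13 user=root
2024-05-01T10:00:06 AUTHFAIL src=198.51.100.7 dst=192.0.2.13 user=support
2024-05-01T10:00:07 AUTHFAIL src=198.51.100.7 dst=192.0.2.13 user=admin
2024-05-01T10:00:30 AUTHFAIL src=203.0.113.9 dst=192.0.2.10 user=alice
2024-05-01T10:00:40 AUTHFAIL src=203.0.113.9 dst=192.0.2.10 user=alice
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONN|AUTHFAIL) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: user=(?P<user>\S+))?$"
)
MGMT_PORTS = {"22", "23"}  # SSH and Telnet, the command ports thingbots probe


def parse(lines):
    """Parse the constructed format into dicts, skipping lines that don't match."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            out.append(rec)
    return out


def _windows(recs, window):
    """Yield each sliding window of records (sorted by time) no wider than `window`."""
    recs = sorted(recs, key=lambda r: r["ts"])
    start = 0
    for end in range(len(recs)):
        while recs[end]["ts"] - recs[start]["ts"] > window:
            start += 1
        yield recs[start:end + 1]


def find_scanners(conns, min_hosts=5, window=timedelta(minutes=1)):
    """Map src -> set of hosts for sources that hit >= min_hosts distinct hosts
    on SSH/Telnet within `window`."""
    by_src = defaultdict(list)
    for r in conns:
        if r["event"] == "CONN" and r["dport"] in MGMT_PORTS:
            by_src[r["src"]].append(r)
    scanners = {}
    for src, recs in by_src.items():
        if any(len({r["dst"] for r in w}) >= min_hosts for w in _windows(recs, window)):
            scanners[src] = {r["dst"] for r in recs}
    return scanners


def find_dictionary_logins(auths, min_failures=5, min_users=3, window=timedelta(minutes=1)):
    """Map (src, dst) -> details for bursts of failed logins spread over several
    usernames: the credential-stuffing style walk through a default-credential list.
    A single user retrying one account does not trip the distinct-username test."""
    by_pair = defaultdict(list)
    for r in auths:
        if r["event"] == "AUTHFAIL":
            by_pair[(r["src"], r["dst"])].append(r)
    hits = {}
    for pair, recs in by_pair.items():
        for w in _windows(recs, window):
            users = {r["user"] for r in w}
            if len(w) >= min_failures and len(users) >= min_users:
                hits[pair] = {"failures": len(w), "users": sorted(users)}
                break
    return hits


def correlate(fw_lines, auth_lines):
    """Tie a port sweep to the dictionary login that followed it on a scanned host."""
    scanners = find_scanners(parse(fw_lines))
    dict_logins = find_dictionary_logins(parse(auth_lines))
    findings = []
    for (src, dst), info in dict_logins.items():
        stage = "scan_then_dictionary_login" if dst in scanners.get(src, ()) else "dictionary_login"
        findings.append({"src": src, "dst": dst, "stage": stage, **info})
    for src, hosts in scanners.items():
        if not any(f["src"] == src for f in findings):
            findings.append({"src": src, "dst": None, "stage": "scan_only",
                             "failures": 0, "users": [], "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in correlate(FW_LINES, AUTH_LINES):
        print(finding)
```

The thresholds are deliberately low so the constructed sample trips them; a real deployment tunes `min_hosts`, `min_failures` and the window to its own traffic. The distinct-username count is the signal worth keeping: a legitimate user retrying one account looks nothing like a bot walking a vendor-default list, and the correlation with a preceding sweep of port 22/23 across neighbouring addresses is what separates a thingbot from an isolated password-guessing attempt.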

Hacking into IoT: Thingbots

The device types targeted by Mirai and other thingbots are still small office/home office (SOHO) routers, IP cameras, DVRs, NVRs and CCTV systems. IP cameras, DVRs, NVRs and CCTVs are all components of the surveillance systems widely deployed around the world by governments, private businesses and residences.
To protect themselves, companies need to block the most popular exploit paths:

  • Disable remote management, restrict it to a management network, or place the device behind a firewall. At a minimum, put devices behind NAT if they will be used in a residence.
  • Change the vendor default credentials and disable the default admin account if the device allows it.
  • Keep the devices updated with the latest firmware as it is released.

When it comes to DDoS attacks, the authors believe a cloud scrubbing provider is the way to go, simply because attacks larger than the capacity of most networks (outside service providers and large banks) cost only $20 to launch. Finally, F5 recommends not buying products with known vulnerabilities, products that are actively exploited, or products that don’t offer proper security. Quarantine or retire any devices you already have that can’t be secured.

    Author: Tim Cole
    Image Credit: F5 Networks
