Malware Complaints

Vulnerable IoT Devices hacked in two minutes

What is IoT?

Before we go any further, we'd like to take a couple of moments to explain to our readers what IoT and an IoT device actually mean. IoT stands for Internet of Things; the term refers to the networking of everyday devices that are embedded with electronics, sensors, software and network connectivity. Those characteristics enable IoT devices to collect data and exchange it with other such objects over the Internet, and IoT devices can be, and normally are, controlled remotely by their users over that same network. More information on IoT can be found here. In the next lines, we will introduce you to a recent test carried out by Johannes B. Ullrich, a researcher at the SANS Technology Institute. Its results suggest that a vulnerable IoT device can be compromised in about two minutes.

The research

The object of the test was an Anran digital video recorder (DVR) which was left connected to the Internet for nearly 46 hours. The device's credentials were left in their default state and its Telnet port was open throughout the testing period, and everything that took place during those two days was recorded. The DVR was plugged into a remote-controlled power outlet programmed to reset it every 5 minutes, in order to wipe out any malware infection that might have occurred so that each new attacker found a clean device. (Mirai-style IoT malware normally runs only in memory and does not survive a reboot, which is why a simple power cycle is enough to remove it.)

Results

Once the test was over, the results showed that during a period of 45 hours and 40 minutes, 10,143 connections were made to the device from 1,254 distinct IP addresses, which works out to a new source address arriving roughly every two minutes (and a login attempt every 16 seconds or so). Using the IoT search engine Shodan, Ullrich traced the IPs back to other IoT devices, most of them AvTech, Synology and TP-Link products; these are vendors whose products are frequently exploited by hackers and recruited into botnets. The devices in question had most probably been infected with IoT malware that uses Telnet or SSH scanners to automatically try to log into random devices with a list of default credentials. Though this attack method isn't anything new, it became increasingly popular after the outbreak of the Mirai attacks in 2016, and particularly common once the Mirai source code was made publicly available.
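The figures above (attempt volume, distinct sources, a new source every couple of minutes, time until the first successful default-credential login) are exactly what you would compute from the login log of an exposed device or a Telnet honeypot. The script below is an added example written for this article; it is not Ullrich's test harness or any vendor's code. It assumes a simple one-line-per-attempt log format (timestamp, source IP, username, password, outcome), which is an assumption, and uses a small illustrative subset of the default username/password pairs that Telnet-scanning botnets are known to try. The sample log is constructed, not captured data.

```python
"""Analyse Telnet login attempts recorded by an exposed DVR or honeypot.

Added example for this article; it is not Ullrich's test harness or any
vendor code. The log format is an assumption: one line per attempt,
"<UTC timestamp> <source IP> <username> <password> <ok|fail>".
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Illustrative subset of the default username/password pairs that
# Telnet-scanning IoT botnets are known to try; real scanner lists are longer.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("admin", "1234"), ("root", "123456"),
    ("root", "default"),
}

# Constructed sample log (not real capture data); exposure starts at 12:00:00.
SAMPLE_LOG = """\
2017-11-01T12:00:00Z 198.51.100.17  root    xc3511  fail
2017-11-01T12:00:41Z 203.0.113.5    admin   admin   fail
2017-11-01T12:01:38Z 198.51.100.17  root    vizxv   ok
2017-11-01T12:03:10Z 192.0.2.88     root    root    fail
2017-11-01T12:04:05Z 203.0.113.5    root    123456  ok
2017-11-01T12:06:52Z 192.0.2.88     support support fail
2017-11-01T12:08:00Z 192.0.2.88     admin   1234    fail
2017-11-01T12:09:30Z 198.51.100.201 root    default ok
"""


@dataclass(frozen=True)
class LoginAttempt:
    when: datetime
    source_ip: str
    username: str
    password: str
    success: bool


def parse_log(text: str) -> list[LoginAttempt]:
    """Parse the assumed log format, rejecting malformed lines loudly."""
    attempts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("ok", "fail"):
            raise ValueError(f"line {lineno}: unexpected format: {raw!r}")
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(LoginAttempt(when, parts[1], parts[2], parts[3], parts[4] == "ok"))
    return attempts


def summarize(attempts: list[LoginAttempt], exposure_start: datetime | None = None,
              sweep_threshold: int = 3) -> dict:
    """Compute the figures the article reports: attempt volume, distinct
    sources, time to first successful login, and how much of the traffic
    is default-credential guessing. exposure_start defaults to the first
    attempt; pass the real time the port was opened if you know it."""
    if not attempts:
        raise ValueError("no attempts to summarize")
    attempts = sorted(attempts, key=lambda a: a.when)
    start = exposure_start or attempts[0].when
    window = (attempts[-1].when - start).total_seconds()
    per_source = Counter(a.source_ip for a in attempts)
    first_ok = next((a for a in attempts if a.success), None)
    default_hits = sum((a.username, a.password) in DEFAULT_CREDENTIALS for a in attempts)
    pairs_by_source: dict[str, set] = {}
    for a in attempts:
        pairs_by_source.setdefault(a.source_ip, set()).add((a.username, a.password))
    # A source cycling through several pairs is a scanner doing a credential sweep.
    sweepers = sorted(ip for ip, pairs in pairs_by_source.items() if len(pairs) >= sweep_threshold)
    return {
        "total_attempts": len(attempts),
        "unique_sources": len(per_source),
        "window_seconds": window,
        "seconds_per_new_source": window / len(per_source),
        "seconds_to_first_success": None if first_ok is None else (first_ok.when - start).total_seconds(),
        "first_success_credentials": None if first_ok is None else (first_ok.username, first_ok.password),
        "default_credential_share": default_hits / len(attempts),
        "credential_sweepers": sweepers,
        "busiest_sources": per_source.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

On the constructed sample the first successful login lands 98 seconds after exposure, four distinct sources show up in a 570-second window (one new source every 142.5 s), and three quarters of the attempts use a known default pair. Applying the same arithmetic to the article's own figures, 1,254 sources over 45 hours and 40 minutes (164,400 s), gives about 131 seconds per new source, which is the "roughly every two minutes" quoted above.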

Similar test carried out last year

During the outbreak of the Mirai DDoS (Distributed Denial of Service) attacks last year, a similar test was conducted: an Internet-connected IP camera was left with its default credentials and, on average, it took about 98 seconds for the camera to be compromised. This only goes to show that a year later there is little to no improvement in the security of IoT devices, as according to Ullrich's own research it currently takes no more than about two minutes for such a device to get hacked. According to Ullrich, this issue will likely not fade away anytime soon, as most users who haven't yet encountered such an attack are unaware that their device might be vulnerable because of its default password or credentials.

Publicly available list of default Telnet credentials

In fact, last week researchers discovered that a list of thousands of working Telnet credentials had been available online since June, which further increases the risk of more and more IoT devices being hacked by this sort of malware. The list was found on Pastebin by Ankit Anubhav, a researcher at the security company NewSky Security. It contains 33,138 entries, and the information went viral after a number of security experts shared it on their Twitter accounts. However, according to Victor Gevers, chairman of the GDI Foundation, of the 33,138 IP addresses only 1,775 of the credentials still work. Attempts have been made to inform the owners of the vulnerable devices and warn them of the danger of a malware attack.