Security researchers from F-Secure have issued a stark warning that cyberattacks on IoT devices are now accelerating at an unprecedented rate. The company’s “Attack Landscape H1 2019” measured a three-fold increase in attack traffic to more than 2.9 billion events. The company uses honeypots—decoy servers around the world disguised as everyday operational hardware to attract everyday attacks—and this is the first time that attacks on those honeypots “has ever hit the billion mark.”
The researchers put this increase in attacks down to the growing number of IoT devices being deployed around the world. In recent months, we have seen multiple warnings on the vulnerability of such devices to attack. This is partly due to a basic lack of defences in ageing firmware or architectures, and partly down to a lack of infosec housekeeping. Often IT departments are not even aware of all these devices on their networks, making the task of patching security issues near impossible. “From millions to billions,” F-Secure leads out its introduction, neatly summarizing the issue.
We have also seen an improved understanding of some of the risks that such devices introduce into homes and workplaces. Again, sometimes it is an attack on the device itself—remember that this includes medical and control devices which contain valuable data in themselves. But the greater risk is the use of these endpoints as soft access points into wider networks. Attacking an unpatched printer or VoIP phone to access a seemingly secure network is clever and dangerous. And such attacks are now firmly in the playbook of grown-up nation-state threat actors around the world.
The Telnet protocol attracted “the largest share of attack traffic—760 million events,” up almost 30% since the last report. Another IoT protocol UPnP was not too far behind, with 611 million events. Given this IoT focus, it was no surprise then, the researchers explained, “that malware found in the honeypots was dominated by various versions of Mirai, which infects IoT devices that use default credentials and co-opts those devices into botnets that conduct DDoS attacks.”
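The report slices honeypot traffic by protocol and by source country, and ties the Telnet share to Mirai's default-credential logins. The following is an added example (not F-Secure's tooling or data) that produces the same three cuts over a handful of constructed event lines; the log format, the port-to-protocol table and the default credential pairs are all assumptions made for the example.

```python
from collections import Counter

# Constructed honeypot events (not F-Secure's data): timestamp, source country, destination port, payload summary.
SAMPLE_EVENTS = [
    "2019-03-01T00:00:01Z CN 23 login user=root pass=root",
    "2019-03-01T00:00:02Z RU 23 login user=admin pass=admin",
    "2019-03-01T00:00:03Z US 1900 M-SEARCH ssdp:all",
    "2019-03-01T00:00:04Z DE 445 smb_probe",
    "2019-03-01T00:00:05Z CN 23 login user=root pass=hunter2",
    "2019-03-01T00:00:06Z CN 1900 NOTIFY",
]

# Port-to-protocol mapping for the breakdown; 23 (Telnet) and 1900 (UPnP/SSDP) are the two the report singles out.
PORT_PROTOCOL = {22: "ssh", 23: "telnet", 445: "smb", 1900: "upnp"}

# Illustrative factory-default pairs; a real check would load the vendor defaults for your own device inventory.
DEFAULT_CREDENTIALS = {("root", "root"), ("admin", "admin"), ("admin", "1234")}


def parse_event(line):
    """Split one event line (assumed format above) into its fields."""
    ts, country, port, payload = line.split(" ", 3)
    return {"ts": ts, "country": country, "port": int(port), "payload": payload}


def is_default_credential_login(event):
    """True for a Telnet login attempt whose user/pass pair is a listed factory default."""
    if event["port"] != 23 or not event["payload"].startswith("login "):
        return False
    fields = dict(kv.split("=", 1) for kv in event["payload"].split()[1:])
    return (fields.get("user"), fields.get("pass")) in DEFAULT_CREDENTIALS


def summarise(lines):
    """Aggregate events by protocol and source country; count Mirai-style default-credential Telnet logins."""
    by_protocol, by_country, default_logins = Counter(), Counter(), 0
    for line in lines:
        event = parse_event(line)
        by_protocol[PORT_PROTOCOL.get(event["port"], f"tcp/{event['port']}")] += 1
        by_country[event["country"]] += 1
        default_logins += is_default_credential_login(event)
    return {"by_protocol": by_protocol, "by_country": by_country, "default_cred_logins": default_logins}


if __name__ == "__main__":
    report = summarise(SAMPLE_EVENTS)
    for proto, n in report["by_protocol"].most_common():
        print(f"{proto:8s} {n:4d} ({100 * n / len(SAMPLE_EVENTS):.0f}% of events)")
    print("top sources:", report["by_country"].most_common(3))
    print("default-credential Telnet logins:", report["default_cred_logins"])
```

On a real honeypot feed the default-credential count is the figure to watch: it separates Mirai-style credential stuffing from ordinary Telnet scanning and points directly at which devices on your own network still ship with those defaults.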
The biggest culprits for the origination of attack traffic were China and Russia, unsurprisingly, as well as the U.S. and Germany. The U.S. also topped the target list, followed by a number of European nation-states.
F-Secure acknowledged that improvements to its honeypots and their deployments would have accounted for some of the increase, “but there’s also no doubt that attack traffic is also simply on the increase.” The researchers cited IoT growth as well as the continuing “prevalence of Eternal Blue” for this.
Unsurprisingly, the team also concluded that “99.9% of traffic to our honeypots is automated,” meaning bots and scripts and malware designed to attack at scale. “Attacks may come from any sort of connected computing device—a traditional computer, malware-infected smartwatch or IoT toothbrush can be a source.”
What has been interesting in the exploitation of mass IoT endpoint vulnerability has been its use by tier-1 threat actors. That won’t show up in any headline attack numbers, but by value and impact those attacks will top the list.
Mitigation advice is as obvious as it is difficult—“know what devices and servers you have and why they’re needed. Retire old assets that aren’t necessary.” The challenge is that IoT devices by their nature can be “fire and forget,” not carrying the same security inventory and asset-tracking rules and regulations within organizations as other—more obviously vulnerable—assets.
If you do know where all these devices happen to be, clearly keep them patched at all times. They are becoming the most vulnerable access point into home and business networks. Beyond that, the advice reflects the other major finding in recent reports—almost all attacks now start with a person taking an action—clicking or installing. Credential theft or malware loading is the opening needed to map an attack.
“Every half year it’s a different story,” F-Secure warns, “this time it’s the rampant exploitation of IoT devices via Telnet and UPnP” and “China’s domination of traffic,” as well as more targeted threats from the likes of ransomware and cryptomining.
Zak is a widely recognized expert on surveillance and cyber, as well as the security and privacy risks associated with big tech, social media, IoT and smartphone platforms. He is frequently cited in the international media and is a regular commentator on broadcast news, with appearances on BBC, Sky, NPR, NBC, Channel 4, TF1, ITV and Fox, as well as various cybersecurity and surveillance documentaries.
Zak has twenty years’ experience in real-world cybersecurity and surveillance, most recently as the Founder/CEO of Digital Barriers, which develops advanced surveillance technologies for frontline security and defence agencies as well as commercial organizations in the US, Europe and Asia. The company is at the forefront of AI-based surveillance and works closely with flagship government agencies around the world on the appropriate and proportionate use of such technologies.
Zak can be reached at zakd@me.com.