It Still Takes 2 Minutes to Have Vulnerable IoT Devices Compromised Online

frogboy

In memoriam 1961-2018
Almost a year after the emergence of the Mirai botnet, smart devices are still facing a barrage of credential attacks, and a device left connected to the Internet with default credentials will be hijacked in about two minutes.

This is the result of a recent experiment carried out by Johannes B. Ullrich, a member of the SANS Technology Institute. Ullrich bought an Anran DVR system and left it connected to the Internet for two days. Ullrich left the device in its default state, with the Telnet port open to external connections, and with its default credentials intact (root/xc3511).

The researcher logged everything that happened on the device and connected the DVR to a remote-controlled power outlet that reset it every five minutes. Resetting the device was necessary because this action removed any malware from previous infections.

Experiment results: DVR hijacked every two minutes
Results showed that 10,143 "users" connected to the device from 1,254 different IPs during the two-day experiment.

The device was left online for 45 hrs and 42 min, which meant that around every two minutes, someone connected to the device using the default credentials.

Full Article. It Still Takes 2 Minutes to Have Vulnerable IoT Devices Compromised Online
 

ForgottenSeer 58943

It's things like this that make me so glad I have no internet-connected devices, but for the future, it looks like everything is going this way, so I guess the industry as well as the user has to take action to prevent such attacks.

Unavoidable going forward. But also, having an IoT-based home is absolutely amazing, time-saving and comforting at the same time. However, I have the knowledge and equipment to secure IoT, but the masses? Unfortunately, without regulations and security requirements for IoT gear it's only going to get worse. Much worse.

For me, none of my IoT can traverse the WAN unless it is required. When it is required, I have policy-based routing only allowing that specific port/protocol/IP through and, if possible, at the time it needs to get through. For example, my Tivo units connect in a tight 1-hour window to pull programming updates. Any other time they're blocked from WAN traversal. Tivos are difficult to secure any other way because they're a proprietary Linux distro with an API overlay.

Even still, I have a Session Shield on my network so that, in the event a compromise occurs, no device on my network can be utilized in a DoS/DDoS assault. The session shield monitors the session creation rate of the clients creating sessions. Each time a session is processed, the shield calculates the current session creation rate of the client initiating the session. If the session creation rate of the client reaches a level that the shield considers too aggressive, the session is blocked. Botnets create a LOT of sessions and therefore are blocked.

A simple method to secure IoT for homes is if router manufacturers had session shields built in. When an ASUS router can pump 250,000 sessions, which was the level of enterprise gear a few years ago, then a botnet can have a field day. Perhaps that's where manufacturers should step up. However, consumers are lazy. If they have to think, or click things, or watch things, they get annoyed. Yet they have no trouble watching 3 hours of Bachelorette or something...
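The session-shield logic described in the post above, as an added Python sketch of a per-client sliding-window limit on new sessions. It is not code from the post or from any router or firewall product; the class name, the threshold of 50 new sessions per 1000 ms, and the sample addresses and traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class SessionShield:
    """Blocks a client whose new-session rate exceeds a per-window limit."""

    def __init__(self, max_new_sessions=50, window_ms=1000):
        # Assumed thresholds: set them above the busiest legitimate client.
        self.max_new = max_new_sessions
        self.window_ms = window_ms
        # client IP -> timestamps (ms) of sessions allowed in the current window
        self._recent = defaultdict(deque)

    def allow(self, client_ip, now_ms):
        """Return True to create the session, False to block it."""
        recent = self._recent[client_ip]
        # Forget sessions that have aged out of the sliding window.
        while recent and now_ms - recent[0] >= self.window_ms:
            recent.popleft()
        if len(recent) >= self.max_new:
            # Rate is too aggressive. Blocked attempts are not recorded, so
            # memory per client is bounded by max_new and the client is capped
            # at max_new sessions per window rather than cut off entirely.
            return False
        recent.append(now_ms)
        return True


def replay(events, shield):
    """events: iterable of (timestamp_ms, client_ip). Returns {ip: [allowed, blocked]}."""
    totals = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        totals[ip][0 if shield.allow(ip, ts) else 1] += 1
    return dict(totals)


# Constructed sample traffic (not captured data):
LAPTOP = "192.168.1.10"   # 10 new sessions/second for 3 seconds
DVR = "192.168.1.50"      # compromised device: 1000 new sessions/second for 2 seconds
SAMPLE_EVENTS = [(i * 100, LAPTOP) for i in range(30)] + [(i, DVR) for i in range(2000)]

if __name__ == "__main__":
    for ip, (allowed, blocked) in replay(SAMPLE_EVENTS, SessionShield()).items():
        print(f"{ip}: allowed={allowed} blocked={blocked}")
```

On the sample trace the laptop is never blocked, while the flooding device gets only the first 50 sessions of each one-second window through.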
 
