Monitoring scanning activities that could lead to IoT compromises

IoT devices are ideal targets for attackers looking to build DDoS botnets because they have limited or non-existent security features.


Some IoT devices utilize hard-coded default passwords. Many devices have unnecessary services running that can be exploited, and others have unprotected management interfaces. Most important for DDoS attackers, IoT devices offer high-speed connections that are always on, which allows for a large, predictable amount of attack traffic volume per compromised device.

Monitoring login attempts

Looking at honeypot data during a two-week period, Arbor Networks saw a total of 1,027,543 login attempts, of which 819,198 failed, from a total of 92,317 unique source IP addresses.

Overall, Arbor witnessed a peak of 18,054 login attempts per hour during the monitoring period. Telnet is being targeted more frequently than SSH, and the average rates show the overall trend clearly — 756 versus 2,762 attempts per hour for SSH and Telnet respectively.
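The following sketch is an added example, not Arbor's tooling or code from the original article. It derives the same kinds of figures quoted above (total and failed attempts, unique source IPs, peak attempts per hour, average hourly rate per protocol) from a honeypot login log. The log format, the function names and the sample records are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (assumed format): timestamp protocol source_ip result
SAMPLE_LOG = """\
2017-01-10T00:05:11 telnet 198.51.100.7 fail
2017-01-10T00:17:42 telnet 198.51.100.7 fail
2017-01-10T00:48:03 ssh 203.0.113.20 fail
2017-01-10T01:02:30 telnet 192.0.2.55 ok
2017-01-10T01:02:31 telnet 192.0.2.55 fail
2017-01-10T01:40:09 telnet 198.51.100.7 fail
2017-01-10T01:59:58 ssh 203.0.113.20 ok
2017-01-10T03:15:00 telnet 192.0.2.99 fail
2017-01-10T02:xx telnet 192.0.2.1 fail
truncated record
"""

def parse(log_text):
    """Yield (hour_bucket, protocol, source_ip, succeeded) for each valid line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or truncated record
        ts, proto, src, result = fields
        try:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        except ValueError:
            continue  # unparseable timestamp
        yield hour, proto.lower(), src, result == "ok"

def summarize(log_text):
    """Return totals, unique sources, peak hour and per-protocol hourly averages."""
    per_hour, per_proto, sources = Counter(), Counter(), set()
    total = failed = 0
    for hour, proto, src, ok in parse(log_text):
        total += 1
        failed += 0 if ok else 1
        per_hour[hour] += 1
        per_proto[proto] += 1
        sources.add(src)
    if total == 0:
        return {"total": 0}
    # Average over the whole observation window so quiet hours count too.
    span_hours = int((max(per_hour) - min(per_hour)).total_seconds() // 3600) + 1
    peak_hour, peak = per_hour.most_common(1)[0]
    return {"total": total, "failed": failed, "unique_sources": len(sources),
            "peak_hour": peak_hour.isoformat(), "peak_per_hour": peak,
            "avg_per_hour": {p: n / span_hours for p, n in per_proto.items()}}
```

Calling `summarize(SAMPLE_LOG)` returns the summary as a dictionary; the two malformed records at the end of the sample are skipped rather than counted.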

The hardware and software used in a large proportion of current IoT devices comes from a very small number of manufacturers based in Asia. In 2014, one of the major manufacturers issued a new software release that solved some security issues. However, these fixes were only made available for the English version of the software.

Regional breakdown

A regional breakout of the data showed a variation in the rate of login attempts by geographic area, with the Asia-Pacific and South America honeypots seeing higher average and maximum attempt rates, more than one per minute in some cases.

“On a broad regional level, this research from Arbor validates so much of what we have learned over this last year about the expected increase in massive DDoS attacks. It is becoming more and more critical that manufacturers of IoT devices integrate security by design, including update capabilities, into their products to reduce the likelihood of their devices being used in botnets,” said Ari Schwartz, Venable’s Managing Director of Cybersecurity Services and former Special Assistant to the President and Senior Director for Cybersecurity in the Obama administration.

“Arbor’s annual security report is always an authoritative source of data on the state of cybersecurity. The inclusion of a special section on IoT is particularly timely, as it’s coming onto a lot of folks’ radars as a new vector for DDoS and other types of cyberattacks,” said Ovum senior analyst Rik Turner.