This article is excerpted and edited from a thesis the author submitted in August 2020 in part fulfilment of the degree of BSc. (Hons.) in Computer Science, UCD School of Computer Science, University College Dublin.
The Importance of IoT Security
In 2019 there were 7.6 billion active Internet of Things (IoT) devices online, and this number is expected to reach 24.1 billion by 2030.1 In 2019, cyberattacks on IoT devices increased by 257%.2 The exponential growth of IoT devices, alongside their lax security, presents risks to all aspects of society, from the enterprise and consumer sectors to industry and national security.
With an increasing number of attacks coming from a large multitude of sources, nationwide vulnerability assessments need to be conducted to help IoT users prioritize vulnerabilities when adopting a proactive cyber defense approach.
We undertook a project to assess the biggest threats and vulnerabilities in the Irish IP address space. For this project, the IP address dataset was retrieved from IP2Location.3 IP2Location uses network routing information to perform geolocation and claims to have over 99.5% accuracy for country level detection.4 The scans conducted in June and July used a dataset containing 13,633,850 and 13,686,446 IP addresses, respectively.
Port scanning tools such as Nmap and Masscan were used to do transport layer TCP SYN scanning, service detection and OS fingerprinting, and to conduct a detailed assessment on 119 IoT ports and 9 frequently attacked IoT ports. Threats and vulnerabilities were then analyzed by classifying ports into categories that face a particularly high risk of being attacked.
Summary of Findings
- In total 2,171,934 IoT ports were exposed.
- Out of the 119 IoT ports that were scanned, 84.7% of exposed ports were from these 10 ports: 443 HTTPS, 80 HTTP, 22 SSH, 3389 RDP, 8443 HTTPS-Alt, 8080 HTTP-Alt, 21 FTP, 8081 HTTP-Alt, 25 SMTP, and applications that listen on port 8000.
- 12.76% of exposed ports are vulnerable to being attacked by malware or ransomware.
- Malware poses a much larger threat than ransomware, with 10.71% of hosts exposing ports that are commonly attacked by Mirai, Gafgyt, NyaDrop, Hajime, and Kaiji.
- There were 232,672 exposed ports attackable by Mirai, the highest malware threat to IoT devices.
- FRITZ!Box routers are vulnerable to CVE-2014-9727.5 This can be exploited by an unauthenticated remote attacker to perform an RCE attack. 12.1% of hosts with port 443 SSL/HTTPS exposed are susceptible to this.
- OpenSSH, which is associated with 98 CVEs, listens on 88.87% of hosts with port 22 SSH exposed. The most popular version, OpenSSH 7.4 (protocol 2.0), makes up 52.56% of the services listening on port 22 SSH.
What Are the Top Ten Exposed IoT Ports?
Opened/exposed ports are problematic as the services listening on the ports are often vulnerable to exploit. The more ports that are open, the larger the attack surface for an attacker to exploit. In total, 2,171,934 IoT ports were found to be exposed. Focusing on the most important 119 IoT ports, the top 10 exposed ports and their services are shown in Table 1. These 10 ports account for 84.7% of exposed ports in the Irish IP address space.
| TCP Port | Service | Ports Open | % of Overall Exposed Ports |
| --- | --- | --- | --- |
Table 1. Top 10 Exposed IoT Ports
As expected, TCP ports 80, 443, and 22 are the most exposed ports in the Irish address space. These top three ports are responsible for 65% of port vulnerabilities at SMBs (small to mid-sized businesses).6
IoT Web Port Exposure
In the past, the Internet Assigned Numbers Authority (IANA) assigned TCP port 80 for HTTP activity, primarily used by the world wide web (www), and TCP port 443 for HTTPS activity, primarily used for secure web browser communication.7 Hence, these ports are often open as they are associated with “the Internet.”8 Fifty percent of ports in the top ten are related to HTTP and HTTPS as port 8080 and 8081 are alternative HTTP ports and port 8443 is an alternative HTTPS port.
IoT Remote Desktop Protocol Exposure
The fourth most exposed port was TCP port 3389, Remote Desktop Protocol (RDP). RDP is a popular proprietary application-layer protocol for remote access to Microsoft Windows machines. The exposure of RDP reflects a wider trend that has come about as a result of COVID-19: many organizations have introduced remote working, contributing to a 41% increase in the number of exposed RDP ports,9 with consequent brute-force attacks skyrocketing.10 With Ireland being the third most popular home to foreign-company headquarters in the EU11 and host to over 30% of all EU data,12 it is important to ensure workers use RDP securely.
RDP is associated with five critical vulnerabilities: one BlueKeep (CVE-2019-0708) and four DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226). After connecting to a target using RDP, an attacker can send specially crafted requests to a victim in order to perform an RCE (Remote Code Execution) attack.13 According to the search engine Shodan, 1.63% of Irish hosts with port 3389 RDP open are vulnerable to BlueKeep.14 There is no data on DejaBlue exposure.
Other Exposed IoT Ports
Other non-HTTP and non-HTTPS ports in the top 10 are ports 21 and 25. There are 30,059 hosts with TCP port 21 FTP (File Transfer Protocol) exposed. FTP is a plain-text protocol used for transferring files across the Internet, and IoT devices can use it to transfer data to an application server or gateway.15 The protocol is susceptible to brute-force, directory traversal and XSS (cross-site scripting) attacks.16 Furthermore, FTP servers may have anonymous authentication enabled, which allows anyone to log into the server.
There are 23,901 hosts with port 25 SMTP (Simple Mail Transfer Protocol) exposed, which is used for the transmission of email across a network. Exposed SMTP machines can be used for spam distribution.17
What Are the Greatest Malware and Ransomware Threats to IoT Ports?
Malware and ransomware target a given service port to exploit vulnerabilities associated with that service. We considered a port vulnerable to a particular malware or ransomware family if that family is known to target that port. By counting the number of hosts with exposed IoT ports that are attacked by the most popular malware/ransomware families, we can determine which families pose the greatest threat to Irish IoT devices.
A total of 12.76% of ports used by IoT devices are vulnerable to being attacked by malware or ransomware. Malware poses a much larger threat than ransomware, with 10.71% of hosts exposing ports that are attacked by Mirai, Gafgyt, NyaDrop, Hajime, and Kaiji. Figure 1 gives a breakdown of the threat posed by each malware family.
Hosts are most vulnerable to Mirai, with 232,672 exposing ports attacked by the malware, more than any other family. Mirai and its variants have remained active since 2016 and there is no indication that it will subside in the near future. The Mirai source code is publicly available and many new variants are frequently detected.1
Mirai is followed by Gafgyt, with 8.96% of hosts vulnerable to the malware. Kaiji, which was discovered in May 2020, may still be under development.2 These findings indicate it has the potential to infect 184,848, or 8.51%, of exposed Irish hosts.
As few as 0.62% of the scanned hosts are susceptible to Hajime, a malware worm whose intentions are unknown at this time. Some reports indicate that it is a vigilante attempting to secure devices from Mirai, while others suspect the botnet is being used to proxy malicious traffic or perform credential stuffing attacks.
Only 0.45% of hosts are potentially vulnerable to NyaDrop, a malware family that infects Linux devices.
IoT Ransomware Threats
Figure 2 gives a breakdown of the threat posed by each ransomware family. Overall, exposed IoT ports are more susceptible to malware than ransomware.
In the Q1 2020 threat evaluation by Kaspersky Lab,1 Gandcrab was listed as the fourth most popular ransomware family attacking users. A total of 42,297 hosts are vulnerable to this ransomware family.
This is closely followed by Crysis/Dharma, the ninth most popular family, with 40,893 hosts vulnerable to it.
WannaCry was the most common ransomware family attacking users in Q1 2020. As many as 2,550 of the scanned hosts have exposed ports that are attackable by WannaCry.
What IoT Devices Are Most Vulnerable to Being Attacked?
To help figure out the most vulnerable devices, we categorized them into groups based on common services and ports, as seen in Table 2.
| IoT Device | Ports | Open Ports |
| --- | --- | --- |
| Popular SOHO routers | 69, 135, 161, 162, 4786, 5431, 8291, 37215, 53413 | 14,108 / 0.65% of exposed ports; CVE-2019-3978 is associated with port 8291 |
| Surveillance systems, DVRs, NVRs, CCTV, IP cameras, iDVR-E recorders, webcams, home security, drones, VoIP and surveillance apps | 21, 554, 888, 1159, 1160, 1161, 1435, 1518, 3389, 4550, 5005, 5400, 5550, 6550, 7000, 8000, 8081, 8090, 8150, 8866, 9000, 9650, 9999, 10000, 18004, 25001, 30001, 34567, 37777 | 192,755 / 8.87% of exposed ports |
| Surveillance systems and surveillance apps | 137, 138, 139, 143, 445, 548, 892, 995, 2049, 3260, 4672, 5432, 5511, 6881, 7001, 9997, 9998, 55536 | 56,598 / 2.52% of exposed ports |
| Other routers, DVRs, NAS, CCTV, home control assistants, home security, video chat | 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 | 20,710 / 0.95% of exposed ports; port 20000 is the most exposed port in this category, responsible for 16.1% of this count |
| Gaming consoles, games, printers, P2P audio and video, streaming, cellular gateways | 223, 1080, 1935, 2332, 8888, 9100 | 14,642 / 0.67% of exposed ports |
| Wi-Fi antennas, bridges and access points | 10001 | 19,195 / 0.88% of exposed ports |
| Google Homes, Chromecasts and smart TVs | 1728, 3001, 8008, 8009 | 6,443 / 0.3% of exposed ports |
| Wi-Fi routers, BusyBox, conferencing systems, presentation systems, GPON FTTH networks, Wi-Fi cams, personal assistants, set-top boxes, TVRs, iPhone & iPad apps, hotspots, wireless PoEs, HDRs, gateways, temperature control systems, CCTV-DVR cameras, smart plants, TelePresence, home assistants, DVR servers, home security cameras, smart devices and control monitoring systems, smart sprinklers, iDVR-Pro recorders, Echo, Alexa, lightweight messaging protocol used by small sensors, portable SDK for UPnP devices, WAPs, Wi-Fi router, eCam, wireless chipsets, SDKs | 22, 23, 25, 53, 80, 81, 110, 180, 443, 873, 2323, 5000, 5001, 5094, 5150, 5160, 7547, 8080, 8100, 8443, 8883, 49152, 52869, 56000 | 1,795,840 / 82.68% of exposed ports |
Table 2. Port Exposure by IoT Device
What Critical Industrial Control IoT Devices are Vulnerable to Known Attacks?
Vulnerabilities in Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) devices have the potential to cause great harm if exploited by a malicious actor. These systems are commonly used to control critical infrastructure such as electrical power stations and water systems. As examples of impact, some of these protocols can be exploited to prevent a dam gate from closing or to disable temperature control systems.2
As seen in Table 3, ports used by SCADA devices and other critical infrastructure make up 2.38% (51,643) of the exposed ports in Ireland’s IP address space. These devices are potentially susceptible to 33 CVEs.
| IoT Device | Ports | Open Ports | CVE Total |
| --- | --- | --- | --- |
| PLC & PAC | 102, 2455, 9600, 18245, 18246, 20547, 44818 | 7,377 | 20 |
| ICS, industry automation, SCADA systems and components | 111, 502, 789, 1443, 1911, 1962, 2222, 2223, 2404, 4911, 5006, 5007, 20000 | 44,266 | 13 |
Table 3. Exposure of ICS/SCADA IoT Systems to Known CVEs
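The per-family figures in the malware and ransomware sections and the per-category figures in Tables 2 and 3 both come from the same operation: map each port set to the hosts and ports exposing it, then express the count as a share of the total. The following script is an added illustration, not code from the thesis or from the Masscan/Nmap projects. It parses Masscan's list output format (`-oL`) on a constructed sample using documentation IP ranges, and the port-to-family and port-to-category mappings are assumptions chosen for the example (the article does not publish the full mapping it used). It also reports host counts and port counts separately, because a host exposing two Telnet ports counts once as a host but twice as a port, and the article's per-family numbers do not always say which of the two they report.

```python
"""Tally exposed ports by malware family and device category from Masscan list output.

Added illustration, not code from the thesis or from Masscan/Nmap. The port-to-family
and port-to-category mappings are assumptions for the example.
"""
from collections import defaultdict

# Constructed sample in Masscan's -oL list format: "open <proto> <port> <ip> <timestamp>".
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 23 192.0.2.10 1593000001
open tcp 80 192.0.2.10 1593000002
open tcp 2323 192.0.2.10 1593000003
open tcp 443 192.0.2.11 1593000004
open tcp 3389 192.0.2.12 1593000005
open tcp 445 192.0.2.12 1593000006
open tcp 22 198.51.100.7 1593000007
open tcp 8291 198.51.100.7 1593000008
open tcp 554 203.0.113.9 1593000009
open tcp 37777 203.0.113.9 1593000010
open tcp 502 203.0.113.20 1593000011
# end
"""

# Assumed target-port sets (illustrative, from public reporting; not the article's mapping).
MALWARE_PORTS = {
    "Mirai": {23, 2323},        # Telnet scanner in the released Mirai source
    "WannaCry": {445},          # SMB / EternalBlue
    "Crysis/Dharma": {3389},    # RDP brute force as the initial access vector
}
DEVICE_PORTS = {
    "Popular SOHO routers": {69, 135, 161, 162, 4786, 5431, 8291, 37215, 53413},
    "Surveillance / cameras": {554, 37777, 34567, 8000},
    "ICS / SCADA": {102, 502, 20000, 44818},
}


def parse_masscan_list(text):
    """Return {ip: set(open TCP ports)} from Masscan -oL output, skipping comment lines."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 5:
            continue
        state, proto, port, ip = fields[:4]
        if state == "open" and proto == "tcp":
            hosts[ip].add(int(port))
    return dict(hosts)


def exposure(hosts, port_sets):
    """For each named port set, count matching (host, port) pairs and distinct hosts.

    'ports' is the number of exposed ports in the set; 'hosts' counts each host once.
    Shares are relative to all exposed ports and all hosts with at least one exposed port.
    """
    total_hosts = len(hosts)
    total_ports = sum(len(p) for p in hosts.values())
    result = {}
    for name, targets in port_sets.items():
        port_hits = sum(len(p & targets) for p in hosts.values())
        host_hits = sum(1 for p in hosts.values() if p & targets)
        result[name] = {
            "ports": port_hits,
            "hosts": host_hits,
            "pct_ports": round(100.0 * port_hits / total_ports, 2),
            "pct_hosts": round(100.0 * host_hits / total_hosts, 2),
        }
    return result


if __name__ == "__main__":
    hosts = parse_masscan_list(SAMPLE_MASSCAN_LIST)
    for label, mapping in (("Malware family", MALWARE_PORTS), ("Device category", DEVICE_PORTS)):
        print(label)
        for name, row in sorted(exposure(hosts, mapping).items(), key=lambda kv: -kv[1]["hosts"]):
            print(f"  {name:24s} hosts={row['hosts']} ({row['pct_hosts']}%)"
                  f" ports={row['ports']} ({row['pct_ports']}%)")
```

On the constructed sample, Mirai's Telnet ports account for 2 of 11 exposed ports (18.18%) but only 1 of 6 hosts (16.67%); on a real dataset the two shares diverge further, so a report should state which denominator it uses.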
What Operating Systems Are Most Likely to be Attacked?
The results of the operating system (OS) fingerprinting can be seen in Table 4. Only 0.002% of OS fingerprints on exposed machines were identified with high confidence. This is due to the large number of uncertain matches caused by scanning only 3 ports per host, a restriction imposed by time constraints.
| Rank | OS & OS Version | Total | % Overall Matches |
| --- | --- | --- | --- |
| 1 | Actiontec embedded or Linux 2.4.X \| 3.X | 660,056 | 98.839 |
| 2 | Actiontec embedded or Linux | 1,706 | 0.256 |
| 4 | Actiontec embedded or Linux 3.X | 1,232 | 0.185 |
| 5 | Actiontec embedded or Linux 2.4.X \| 3.X or Microsoft Windows XP\|7\|2012 | 889 | 0.133 |
| 6 | Actiontec embedded or Linux 2.4.X | 588 | 0.088 |
| 8 | Microsoft Windows XP\|7\|2012 or VMWare Player | 308 | 0.046 |
| 9 | Actiontec embedded or Linux 3.X or Microsoft Windows XP\|7\|2012 | 298 | 0.045 |
| 10 | Linux 2.4.X or Microsoft Windows XP\|7\|2012 | 257 | 0.039 |
Table 4. Most exposed operating systems on frequently attacked ports
Despite the lack of high-accuracy matches, three operating systems appeared consistently in the top three most exposed: Actiontec embedded, Linux 2.4.X and Linux 3.X. Windows XP|7|2012 also appears multiple times. Hence, these operating systems are the most likely to be attacked. CVEs could not be tallied per operating system, since the CVE search tips state that search results by operating system are incomplete.3
Vulnerabilities Associated with the Most Popular Services
An assessment of the most popular service listening on each port was conducted; the results are shown in Table 5. Service names ending in ‘d’ denote a daemon, i.e. the Unix term for “a process that runs in the background and performs a specified operation at predefined times or in response to certain events”.4
| Port | Service | Service Version | Service Total | Port Open Total |
| --- | --- | --- | --- | --- |
| 443 | SSL/HTTPS | FRITZ!Box http config | 808 | 6,675 |
| 80 | HTTP | AkamaiGHost (Akamai's HTTP Acceleration/Mirror service) | 1,591 | 8,119 |
| 22 | SSH | OpenSSH 7.4 (protocol 2.0) | 2,277 | 4,332 |
| 445 | Microsoft-ds | Microsoft Windows Server 2008 R2 - 2012 | 141 | 143 |
| 5431 | UPnP | Broadcom upnpd 1.0 (UPnP 1.0) | 121 | 121 |
Table 5. Most exposed services, by port
IoT Vulnerabilities Associated with FRITZ!Box Routers
FRITZ!Box routers are vulnerable to CVE-2014-9727.5 This can be exploited by an unauthenticated remote attacker to perform an RCE attack. 12.1% of hosts with port 443 SSL/HTTPS exposed are susceptible to this.
IoT Vulnerabilities Associated with OpenSSH
OpenSSH, which is associated with 98 CVEs, listens on 88.87% of hosts with port 22 SSH exposed. The most popular version, OpenSSH 7.4 (protocol 2.0), makes up 52.56% of the services listening on port 22 SSH. There are two CVEs associated with this version; CVE-2018-15919 and CVE-2017-15906.6
IoT Vulnerabilities Associated with Telnet
Linux telnetd is listening on 40.08% of hosts with port 23 Telnet exposed. These are susceptible to four CVEs: CVE-1999-0740, CVE-2000-1195, CVE-2004-0911 and CVE-2020-8797.
IoT Vulnerabilities Associated with Simple Mail Transfer Protocol (SMTP)
A total of 65.83% of hosts with port 25 SMTP exposed are susceptible to two medium-severity CVEs associated with Postfix smtpd: CVE-2011-0411 and CVE-2011-1720. The Postfix SMTP server is used to receive mail from the network and can be exposed to spamming and viruses.7
IoT Vulnerabilities Associated with Broadcom UPnP
In 2013, a critical vulnerability associated with Broadcom UPnP was discovered by DefenseCode researchers. When exploited, an attacker can execute arbitrary code remotely with root privileges.8 This vulnerability has been exploited multiple times, most recently in 2018. A botnet dubbed BCMPUPnP_Hunter exploited up to 100,000 routers that had TCP port 5431 UPnP exposed and Broadcom UPnP enabled.9 In 2020, a new UPnP vulnerability, CVE-2020-12695, was uncovered. This vulnerability, known as the CallStranger issue, can be used to exfiltrate data, use a victim’s network as part of a DDoS attack and scan a victim’s network.10 All hosts with port 5431 exposed are potentially susceptible to these vulnerabilities.
IoT Vulnerabilities Associated with Microsoft Server Message Block
Port 445 microsoft-ds returned a range of server operating systems as the most popular service, as opposed to a single version. There were also 21 instances of Samba smbd 3.X - 4.X listening on port 445 netbios-ssn. Smbd is the server daemon used for file sharing and printer services.11 Versions 3.5.0-4.6.4, 4.5.10 and 4.4.14 are vulnerable to RCE attacks whereby an attacker can “upload a shared library to a writable share, and then cause the server to load and execute it,”12 that is, CVE-2017-7494 (Eternal Red). The services on port 7547 (cwmp?) and port 2323 (3d-nfsd?) could not be confirmed by version detection; the question mark is Nmap's marker that the service name was taken from its port-number table rather than confirmed by a probe.
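Tables 4 and 5 and the two caveats around them (OS matches identified with high confidence, and service names Nmap reports with a trailing "?") all come out of one pass over Nmap's version-detection and OS-fingerprint results. The script below is an added illustration, not code from the thesis or from the Nmap project. It parses a constructed Nmap XML document that mirrors the article's table entries; the element and attribute names (`host`, `address`, `port`, `state`, `service` with `product`/`version`/`extrainfo`/`method`/`conf`, `osmatch` with `accuracy`) are Nmap's own, and the XML `method="table"` attribute is what Nmap renders as the "?" suffix in normal output. The 100% accuracy threshold used to call an OS match "high confidence" is an assumption for the example.

```python
"""Summarize Nmap -sV/-O XML output: top service per port, unconfirmed guesses, OS confidence.

Added illustration, not code from the thesis or from the Nmap project. The XML sample is
constructed to mirror the article's Table 4/5 entries.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -O -oX - (constructed sample)">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="7547"><state state="open"/>
        <service name="cwmp" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Actiontec embedded or Linux 2.4.X | 3.X" accuracy="88"/></os>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="FRITZ!Box http config" method="probed" conf="10"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="100"/></os>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="Dropbear sshd" version="2019.78" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="2323"><state state="open"/>
        <service name="3d-nfsd" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""


def service_label(svc):
    """Join product/version/extrainfo as Nmap prints them; None when the name is only a table guess."""
    if svc is None or svc.get("method") != "probed":
        return None
    label = " ".join(p for p in (svc.get("product", ""), svc.get("version", "")) if p)
    if svc.get("extrainfo"):
        label += f" ({svc.get('extrainfo')})"
    return label or svc.get("name")


def summarize(xml_text, high_conf=100):
    """Return per-port open counts, top confirmed service, guessed-service counts and OS matches.

    high_conf is the osmatch accuracy at or above which a fingerprint counts as a confident
    identification (assumed threshold for this example).
    """
    root = ET.fromstring(xml_text)
    per_port = defaultdict(Counter)   # port -> Counter(service label)
    guessed = Counter()               # port -> hosts whose service was only a table lookup
    port_open = Counter()
    os_high, os_low = Counter(), Counter()
    for host in root.iter("host"):
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            pid = int(port.get("portid"))
            port_open[pid] += 1
            label = service_label(port.find("service"))
            if label is None:
                guessed[pid] += 1       # rendered as "cwmp?" / "3d-nfsd?" in normal output
            else:
                per_port[pid][label] += 1
        for match in host.iter("osmatch"):
            bucket = os_high if int(match.get("accuracy")) >= high_conf else os_low
            bucket[match.get("name")] += 1
    top = {pid: c.most_common(1)[0] for pid, c in per_port.items()}
    return {"port_open": dict(port_open), "top_service": top, "guessed": dict(guessed),
            "os_high": dict(os_high), "os_low": dict(os_low)}


if __name__ == "__main__":
    s = summarize(SAMPLE_NMAP_XML)
    for pid in sorted(s["port_open"]):
        label, n = s["top_service"].get(pid, ("(unconfirmed)", 0))
        print(f"port {pid:5d}: open on {s['port_open'][pid]} hosts; top service {label!r} x{n};"
              f" guessed on {s['guessed'].get(pid, 0)}")
    print("OS matches at high confidence:", s["os_high"])
    print("OS matches below threshold:   ", s["os_low"])
```

Keeping the table-lookup guesses in a separate tally matters for a report like Table 5: a guessed name says only which port number was open, so it should not be counted as evidence that a particular product, with its CVE history, is listening there.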
This project uncovered the top 10 most exposed IoT ports, identified Mirai as the greatest malware threat to IoT devices, and Gandcrab as the greatest ransomware threat. The IoT devices most likely to be attacked include surveillance systems, IP cameras and webcams. The IoT systems most vulnerable to attack are ICSs, SCADA systems and industrial automation technologies. The services most vulnerable to being attacked are FRITZ!Box http config listening on port 443 SSL/HTTPS and OpenSSH listening on multiple ports. The operating system most vulnerable to being attacked is either Actiontec embedded, Linux 2.4.X or Linux 3.X. This project also identified the prevalence of encrypted web traffic over plain-text traffic.