November 17, 2020

IoT Vulnerability Assessment of the Irish IP Address Space


This article is excerpted and edited from a thesis the author submitted in August 2020 in part fulfilment of the degree of BSc. (Hons.) in Computer Science, UCD School of Computer Science, University College Dublin.

The Importance of IoT Security

In 2019 there were 7.6 billion active Internet of Things (IoT) devices online, a number expected to reach 24.1 billion by 2030.[1] In the same year, cyberattacks on IoT devices increased by 257%.[2] The rapid growth of IoT devices, combined with their generally weak security, presents risk to every part of society, from enterprises and consumers to industry and national security.

With attacks increasing and coming from a wide range of sources, nationwide vulnerability assessments are needed to help IoT users prioritize the vulnerabilities that matter most as part of a proactive cyber defense approach.

We undertook a project to assess the biggest threats and vulnerabilities in the Irish IP address space. The IP address dataset was retrieved from IP2Location.[3] IP2Location uses network routing information for geolocation and claims over 99.5% accuracy at country level.[4] The scans conducted in June and July 2020 used datasets of 13,633,850 and 13,686,446 IP addresses, respectively.

The port scanning tools Nmap and Masscan were used for transport-layer TCP SYN scanning, service and version detection, and OS fingerprinting, and to assess 119 IoT ports in detail together with 9 frequently attacked IoT ports. Threats and vulnerabilities were then analyzed by classifying ports into categories that face a particularly high risk of attack. Note that a SYN scan establishes only that a port accepts connections; whether the service behind it is actually exploitable depends on the software version and configuration, which only the service detection and banner analysis in the later sections can indicate.
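The first practical step in a country-scale scan is turning the geolocation dataset into a target list the scanner accepts. The following is an added example, not tooling from the thesis: it reads rows in the IP2Location DB1 column layout (ip_from, ip_to, country_code, country_name, with IPv4 addresses as 32-bit integers), keeps one country, and collapses the integer ranges into the minimal set of CIDR blocks that Masscan or Nmap can consume. The CSV rows are constructed for illustration and are not real Irish allocations; the function and variable names are the example's own.

```python
"""Convert IP2Location-style integer IP ranges into a CIDR target list and
count the addresses covered.

Added example, not the study's own code. The DB1 column order
("ip_from","ip_to","country_code","country_name") is real; the rows below
are constructed and are NOT real country allocations.
"""
import csv
import io
import ipaddress

# Constructed sample in IP2Location DB1 column order (IPv4 as integers).
SAMPLE_DB1 = '''"16777216","16777471","AU","Australia"
"3232235520","3232235775","IE","Ireland"
"3232235776","3232236031","IE","Ireland"
"167772160","167772415","GB","United Kingdom"
"3232301056","3232301061","IE","Ireland"
'''


def country_ranges(csv_text, country_code):
    """Yield (first, last) IPv4Address pairs for rows matching country_code."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3 or row[2] != country_code:
            continue
        yield ipaddress.IPv4Address(int(row[0])), ipaddress.IPv4Address(int(row[1]))


def ranges_to_cidrs(ranges):
    """Collapse arbitrary first..last ranges into the minimal CIDR list.

    summarize_address_range() splits a range that is not CIDR-aligned into
    several blocks; collapse_addresses() then merges adjacent blocks (for
    example two neighbouring /24s become one /23), so the scanner gets the
    shortest possible target list.
    """
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def target_list(csv_text, country_code="IE"):
    """Return ([cidr strings], total address count) for one country."""
    cidrs = ranges_to_cidrs(country_ranges(csv_text, country_code))
    total = sum(n.num_addresses for n in cidrs)
    return [str(n) for n in cidrs], total


if __name__ == "__main__":
    cidrs, total = target_list(SAMPLE_DB1, "IE")
    print("\n".join(cidrs))          # one CIDR per line: ready for masscan -iL
    print(f"# {total} addresses")
```

Writing the returned list one block per line gives the file that `masscan -iL targets.txt -p22,23,80,443 --rate 10000 -oL results.txt` (or Nmap's `-iL`) expects. The total address count is the same figure the study reports for its dataset (about 13.6 million addresses for Ireland), and comparing it across monthly dataset releases shows how much the address space drifted between the June and July scans.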

Summary of Findings

  • In total, 2,171,934 IoT ports were found exposed.
  • Of the 119 IoT ports scanned, 84.7% of exposed ports fall on just 10 of them: 443 HTTPS, 80 HTTP, 22 SSH, 3389 RDP, 8443 HTTPS-Alt, 8080 HTTP-Alt, 21 FTP, 8081 HTTP-Alt, 25 SMTP, and port 8000 (various applications).
  • 12.76% of exposed ports are ports targeted by known malware or ransomware families.
  • Malware poses a much larger threat than ransomware: 10.71% of hosts expose ports commonly attacked by Mirai, Gafgyt, NyaDrop, Hajime, and Kaiji.
  • 232,672 exposed ports are ones Mirai targets, making it the single largest malware threat to Irish IoT devices.
  • Hosts presenting the FRITZ!Box http config service account for 12.1% of hosts with port 443 SSL/HTTPS exposed. FRITZ!Box firmware affected by CVE-2014-9727[5] lets an unauthenticated remote attacker perform an RCE attack; whether a given unit is still vulnerable depends on its firmware version.
  • OpenSSH, which is associated with 98 CVEs, listens on 88.87% of hosts with port 22 SSH exposed. The most common version, OpenSSH 7.4 (protocol 2.0), accounts for 52.56% of services on port 22.

What Are the Top Ten Exposed IoT Ports?

Open (exposed) ports matter because the services listening on them are often exploitable, and every additional open port enlarges the attack surface. In total, 2,171,934 IoT ports were found exposed. Across the 119 IoT ports of interest, the top 10 exposed ports and their services are shown in Table 1; together they account for 84.7% of exposed ports in the Irish IP address space.
 

TCP Port | Service   | Ports Open | % of Overall Exposed Ports
443      | HTTPS     | 772,258    | 35.6%
80       | HTTP      | 670,789    | 30.9%
22       | SSH       | 184,848    | 8.5%
3389     | RDP       | 40,893     | 1.9%
8443     | HTTPS-Alt | 39,100     | 1.8%
8080     | HTTP-Alt  | 30,502     | 1.4%
21       | FTP       | 30,059     | 1.4%
8081     | HTTP-Alt  | 27,187     | 1.3%
25       | SMTP      | 23,901     | 1.1%
8000     | Various applications | 21,028 | 1.0%

Table 1. Top 10 Exposed IoT Ports

As expected, TCP ports 443, 80 and 22 are the most exposed in the Irish address space. These same three ports are responsible for 65% of port vulnerabilities reported for SMBs (small to mid-sized businesses).[6]

IoT Web Port Exposure

The Internet Assigned Numbers Authority (IANA) assigns TCP port 80 to HTTP, the protocol of the world wide web, and TCP port 443 to HTTPS, HTTP over TLS for secure browser communication.[7] These ports are therefore open almost everywhere, since they are what most people think of as “the Internet.”[8] Half of the top ten ports are HTTP or HTTPS related: 8080 and 8081 are alternative HTTP ports and 8443 is an alternative HTTPS port.

IoT Remote Desktop Protocol Exposure

The fourth most exposed port was TCP 3389, Remote Desktop Protocol (RDP). RDP is Microsoft’s proprietary application-layer protocol for remote access to Windows machines. Its exposure reflects a wider trend driven by COVID-19: as organizations moved to remote working, the number of exposed RDP ports rose by 41%[9] and brute-force attacks against RDP skyrocketed.[10] With Ireland the third most popular EU location for foreign-company headquarters[11] and host to over 30% of all EU data,[12] it is important that workers use RDP securely, which in practice means not exposing it directly to the Internet.

RDP is associated with five critical vulnerabilities: BlueKeep (CVE-2019-0708) and the four DejaBlue bugs (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226). These are exploitable before authentication: an attacker who can reach the RDP service sends specially crafted requests to achieve remote code execution (RCE) without valid credentials.[13] According to the search engine Shodan, 1.63% of Irish hosts with port 3389 RDP open are vulnerable to BlueKeep.[14] There is no equivalent data for DejaBlue exposure.

Other Exposed IoT Ports

The other non-HTTP ports in the top 10 are 21 and 25. There are 30,059 hosts with TCP port 21, FTP (File Transfer Protocol), exposed. FTP is a plaintext protocol for transferring files across the Internet, and IoT devices can use it to push data to an application server or gateway.[15] The protocol is susceptible to brute-force, directory traversal and XSS (cross-site scripting) attacks,[16] credentials and file contents cross the network unencrypted, and FTP servers may have anonymous authentication enabled, which lets anyone log in.

There are 23,901 hosts with port 25, SMTP (Simple Mail Transfer Protocol), exposed. SMTP carries email between servers; an exposed SMTP server that is misconfigured as an open relay can be abused for spam distribution.[17]

What Are the Greatest Malware and Ransomware Threats to IoT Ports?

Malware and ransomware families target particular service ports in order to exploit vulnerabilities in, or brute-force the credentials of, the services behind them. For this assessment a port is counted as vulnerable to a given family if that family is known to target the port. Counting the hosts that expose ports attacked by the most active families therefore shows which families pose the greatest threat to Irish IoT devices. This is an exposure measure rather than a confirmed-vulnerability measure: an open port is a precondition for the attack, not proof that the host is exploitable, so the figures below are upper bounds.

A total of 12.76% of ports used by IoT devices are targeted by malware or ransomware. Malware poses a much larger threat than ransomware, with 10.71% of hosts exposing ports attacked by Mirai, Gafgyt, NyaDrop, Hajime, and Kaiji. Figure 1 gives a breakdown of the threat posed by each malware family.

Figure 1. Malware threats facing exposed IoT ports
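To make the exposure measure concrete, here is an added example (not code from the thesis) that parses Masscan list-format output and applies a port-to-family mapping to produce the per-family counts and the malware-versus-ransomware split described above. The port mapping is an illustrative assumption drawn from public reporting on these families, not the mapping used in the study, and the scan lines are constructed; only Masscan’s `-oL` line layout (`open <proto> <port> <ip> <timestamp>`) is real.

```python
"""Exposure-based threat counting: how many hosts expose at least one port
that a given malware/ransomware family is known to target.

Added example, not the thesis's own tooling. FAMILY_PORTS is an ASSUMED,
illustrative mapping (adjust to your own threat intel); SAMPLE_MASSCAN is a
constructed masscan -oL sample using RFC 5737 documentation addresses.
"""
from collections import defaultdict

SAMPLE_MASSCAN = """#masscan
open tcp 23 203.0.113.10 1593000000
open tcp 80 203.0.113.10 1593000001
open tcp 22 203.0.113.11 1593000002
open tcp 3389 203.0.113.12 1593000003
open tcp 445 203.0.113.12 1593000004
open tcp 443 203.0.113.13 1593000005
open tcp 2323 203.0.113.14 1593000006
open tcp 7547 203.0.113.14 1593000007
open tcp 22 203.0.113.15 1593000008
open tcp 3389 203.0.113.15 1593000009
# end
"""

# ASSUMPTION for illustration only: ports each family is known to attack.
FAMILY_PORTS = {
    "Mirai":         {23, 2323, 7547},   # Telnet brute force, TR-069 (assumed)
    "Kaiji":         {22},               # SSH brute force (assumed)
    "WannaCry":      {445},              # SMBv1 / EternalBlue (assumed)
    "Crysis/Dharma": {3389},             # RDP brute force (assumed)
}
RANSOMWARE = {"WannaCry", "Crysis/Dharma"}


def parse_masscan_list(text):
    """Return {ip: set(open TCP ports)} from masscan -oL output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "open" and parts[1] == "tcp":
            hosts[parts[3]].add(int(parts[2]))
    return hosts


def exposure_by_family(hosts, family_ports=FAMILY_PORTS):
    """Per family: number of hosts with at least one targeted port open.

    A host is counted once per family however many targeted ports it has,
    which is why these are host counts and not port counts.
    """
    return {
        family: sum(1 for open_ports in hosts.values() if open_ports & ports)
        for family, ports in family_ports.items()
    }


def exposure_summary(hosts, family_ports=FAMILY_PORTS, ransomware=RANSOMWARE):
    """Share of hosts exposing any malware-targeted / ransomware-targeted port."""
    n = len(hosts) or 1
    malware_ports = set().union(*(p for f, p in family_ports.items() if f not in ransomware))
    ransom_ports = set().union(*(p for f, p in family_ports.items() if f in ransomware))
    malware_hosts = sum(1 for p in hosts.values() if p & malware_ports)
    ransom_hosts = sum(1 for p in hosts.values() if p & ransom_ports)
    return {
        "hosts": len(hosts),
        "malware_pct": round(100 * malware_hosts / n, 2),
        "ransomware_pct": round(100 * ransom_hosts / n, 2),
    }


if __name__ == "__main__":
    scanned = parse_masscan_list(SAMPLE_MASSCAN)
    for family, count in sorted(exposure_by_family(scanned).items(), key=lambda kv: -kv[1]):
        print(f"{family:<14} {count} hosts")
    print(exposure_summary(scanned))
```

Because a host with Telnet open is counted for Mirai whether or not its credentials are weak, the numbers answer “how many hosts could this family reach?” and not “how many are compromised or compromisable?”; a banner or credential check is needed to narrow the exposure figure down to a vulnerability figure.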

Malware Threats

Hosts are most exposed to Mirai: 232,672 of them expose ports that Mirai attacks, more than for any other family. Mirai and its variants have remained active since 2016, and there is no sign of this subsiding. The Mirai source code is publicly available and new variants are detected frequently.[18]

Mirai is followed by Gafgyt, with 8.96% of hosts exposing ports it targets. Kaiji, discovered in May 2020 and apparently still under development, spreads by brute-forcing SSH;[19] the 184,848 hosts (8.51%) with port 22 exposed are therefore within its reach.

Only 0.62% of scanned hosts expose ports used by Hajime, a worm whose purpose is still unclear. Some reports describe it as a vigilante effort to secure devices against Mirai, while others suspect the botnet is used to proxy malicious traffic or to perform credential stuffing attacks.

Only 0.45% of hosts are potentially vulnerable to NyaDrop, a malware family that infects Linux devices.

IoT Ransomware Threats

Figure 2 gives a breakdown of the threat posed by each ransomware family. Overall, exposed IoT ports are more susceptible to malware than ransomware.

Figure 2. Ransomware Threats Facing Exposed IoT Ports

In Kaspersky Lab’s Q1 2020 threat evaluation,[20] GandCrab was listed as the fourth most common ransomware family attacking users. A total of 42,297 hosts expose ports this family targets.

It is closely followed by Crysis/Dharma, ninth in the same report, with 40,893 hosts exposing ports it targets; this is exactly the number of hosts with RDP port 3389 open, the service Crysis/Dharma operators brute-force to gain entry.

WannaCry was the most common ransomware family attacking users in Q1 2020. As many as 2,550 of the scanned hosts have exposed ports that are attackable by WannaCry.

What IoT Devices Are Most Vulnerable to Being Attacked?

To help figure out the most vulnerable devices, we categorized them into groups based on common services and ports, as seen in Table 2.
 

IoT Device | Ports | Open Ports
Popular SOHO routers | 69, 135, 161, 162, 4786, 5431, 8291, 37215, 53413 | 14,108 (0.65% of exposed ports). CVE-2019-3978 is associated with port 8291.
Surveillance systems, DVRs, NVRs, CCTV, IP cameras, iDVR-E recorders, webcams, home security, drones, VoIP and surveillance apps | 21, 554, 888, 1159, 1160, 1161, 1435, 1518, 3389, 4550, 5005, 5400, 5550, 6550, 7000, 8000, 8081, 8090, 8150, 8866, 9000, 9650, 9999, 10000, 18004, 25001, 30001, 34567, 37777 | 192,755 (8.87% of exposed ports)
Surveillance systems and surveillance apps | 137, 138, 139, 143, 445, 548, 892, 995, 2049, 3260, 4672, 5432, 5511, 6881, 7001, 9997, 9998, 55536 | 56,598 (2.52% of exposed ports)
Other routers, DVRs, NAS, CCTV, home control assistants, home security, video chat | 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 | 20,710 (0.95% of exposed ports). Port 20000 is the most exposed port in this category, responsible for 16.1% of this count.
Gaming consoles, games, printers, P2P audio and video streaming, cellular gateways | 223, 1080, 1935, 2332, 8888, 9100 | 14,642 (0.67% of exposed ports)
Wi-Fi antennas, bridges and access points | 10001 | 19,195 (0.88% of exposed ports)
Google Homes, Chromecasts and smart TVs | 1728, 3001, 8008, 8009 | 6,443 (0.3% of exposed ports)
Wi-Fi routers, BusyBox, conferencing systems, presentation systems, GPON FTTH networks, Wi-Fi cams, personal assistants, set-top boxes, TVRs, iPhone and iPad apps, hotspots, wireless PoE devices, HDRs, gateways, temperature control systems, CCTV-DVR cameras, smart plants, TelePresence, home assistants, DVR servers, home security cameras, smart devices and control monitoring systems, smart sprinklers, iDVR-Pro recorders, Echo, Alexa, lightweight messaging protocol used by small sensors (MQTT), portable SDK for UPnP devices, WAPs, eCam, wireless chipsets, SDKs | 22, 23, 25, 53, 80, 81, 110, 180, 443, 873, 2323, 5000, 5001, 5094, 5150, 5160, 7547, 8080, 8100, 8443, 8883, 49152, 52869, 56000 | 1,795,840 (82.68% of exposed ports)

Table 2. Port Exposure by IoT Device

What Critical Industrial Control IoT Devices are Vulnerable to Known Attacks?

Vulnerabilities in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices can cause great harm if exploited by a malicious actor, because these systems run critical infrastructure such as electrical power stations and water systems. As examples of impact, some of these protocols can be abused to prevent a dam gate from closing or to disable temperature control systems.[21]

As seen in Table 3, ports used by SCADA devices and other critical infrastructure make up 2.38% (51,643) of the exposed ports in Ireland’s IP address space, and the services that normally listen on these ports are associated with 33 CVEs. Note that several of the industrial protocols involved, Modbus/TCP on port 502 and DNP3 on port 20000 among them, were designed without any authentication, so an exposed port is effectively an exposed control interface even where no CVE applies.
 

IoT Device | Ports | Open Ports | CVE Total
PLC & PAC | 102, 2455, 9600, 18245, 18246, 20547, 44818 | 7,377 | 20
ICS, industry automation, SCADA systems and components | 111, 502, 789, 1443, 1911, 1962, 2222, 2223, 2404, 4911, 5006, 5007, 20000 | 44,266 | 13

Table 3. Exposure of ICS/SCADA IoT Systems to known CVEs

What Operating Systems Are Most Likely to be Attacked?

The results of the operating system (OS) fingerprinting can be seen in Table 4. Only 0.002% of OS fingerprints on exposed machines were identified with high confidence. This is because only 3 ports per host were scanned, a necessity given time constraints, which leaves Nmap with too little evidence for an exact match; Nmap’s OS detection works best when it sees at least one open and one closed TCP port on the target, so the matches below should be read as coarse OS families rather than precise versions.
 

Rank | OS & OS Version | Total | % of Overall Matches
1  | Actiontec embedded or Linux 2.4.X | 3.X | 660,056 | 98.839
2  | Actiontec embedded or Linux | 1,706 | 0.256
3  | Linux 2.4.X | 1,338 | 0.200
4  | Actiontec embedded or Linux 3.X | 1,232 | 0.185
5  | Actiontec embedded or Linux 2.4.X | 3.X or Microsoft Windows XP|7|2012 | 889 | 0.133
6  | Actiontec embedded or Linux 2.4.X | 588 | 0.088
7  | Linux 2.4.X|3.X | 481 | 0.072
8  | Microsoft Windows XP|7|2012 or VMWare Player | 308 | 0.046
9  | Actiontec embedded or Linux 3.X or Microsoft Windows XP|7|2012 | 298 | 0.045
10 | Linux 2.4.X or Microsoft Windows XP|7|2012 | 257 | 0.039

Table 4. Most exposed operating systems on frequently attacked ports

Despite the lack of high-accuracy matches, the same operating systems appear consistently in the top three: Actiontec embedded, Linux 2.4.X and Linux 3.X, with Windows XP|7|2012 also appearing repeatedly. These are therefore the operating systems most exposed, and hence most likely to be attacked, on the frequently attacked ports. CVE counts per operating system were not compiled, because CVE’s own search guidance states that results by operating system are incomplete.[22]

Vulnerabilities Associated with the Most Popular Services

An assessment of the most popular service listening on each port was conducted, producing Table 5. Service names ending in “d” (smtpd, telnetd, upnpd) are daemons, a Unix term for “a process that runs in the background and performs a specified operation at predefined times or in response to certain events.”[23] The Port Open Total column counts hosts in the service-detection sample, a far smaller set than the raw exposure counts in Table 1, so the percentages in the following sections are shares of that sample.
 

Port | Service | Service Version | Service Total | Port Open Total
443  | SSL/HTTPS | FRITZ!Box http config | 808 | 6,675
80   | HTTP | AkamaiGHost (Akamai’s HTTP acceleration/mirror service) | 1,591 | 8,119
22   | SSH | OpenSSH 7.4 (protocol 2.0) | 2,277 | 4,332
23   | Telnet | Linux telnetd | 97 | 242
25   | SMTP | Postfix smtpd | 368 | 559
445  | microsoft-ds | Microsoft Windows Server 2008 R2 - 2012 | 141 | 143
5431 | UPnP | Broadcom upnpd 1.0 (UPnP 1.0) | 121 | 121
7547 | cwmp? | Not found | 90 | 138
2323 | 3d-nfsd? | Not found | 12 | 50

Table 5. Most exposed services, by port
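The figures in Table 5 and in the sections that follow (for example “OpenSSH 7.4 makes up 52.56% of services on port 22”) come from tallying Nmap’s version-detection results per port. The following added example, not tooling from the thesis, shows that tally over Nmap grepable (`-oG`) output: the most common version banner per port, its share of hosts with that port open, the share of a port’s hosts whose banner starts with a given product name, and the ports where Nmap only guessed the service (the trailing `?`). The scan lines are constructed with RFC 5737 addresses and banners chosen to resemble the table; the `port/state/proto/owner/service/rpc/version/` field layout is Nmap’s real grepable format.

```python
"""Tabulate the most common service version per port from Nmap -oG output.

Added example, not the study's own code. SAMPLE_NMAP_OG is a constructed
grepable-output sample; the field layout inside the "Ports:" section
(port/state/proto/owner/service/rpc/version/) is Nmap's real format.
"""
from collections import Counter, defaultdict

SAMPLE_NMAP_OG = """# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/
Host: 203.0.113.12 ()\tPorts: 22/open/tcp//ssh//Dropbear sshd 2019.78 (protocol 2.0)/, 7547/open/tcp//cwmp?///
Host: 203.0.113.13 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//ssl|http//FRITZ!Box http config/
Host: 203.0.113.14 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 443/open/tcp//ssl|http//nginx/
Host: 203.0.113.15 ()\tPorts: 443/open/tcp//ssl|http//FRITZ!Box http config/
# Nmap done (constructed sample)
"""


def parse_nmap_grepable(text):
    """Return (ip, port, service, version) for every OPEN port in -oG output."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and "Status:" lines
        ip = line.split()[1]
        for section in line.split("\t"):  # -oG separates sections with tabs
            if not section.startswith("Ports:"):
                continue
            for entry in section[len("Ports:"):].split(","):
                fields = entry.strip().split("/")
                if len(fields) < 7 or fields[1] != "open":
                    continue              # skip filtered/closed ports
                records.append((ip, int(fields[0]), fields[4], fields[6]))
    return records


def top_service_by_port(records):
    """Per port: (most common version, its host count, hosts with port open, share %).

    An empty version field is reported as "Not Found", as in Table 5.
    """
    per_port = defaultdict(Counter)
    for _ip, port, _service, version in records:
        per_port[port][version or "Not Found"] += 1
    table = {}
    for port, versions in per_port.items():
        version, count = versions.most_common(1)[0]
        total = sum(versions.values())
        table[port] = (version, count, total, round(100 * count / total, 2))
    return table


def version_share(records, port, prefix):
    """Share (%) of hosts with `port` open whose banner starts with `prefix`,
    e.g. every OpenSSH release on port 22 regardless of version number."""
    on_port = [v for _ip, p, _s, v in records if p == port]
    if not on_port:
        return 0.0
    return round(100 * sum(v.startswith(prefix) for v in on_port) / len(on_port), 2)


def tentative_services(records):
    """Ports where Nmap only guessed the service from the port number ('?')."""
    return sorted({port for _ip, port, service, _v in records if service.endswith("?")})


if __name__ == "__main__":
    recs = parse_nmap_grepable(SAMPLE_NMAP_OG)
    for port, row in sorted(top_service_by_port(recs).items()):
        print(port, *row)
    print("OpenSSH share on 22:", version_share(recs, 22, "OpenSSH"))
    print("guessed services on ports:", tentative_services(recs))
```

Versions come from banners, so the output names what a service claims to be; it says nothing about whether distribution patches have been backported, which is the main reason version-matching against CVE lists overstates real exposure (see the OpenSSH note below).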

IoT Vulnerabilities Associated with FRITZ!Box Routers

Hosts presenting the FRITZ!Box http config service account for 12.1% of hosts with port 443 SSL/HTTPS exposed (808 of 6,675 in Table 5). FRITZ!Box firmware affected by CVE-2014-9727[24] lets an unauthenticated remote attacker execute arbitrary commands through the router’s web interface. AVM fixed this in firmware updates during 2014, and the banner does not reveal the firmware version, so these hosts are potentially rather than confirmed vulnerable; each needs to be checked for current firmware.

IoT Vulnerabilities Associated with OpenSSH

OpenSSH, which is associated with 98 CVEs, listens on 88.87% of hosts with port 22 SSH exposed. The most common version, OpenSSH 7.4 (protocol 2.0), accounts for 52.56% of services on port 22. Two CVEs are associated with this version: CVE-2018-15919 and CVE-2017-15906.[25] One caveat: OpenSSH 7.4 is the version shipped, with security fixes backported, by long-lived enterprise Linux distributions, so a 7.4 banner does not by itself prove that either CVE is unpatched. Version-banner matching overstates exposure for distribution-maintained packages.

IoT Vulnerabilities Associated with Telnet

Linux telnetd is listening on 40.08% of hosts with port 23 Telnet exposed. These are susceptible to four CVEs [109]: CVE-1999-0740, CVE-2000-1195, CVE-2004-0911 and CVE-2020-8797. Independently of any CVE, Telnet carries credentials and sessions in cleartext, and Telnet on ports 23 and 2323 is the primary entry point for Mirai-family credential brute forcing, so any Internet-exposed Telnet service is a high-priority finding in its own right.

IoT Vulnerabilities Associated with Simple Mail Transfer Protocol (SMTP)

A total of 65.83% of hosts with port 25 SMTP exposed run Postfix smtpd, which is associated with two medium-severity CVEs: CVE-2011-0411 and CVE-2011-1720. The Postfix SMTP server receives mail from the network and, when exposed and misconfigured, can be abused for spam and malware distribution.[26]

IoT Vulnerabilities Associated with Broadcom UPnP

In 2013, DefenseCode researchers disclosed a critical vulnerability in Broadcom’s UPnP implementation that allows an attacker to execute arbitrary code remotely with root privileges.[27] It has been exploited repeatedly, most recently in 2018, when a botnet dubbed BCMUPnP_Hunter compromised up to 100,000 routers that had TCP port 5431 UPnP exposed and Broadcom UPnP enabled.[28] In 2020 a new UPnP vulnerability, CVE-2020-12695 (CallStranger), was disclosed: the Callback header of a UPnP SUBSCRIBE request can be pointed at an arbitrary URL, which lets an attacker exfiltrate data, use the victim’s devices in a reflected DDoS attack, and scan the victim’s internal network.[29] All 121 hosts with port 5431 exposed are potentially susceptible to these vulnerabilities; whether a given host actually is depends on its firmware.

IoT Vulnerabilities Associated with Microsoft Server Message Block

Port 445 microsoft-ds returned a range of server operating systems (Windows Server 2008 R2 to 2012) as the most popular service rather than a single version. There were also 21 instances of Samba smbd 3.X - 4.X listening on port 445. smbd is the Samba server daemon that provides file sharing and printer services.[30] Samba versions from 3.5.0 onward, prior to the fixed releases 4.6.4, 4.5.10 and 4.4.14, are vulnerable to CVE-2017-7494 (SambaCry, also called EternalRed), an RCE in which an attacker can “upload a shared library to a writable share, and then cause the server to load and execute it.”[31] The services on ports 7547 (cwmp?) and 2323 (3d-nfsd?) could not be identified; the trailing question mark is Nmap’s notation for a service guessed from the port number rather than confirmed from a banner.

Conclusion

This project identified the top 10 most exposed IoT ports, Mirai as the greatest malware threat to IoT devices, and GandCrab as the greatest ransomware threat. The IoT devices most likely to be attacked include surveillance systems, IP cameras and webcams. The IoT systems most vulnerable to attack are ICS, SCADA and industrial automation technologies. The services most vulnerable to attack are FRITZ!Box http config on port 443 SSL/HTTPS and OpenSSH. The operating systems most likely to be attacked are Actiontec embedded, Linux 2.4.X and Linux 3.X. The project also found encrypted web traffic (port 443) more prevalent than plaintext web traffic (port 80).

F5 Labs Recommendations

This section was written by F5 Labs, not the study’s author. We wanted to provide some advice on how to mitigate these types of IoT attacks in your environments. F5 Labs recommends implementing the following security controls based on your specific circumstances:

Technical, preventative:
  • Always keep IoT systems up to date with current versions of the firmware.
  • Conduct frequent inventories to maintain awareness of the attack surface.
  • External scans of the environment can help identify vulnerabilities in practice, especially in complex environments.
  • Avoid leaving IoT ports open when not in use.
  • Choose IoT tools that can be hardened and updated easily.
  • Familiarize yourself with the security features included in your devices and applications. You may need to configure things like data encryption, remote wipe, password customization, two-factor authentication, backups, VPN, and malware removal. Using two-factor authentication is now considered a best practice; be sure to turn it on if your devices support it.

Technical, detective:
  • Enable logging and monitoring of all IoT devices so you can detect when systems are compromised.

Footnotes

1 https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/

2 https://blog-assets.f-secure.com/wp-content/uploads/2019/09/12093807/2019_attack_landscape_report.pdf

3 https://www.ip2location.com/database/ip2location

4 https://www.ip2location.com/faqs

5 https://www.cvedetails.com/cve/CVE-2014-9727/

6 Alert Logic, "Critical Watch Report SMB Threatscape 2019", Alert Logic, 2019.

7 https://www.computerworld.com/article/2597255/finding-out-whats-flowing-over-port-80-on-your-network.html

8 https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+Day+25+Port+80+and+443/7450/

9 https://www.zdnet.com/article/kaspersky-rdp-brute-force-attacks-have-gone-up-since-start-of-covid-19/

10 https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/

11 S. Shehadi, "Dublin tops European HQ location rankings", fDi Intelligence, London, UK, 2020.

12 https://www.irishexaminer.com/news/arid-30972368.html

13 https://cve.mitre.org/cve/

14 https://www.shodan.io/search?query=vuln%3ACVE-2019-0708+country%3A%22ie%22

15 M. Martina, D. Stiawan, M. Yazid Idris, R. Firsandaya Malik, S. Nurmaini, N. Alsharif and R. Budiarto, "Investigating Brute Force Attack Patterns in IoT Network", Hindawi - Journal of Electrical and Computer Engineering, vol. 2019, p. 1, 1 April 2019.

16 https://www.globalscape.com/blog/top-4-ftp-exploits-used-hackers

17 http://www.cs.toronto.edu/~simon/howto/smtptunnels.html

18 https://www.f5.com/labs/articles/threat-intelligence/mirai-covid-variant-disregards-stay-at-home-orders

19 https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

20 https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/

21 E. N. Yılmaz, B. Çiylan, S. Gönen, E. Sindiren and G. Karacayılmaz, "Cyber security in industrial control systems: Analysis of DoS attacks against PLCs and the insider effect", in 2018 6th International Istanbul Smart Grids and Cities Congress and Fair (ICSG), Istanbul, Turkey, 2018.

22 https://cve.mitre.org/find/search_tips.html

23 https://www.webopedia.com/TERM/D/daemon.html

24 https://www.cvedetails.com/cve/CVE-2014-9727/

25 https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/Openbsd-Openssh.html

26 https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

27 https://www.zdnet.com/article/iot-botnet-infects-100000-routers-to-send-hotmail-outlook-and-yahoo-spam/

28 https://www.zdnet.com/article/iot-botnet-infects-100000-routers-to-send-hotmail-outlook-and-yahoo-spam/

29 Y. Çadırcı , "About Vulnerability", 8 June 2020. [Online]. Available: http://callstranger.com/

30 https://medium.com/@lucideus/the-eternal-exploitation-bible-lucideus-research-20e3ed541d4

31 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494
