Executive Summary
In this fifth volume of F5 Labs’ The Hunt for IoT report series, we examine the data on global attacks against Internet of Things (IoT) devices from January through June 2018. In early 2017, Gartner—one of the most conservative analyst firms when it comes to IoT projections—expected IoT devices to surpass 8.4 billion in 2017 and grow to over 20.4 billion by 2020.[1] That’s a staggering 143% growth rate over three years. The current global population is 7.6 billion and growing at a comparatively minuscule rate of about 1% per year.[2]
With IoT devices already outnumbering people, and a projected IoT growth rate that far outpaces global population growth, the Internet is running us now, not the other way around. These devices are being used everywhere for everything—controlling virtually every aspect of our lives. Most of us are so bought into the idea of constant and pervasive “connectedness” that we are becoming the “things” of the Internet, which leads us to the following startling conclusions:
Insecure IoT affects everyone. You don’t have to be able to afford a smart home or own a smartphone to be impacted by compromised IoT devices. The moment you step outside, you can be watched. The CIA spoke about this problem recently, saying compromised wearables and IP cameras were enabling their agents’ locations to be tracked.[3] F5 Labs published stories about attacks against IoT devices within the vicinity of President Trump during his meetings with Kim Jong-Un in Singapore and with Putin in Finland. These attacks were likely efforts by both adversaries and friendly nations trying to gain access to those meetings through IP cameras, VoIP phones, or video systems within proximity of the targets of interest. Governments can target anyone from a regular Joe all the way up to a President, Chairman, or Prime Minister. With help from Dutch intelligence services, the UK was able to attribute attacks against its own television stations to Russian operatives by hacking into CCTV cameras, watching the accused Russian operatives’ activities and collecting their keystrokes.[4][5]
You want privacy? Get off the grid. Governments are deploying IP cameras in major cities for surveillance, allegedly to improve public safety, but many believe they’re there just to spy on civilians. The entire city of Camden, New Jersey has been under surveillance since 2013.[6] In the UK, widely regarded as one of the most surveilled countries in the world, Londoners can expect to be monitored through CCTV cameras. In 2012, 300 CCTV cameras were deployed;[7] however, the number is probably much higher now. In China, surveillance is welcomed. Citizens like the convenience of purchasing products based on facial recognition and are proud of having a “good citizen” score.[8] China also deployed flocks of “doves”—drones in the shape of doves—to spy on its citizens.[9] In April 2018, US-CERT issued a warning that Russia was compromising Small Office Home Office (SOHO) routers inside US homes and businesses to spy on civilians, collect data, and use it to inform their social media propaganda.
Human life is at stake. So far, our research in the Hunt for IoT report series has focused on WiFi-connected IoT devices, but there are also cellular-connected IoT devices. These are often gateways into critical infrastructure and equipment that supports human life, such as police cars, fire trucks, and ambulances; critical Industrial Control Systems (ICSs); and other critical systems that need stable, long-range connectivity. These cellular devices have the same weak access control problems traditional IoT devices have (open to the entire Internet and “protected” with vendor default credentials), and many also provide GPS tracking as they are typically used in fleet vehicles. These devices give away GPS coordinates without authentication. At Black Hat 2018, F5 Labs released this research, which included a video of a police car’s route as the officer drove around throughout the day. Simple pattern recognition can identify a police car and where the officer lives in less than six minutes.
Our homes have been weaponized against us. Outside of the routine use of SOHO routers, DVRs, and IP cameras, things like your TV, oven, refrigerator, Amazon Alexa, Siri and Google Assistant,[10] Keurig coffee maker (yes, we have attack traffic coming from a Keurig), and toys[11] have been breached and are used to spy, collect data, or launch attacks.
IoT is beating people in the “weakest link” contest. It’s easier to compromise an IoT device exposed to the public Internet and “protected” with (known) vendor default credentials than it is to trick an individual into clicking on a link in a phishing email. Businesses are getting compromised through the unassuming IoT devices they’re using in their networks because the devices are often considered “facilities” devices and are managed by third parties who are not concerned with security, rather than by the organization’s internal corporate IT and security teams. A casino in Europe was breached through the thermostat in its fish tank.[12] US retailer Target was breached through its HVAC system.[13] A university in the US lost its Internet service after an attack that involved 5,000 devices on its IoT network.[14]
Building multi-purpose attack bots from “things” is popular in the attacker community now. Script kiddies are learning to build bots from YouTube videos and launching damaging DDoS attacks. Seventy-four percent of the thingbots we know about were developed in the last two years. Thirteen thingbots have been discovered in 2018 alone, and they are no longer single- or dual-purpose bots. There has been a shift to multi-purpose attack bots for hire that deploy proxy servers. You can launch any attack of your choice or install other bots using multiple attack options.
The need for secure IoT has never been more critical. We publish where the attacks are coming from (source countries, ASNs, industries, and IP addresses), where the attacks are headed (destination country or region), and the top 50 attacked admin credentials—the credentials attackers use first in brute force attacks—in hopes that the owning entities (primarily telecom companies and hosting providers), will do something about the malicious traffic. We also publish this information so that defenders can use it defensively within their own networks and look for indicators of compromise.
As promised in The Hunt for IoT: The Growth and Evolution of Thingbots (volume 4), we have broadened the scope of attack data collected to include services routinely used by IoT devices (beyond telnet). Twenty of the top ports commonly used by IoT devices are profiled in this report. Here are the key findings from attack data collected from January 1 through June 30, 2018:
- IoT devices are now the number one attack target on the Internet, surpassing web and application servers, email servers, and databases (that shouldn’t be accessible on the Internet).
- As expected, telnet attacks are in decline as we think most of the IoT devices listening on port 23 have already been swept up in existing thingbots.
- March saw a large spike in attack traffic that targeted every port we are now tracking related to IoT. Given the industry breakdown of source traffic, 84% of which came from telecom companies, it’s likely this traffic is growth of existing thingbots running off of IoT devices inside telecom networks.
- SSH brute force is the number one attack type targeting IoT devices, followed by telnet.
- IP addresses in Iran and Iraq that we haven’t previously seen attacking jumped into the Top 50 attacking IP addresses list.
- All (100%) of the top 50 attacking IP addresses were new in this period (five ASNs on the top 50 list have had offending IP addresses previously on the top 50 list; the IP addresses used in their networks for this period are new). In The Hunt for IoT, volume 4, we reported that 74% of the top attacking IP addresses were repeat offenders. (Did those infected systems finally get cleaned up, we wonder?)
- Spain was the top attacked (destination) country, receiving 80% of the period’s attacks. Spain has been the #1 attacked country for the past year and a half. Clearly, Spain has an IoT security problem.
- Brazil was the top attacking (source) country followed by China, Japan, Poland, and the US.
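Because SSH brute force against default admin credentials is the leading attack type in this period, defenders will want to spot it in their own logs. The following is an added example (not F5 Labs code or data): it parses constructed sshd authentication lines, flags a source that fails repeatedly inside a short window, and lists the usernames it tried, which is how a defender can surface attackers cycling through vendor default accounts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the report); RFC 5737 test addresses.
SAMPLE_LOG = """\
Mar 14 02:11:03 gw sshd[911]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:04 gw sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 14 02:11:05 gw sshd[913]: Failed password for invalid user support from 203.0.113.7 port 51024 ssh2
Mar 14 02:11:06 gw sshd[914]: Failed password for invalid user user from 203.0.113.7 port 51025 ssh2
Mar 14 02:11:07 gw sshd[915]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 14 02:11:08 gw sshd[916]: Failed password for invalid user ubnt from 203.0.113.7 port 51027 ssh2
Mar 14 02:30:00 gw sshd[950]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Mar 14 02:31:00 gw sshd[951]: Accepted password for alice from 198.51.100.9 port 40011 ssh2
Mar 14 05:00:00 gw sshd[970]: Failed password for invalid user admin from 192.0.2.5 port 33001 ssh2
"""

# Matches OpenSSH "Failed password" lines for both known and invalid users.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(text, year=2018):
    """Return a list of (timestamp, username, source_ip) for each failed SSH login."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Map source_ip -> (total_failures, usernames_tried) for sources with >= threshold failures in any window."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-ordered failures
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = (len(evs), sorted({u for _, u in evs}))
                break
    return flagged

def top_targeted_usernames(events, n=5):
    """Most-attempted usernames, the local counterpart of the report's top attacked credentials."""
    return Counter(user for _, user, _ in events).most_common(n)
```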
Introduction
Twelve billion new IoT devices are expected to be deployed by 2020. That is an astonishing number. What will these devices be doing? Roughly half of the world’s population has Internet access,[15] so there is a lot of room to grow, which means we will continue to see more homes, businesses, and cities lit up with connectivity. We already have Internet-enabled dishwashers, ovens, toasters, fridges, and coffee makers. Verizon recently announced it is opening up 5G residential service that can serve speeds of up to 1 Gbps.[16] That’s more than enough bandwidth to support every appliance in your kitchen; entertainment, lighting, and heating systems; smart TVs, gaming systems, DVRs, streaming TV sticks—and likely several computers. Imagine the attack size of a thingbot made from a 1 Gbps home router!
Drones will have their own air space assigned for package delivery and monitoring services. There will be more cameras watching traffic, people, buildings, and homes. Certain types of stores can become completely automated and cashier-less, like the Standard Market[17] in San Francisco, which uses security cameras to watch what items customers pick up, and then charges them appropriately. The investment firm behind this operation estimates it will add this technology to 100 stores per month by 2020.
Compromising digital displays has been a popular IoT attack since Defcon in 1999 when hackers changed the hotel displays to show pornographic images. There are many cases of this same kind of hacktivism with freeway displays and digital signs on buildings. In 2016, Chinese hackers allegedly changed the digital displays in Vietnam’s two most popular airports to display propaganda about the South China Sea battle.[18] The F5 Labs research project looking into cellular IoT gateways started with an infected airport display at one of the world’s busiest airports. That system had 39 threat actors actively connected who could have changed the airport displays but were instead using the system to launch other attacks. Just last month (September 14–15, 2018), cyber criminals attacked digital displays at the Bristol airport in the UK and installed ransomware. Airport officials chose to not pay the ransom and moved to manual operations for two days, which required handwritten flight schedules. Busier airports would likely not be able to function manually and would pay the ransom to get up and running faster.
Attackers have been busy discovering and infecting as many of those 8.4 billion things as they can. Thirteen thingbots were discovered in the first half of 2018 in comparison to six being discovered in all of 2017, and nine in 2016. We monitor the discovery of thingbots, what types of devices they infect, how they infect the devices, and what attacks they launch to discover patterns. Below is a profile of the 13 thingbots discovered in 2018:
- VPNFilter[19] collects credentials, installs a network sniffer to monitor ICS protocols, and installs Tor nodes.
- Wicked[20] targets SOHO routers, CCTV, and DVRs, and installs SORA and OWARI, both of which are rentable bots.[21] At the time of its discovery, Wicked was the tenth Mirai spinoff bot.
- Roaming Mantis[22] preys on WiFi routers as well as Android and iOS phones, and conducts DNS hijacks and mines cryptocurrency on compromised devices.
- Omni[23] compromises GPON home routers to use for crypto-jacking or DDoS attacks.
- UPnProxy[24] is sweeping up SOHO routers and installing proxy servers on them that bypass censorship controls; launch spam and phishing campaigns; conduct click fraud, account takeovers, and credit card fraud; launch DDoS attacks; install other bots; and distribute malware.
- OWARI[25] compromises SOHO routers and is available as a multi-purpose attack bot for hire.
- SORA[26] compromises SOHO routers and is available as a multi-purpose attack bot for hire.
- DoubleDoor[27] targets SOHO routers behind Juniper home firewalls, then installs proxy servers from which an attacker can launch any attack of choice.
- OMG[28] compromises SOHO routers, wireless IP cameras, and DVRs and then installs proxy servers from which the attacker can launch any attack of choice.
- JenX[29] compromises SOHO routers and wireless chipsets from which to launch DDoS attacks. JenX is a DDoS-for-hire service offering 300 Gbps attacks for $20.00.
- Hide’n Seek[30] compromises IP cameras. We don’t know what attacks it launches yet.
- Pure Masuta[31] compromises home routers. We don’t know what attacks it launches yet.
- Masuta[32] compromises home routers and launches DDoS attacks.
The most commonly infected IoT devices, as determined by their participation in bots, are SOHO routers followed by IP cameras, DVRs, and CCTVs.