IOT Security : Trend Analysis

Here, we come up with a most interesting summary of a highly trending topic in Cyber Security - "IOT Security". All devices and networks connected to the Internet form the gamut of IOT. Gartner estimates a 43% increase in IoT devices coming online in 2016. Since, the idea of networking appliances and other objects is relatively new, security was not considered as part of the product design.

Let's take a look at the security issues trending in the IOT space observed in the span of last 6 months.

1) New protocols (Eg. NTP) are used for DDOS (Never knew Time would be used to perform a DDOS attack?)

2) China, Russia, Ukraine, Brazil, and India are the top 5 sources of origin who perform these DDOS attacks.


3) China leads telnet bruteforce scans hunting for IoT devices with default passwords configured.

4) China, followed by Russia, Romania, Brazil, and Vietnam are the most likely locations for Command and Control (C&C) servers.

5) Around 2,174,216 telnet bruteforce scans were observed in last 6 months sourcing from 5,43,819 IP addresses.

6) Telnet scans have increased 140% year over year from July 2015

7) 50% of Telnet attacks were generated from top 13 ASNs

8) Around  6,293,889 SSH bruteforce attacks were observed in last 6 months from 28,616 IP addresses.

9) 92 ASNs comprise 2.1+ million Telnet brute force scans of which four of them are China telecom which comprise of 57% of the total Telnet scan.

10) The top 24 attacking ASNs (contribute >1% individually) combine for a total of 67% of the total attacks.

11) IOT Botnets using more than 52,000 IP addresses were DDOSing from multiple sources port (like port 53, 20000-60000) to fixed common destination port tcp 80.

12) SYN flood on port 80 is also performed with around 2.3 Gbps traffic.

13) 70% of the attacks are not originating from a spoofed source IP address.

14) The attack strategy used is as follows :
    a) Scan for IOT devices which have telnet enabled.
    b) After successful authentication via a bruteforce attack, attacker tries to identify the host's architecture and download the appropriate pack from the CnC server.
    c) Attempts to kill other additional rootkits already present or malware present on the compromised host.
    d) Connects to CNC using commonly used IRC channel.

The blessing and curse of IoT devices is that they are stateless devices which gets reboot under stress. This means their ability to launch attacks is very limited, but once re-infected and they can be leveraged all over again. So the next question to ponder upon is - How many IOT devices have their management ports available online and configured with vendor default passwords ?

All credits to :- F5 LABS THREAT ANALYSIS REPORT