Hitachi Incident Response Team

HIRT-PUB16003 : Cyber attacks Using IoT Devices

Last Update: April 24, 2017

Cyber attacks involving IoT (Internet of Things) devices installed in Linux environments, such as home/small office routers, webcams, network storage systems, and digital video recorders, have become prominent since 2016. HIRT-PUB16003 reports on this recent trend.

1. Overview

IoT is a generic term that refers to devices capable of connecting to the Internet and communicating with each other. An estimated 20.8 billion IoT devices will be in use by 2020 (Figure 1). [1]
[1] Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015

Figure 1: Internet of Things Units Installed Base by Category (Source: Gartner, Inc.)

In particular, IoT devices installed in Linux environments, such as home/small office routers, webcams, network storage systems, and digital video recorders, have been targeted as springboards for Cyber attacks. Many organizations have issued security alerts regarding this topic.

2. Cyber attacks using IoT devices

2.1 Distributed Denial of Service (DDoS) attacks

DDoS (Distributed Denial of Service) attacks that use IoT devices to disrupt operations have been reported (Figure 2).


Figure 2: Distributed Denial of Service (DDoS) attacks for disrupting operations

  • September 20, 2016
    Krebs on Security, a blog covering security issues, encountered a massive DoS attack that reached 620 Gbps.
    KrebsOnSecurity Hit With Record DDoS
  • September 27, 2016
    French hosting provider OVH encountered massive DoS attacks of over 1 Tbps from approximately 150,000 sources.
    The DDoS that didn't break the camel's VAC*
  • October 01, 2016
    The source code of Mirai malware, which is used to remotely control IoT devices running Linux, was released.
  • October 18, 2016
    Level 3 Communications reported the number of IoT devices infected with Mirai.
    Before the source code was released: 213,000
    After the source code was released: Total of 493,000 (increase of 280,000 after the code was released)
    How the Grinch Stole IoT
  • October 21, 2016
    U.S. service provider Dyn came under a large DoS attack of 1.2 Tbps from up to 100,000 sources by bots infected with Mirai malware.
    Dyn Analysis Summary Of Friday October 21 Attack

2.2 Infection attacks

Scans and break-ins to a wide range of IoT devices, in order to control them remotely, have also been reported.

2.2.1 Ports 23/tcp and 2323/tcp

Cyber attacks are targeting IoT devices that are left in their default factory settings or that have simple accounts or passwords set. Infection attacks break into such IoT devices over Telnet. The threat actor can then control the infected IoT devices and use them for further scanning and infection.

Figures 3, 4, and 5 show the results of connecting a single PC (with ports 23/tcp and 2323/tcp enabled) to the Internet. The PC received an average of 1,000 connections from an average of 235 source IP addresses per day, that is, an average of 44 connections from approximately 10 source IP addresses per hour.


Figure 3: Number of connections per day to ports 23/tcp and 2323/tcp, and the number of sources per day


Figure 4: Number of connections per hour to ports 23/tcp and 2323/tcp, and the number of sources per hour


Figure 5: Number of source IP addresses per address block (xxx.0.0.0-xxx.255.255.255)


The results of the observed infection attacks (login attempts, presumably by Mirai malware) can be seen in Figure 6.


Figure 6: Login attempts
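The per-day and per-hour counts of Figures 3 and 4, the per-address-block count of Figure 5, and the login tally of Figure 6 can all be derived from a sensor's connection log with a short script. The following is an added example, not HIRT's own tooling; the log line format and the sample lines are constructed, using documentation address ranges.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a sensor's Telnet-port connection log (not HIRT data):
# "<timestamp> <source IP> <destination port> <account>:<password> or -"
SAMPLE_LOG = """\
2016-10-01T00:12:03 198.51.100.7 23 root:admin
2016-10-01T00:40:51 198.51.100.7 2323 admin:admin
2016-10-01T01:05:17 203.0.113.9 23 root:admin
2016-10-01T01:59:02 192.0.2.44 23 -
2016-10-01T23:30:00 203.0.113.200 2323 support:support
2016-10-02T02:00:09 198.51.100.7 23 root:admin
2016-10-02T02:01:10 192.0.2.45 23 admin:1234
2016-10-02T10:11:12 203.0.113.9 23 -
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (23|2323) (\S+)$")

def parse(log):
    """Yield (timestamp, source IP, port, credential or None) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines and connections to other ports
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group(2), int(m.group(3)), None if m.group(4) == "-" else m.group(4)

def connections_by_bucket(log, fmt):
    """(connections, distinct sources) per time bucket; fmt '%Y-%m-%d' gives the
    per-day view of Figure 3, '%Y-%m-%dT%H' the per-hour view of Figure 4."""
    conns, sources = Counter(), defaultdict(set)
    for ts, ip, _, _ in parse(log):
        key = ts.strftime(fmt)
        conns[key] += 1
        sources[key].add(ip)
    return {k: (conns[k], len(sources[k])) for k in sorted(conns)}

def sources_per_block(log):
    """Distinct source IPs per /8 block (xxx.0.0.0-xxx.255.255.255), as in Figure 5."""
    blocks = defaultdict(set)
    for _, ip, _, _ in parse(log):
        blocks[ip.split(".")[0] + ".0.0.0/8"].add(ip)
    return {b: len(ips) for b, ips in sorted(blocks.items())}

def login_attempts(log):
    """Tally of attempted account:password pairs, the Figure 6 view."""
    return Counter(cred for _, _, _, cred in parse(log) if cred)
```

On a real sensor, feed the whole log file to these functions and average the per-day values to obtain figures comparable with the 1,000 connections and 235 sources per day reported above.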

2.2.2 Ports 5555/tcp and 7547/tcp

Cyber attacks are targeting IoT devices that have a command injection vulnerability in their TR-069 implementation. Infections exploiting this vulnerability deploy malicious programs.

  • November 07, 2016
    It was reported that a command injection vulnerability exists in implementations of TR-069, a standard for remote management of user devices.
    TR-069 NewNTPServer Exploits: What we know so far
  • November 27, 2016
    German ISP Deutsche Telekom encountered an attack by Mirai malware that knocked approximately 900,000 of its customers' Speedport DSL modem/routers offline. According to a report, the attack targeted the TR-069 implementation; the infection attempts failed, but the devices were disabled.
    The "open interface" myth: what really happened


Figure 7 shows the results of connecting a single PC (with port 7547/tcp enabled) to the Internet. The PC received an average of eight connections from an average of three source IP addresses per hour.


Figure 7: Number of connections to port 7547/tcp per hour, and the number of sources per hour


The results of our investigation into a command injection that exploits the vulnerability in the TR-069 implementation (instructing IoT devices to download and run a program called "a" from the Internet website "binpt.**") can be seen in Figure 8.


Figure 8: Command injection exploiting the vulnerability in the TR-069 implementation

3. Countermeasures

3.1 Proactive measures

Protecting IoT devices from Cyber attacks, particularly from the infection attacks that deploy malicious programs (see 2.2), is paramount.

  • Restrict access from the Internet to IoT devices and permit access only from trusted IP addresses.
    Use a firewall (or similar means) to permit access only from trusted IP addresses and block untrusted access from the Internet. Make especially sure that access to the Telnet service (23/tcp and 2323/tcp) provided for remote control of IoT devices, and to the Web interface (80/tcp and 443/tcp), is blocked unless such access is absolutely required.
  • Enable authentication functionality and use a complex password.
    Avoid the following when connecting an IoT device to the Internet:
    * Leaving the device's authentication functionality disabled
    * Keeping the default factory account and password
  • Check for product update information. If a vulnerability is reported, update your firmware.
    Check for update information (for example, on the product vendor's website). If a vulnerability is reported, update your firmware to eliminate the vulnerability.

3.2 Reactive measures

If a malware infection of an IoT device is reported based on information from a third party or by an intrusion detection system, disconnect the IoT device from the network, restart it, and then make sure all proactive measures are taken.

4. Update history

April 24, 2017
  • This webpage was created and published.

Masato Terada (HIRT), Naoko Asai (HIRT) and Naoko Ohnishi (HIRT)