Simple statistics can tell you a lot about the state of security in a market niche. For example, if we'd said that just five passwords would grant you access to 10% of all the IoT devices available online, you'd be right to feel concerned.

According to security researchers from Positive Technologies, this happens because 15% of all device owners don't change the default password for the devices they buy.

This leaves millions of devices exposed online, all using the same password printed in their documentation. Malware authors who want to build botnets use brute-force (dictionary) attacks fed with lists of default passwords to break into these devices, take them over, and add them to a botnet of IoT equipment.

In recent months, this practice has become the de-facto technique that almost any would-be malware author uses to put together a personal DDoS cannon.

Five username-password combos is all you need

After performing several mass Internet scans, Positive Technologies experts concluded that just five username and password combos are enough to get your hands on a large number of IoT devices, whether they are DVRs, IP cameras, routers, smart washing machines, or anything else.

support/support
admin/admin
admin/0000
user/user
root/12345

This list can be expanded with many other username and password combos to improve an attacker's chances of growing a botnet. For example, Mirai, the IoT malware responsible for the biggest DDoS attacks ever recorded, used only 62 username and password combos to create its botnet.

Almost all of today's IoT malware families use this list, plus a few additions of their own that help them brute-force their way into new victims.
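One way a device owner or network defender can spot the credential brute-forcing described above is to watch the device's login log for bursts of failures that cycle through the default usernames from the list. The following is an added example, not code from the article or from Positive Technologies; the log format is a constructed, syslog-like one (real firmware such as BusyBox telnetd or dropbear logs differently, so the regex would need adapting), and the sample lines are constructed.

```python
"""Flag brute-force login attempts against an IoT device's Telnet/SSH service.

Added example, not from the article. Log format and sample lines are
constructed (hypothetical); adapt LINE_RE to your device's real log output.
"""
import re
from collections import Counter, defaultdict

# Usernames from the five default combos quoted in the article. Passwords are
# not written to logs, so detection keys on usernames and failure volume.
DEFAULT_USERS = {"support", "admin", "user", "root"}

# Constructed sample log lines, not real device output.
SAMPLE_LOG = """\
Jan 10 03:14:01 cam01 login[812]: FAILED LOGIN for admin from 198.51.100.7 via telnet
Jan 10 03:14:02 cam01 login[813]: FAILED LOGIN for root from 198.51.100.7 via telnet
Jan 10 03:14:03 cam01 login[814]: FAILED LOGIN for support from 198.51.100.7 via telnet
Jan 10 03:14:05 cam01 login[815]: FAILED LOGIN for user from 198.51.100.7 via telnet
Jan 10 03:14:06 cam01 login[816]: FAILED LOGIN for admin from 198.51.100.7 via telnet
Jan 10 03:14:09 cam01 login[817]: ACCEPTED LOGIN for admin from 198.51.100.7 via telnet
Jan 10 07:22:40 cam01 login[901]: FAILED LOGIN for operator from 203.0.113.5 via ssh
Jan 10 07:22:51 cam01 login[902]: ACCEPTED LOGIN for operator from 203.0.113.5 via ssh
"""

LINE_RE = re.compile(
    r"(?P<result>FAILED|ACCEPTED) LOGIN for (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)"
)


def analyze(log_text, threshold=4):
    """Return a verdict per source IP: failure count, default usernames tried,
    whether it looks like a dictionary attack, and which account (if any) was
    logged into right after a burst of failures (a likely compromise)."""
    failures = Counter()
    default_tried = defaultdict(set)
    success_after_burst = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        src, user, result = m["src"], m["user"], m["result"]
        if result == "FAILED":
            failures[src] += 1
            if user in DEFAULT_USERS:
                default_tried[src].add(user)
        elif failures[src] >= threshold:
            success_after_burst[src] = user
    return {
        src: {
            "failures": failures[src],
            "default_users": sorted(default_tried[src]),
            # Many failures, or cycling through several default accounts
            "brute_force": failures[src] >= threshold or len(default_tried[src]) >= 3,
            "compromised_account": success_after_burst.get(src),
        }
        for src in failures
    }


if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(src, verdict)
```

On the sample above, 198.51.100.7 is flagged as a brute-force source that ended with a successful login as admin, while the single failure from 203.0.113.5 followed by a successful operator login is left alone.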

Devices see tens of thousands of exploitation attempts per day

On top of these credential lists, many malware families also improve their chances of infection by incorporating ready-made exploits for unpatched vulnerabilities, which give an attacker root-level control over the targeted device.

According to Kaspersky Labs, any given IoT device exposed to the Internet today sees tens of thousands of exploitation attempts and brute-force attacks.

Despite this constant danger, very few device owners understand the risk to which they are exposing themselves. Not all change default passwords, and very few update the device's firmware to patch against publicly known exploits. According to Positive Technologies, a device remains unpatched for three to four years on average.

This is a big issue, especially since Kaspersky has noted an explosion in 2017 in terms of the number of IoT malware samples.

Number of IoT samples in recent years

According to Pen Test Partners, more dangerous vulnerabilities lie in wait that could give IoT malware the same boot persistence that desktop malware currently enjoys.

Furthermore, tools like Shodan, Censys, or ZoomEye allow malware authors to identify vulnerable devices exposed online.

For example, via simple Shodan queries, Positive Technologies experts have identified millions of vulnerable routers exposed online via various ports or services.

Vendor devices available on Shodan and the most common ports exposed online on vulnerable devices

These devices can be hacked today. All a malware author needs to do is read some infosec blogs and Reddit threads to keep up with the most recent security flaws as they emerge. And they do emerge, believe us! There has been at least one IoT-related bug report each day for the past few months.

To stay safe, device owners should follow these basic rules:

✓ Change default login passwords
✓ Disable ports and services they don't use (Telnet, SSH, FTP, etc.)
✓ Install firmware updates at regular intervals
✓ Check device settings and make sure the device is not exposing administrative panels over the Internet

Image credits: Positive Technologies, Kaspersky Labs