The Commonality of the Brute Force IoT Attack

by: Moshe Elias, Director of Product Marketing, Allot

IoT connectivity is the new way of life. From smart printers and televisions to lamps and baby monitors, the use of IoT devices continues to trend up each year. However, the popularity of these devices is no indicator of their safety. In reality, IoT devices are extremely vulnerable to cyber-attacks, data breaches and brute force attacks, which continue to be the favorite tried and tested method of hackers.

Brute Force IoT Attacks Happen Every Day

In 2016, Mirai, an IoT botnet, launched an attack on the DNS service provider Dyn. This resulted in major Internet-based services, including Twitter, Netflix and CNN, becoming unreachable.

The Mirai botnet was so effective because it was able to infect a huge number of IoT devices that were vulnerable to brute force attacks. Those IoT devices were effectively press-ganged into joining the Mirai botnet army which launched a massive DDoS attack.

Almost three years after Mirai was discovered, the volume of brute force attacks continues to grow, affecting more and more IoT systems and devices, despite reputable vendors such as Microsoft and Apple working to prevent attacks. In a brute force attack on IoT devices, a hacker attempts to access a device or an account by using a list of well-known, hidden and default account credentials. Essentially, the attacker submits combinations of usernames and passwords until one eventually works.
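The pattern described above (one source cycling through many usernames and passwords until a login succeeds) is visible in a device's authentication log. The following detection sketch is an added example, not from the original article or from Allot; the log lines are constructed in the common OpenSSH syslog format, and the thresholds and function name are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Mar 10 03:14:01 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 03:14:02 cam01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Mar 10 03:14:03 cam01 sshd[811]: Failed password for invalid user support from 203.0.113.7 port 40120 ssh2
Mar 10 03:14:04 cam01 sshd[811]: Failed password for invalid user ubnt from 203.0.113.7 port 40126 ssh2
Mar 10 03:14:06 cam01 sshd[811]: Accepted password for root from 203.0.113.7 port 40131 ssh2
Mar 10 08:30:12 cam01 sshd[902]: Failed password for alice from 198.51.100.20 port 51500 ssh2
Mar 10 08:30:20 cam01 sshd[902]: Accepted password for alice from 198.51.100.20 port 51502 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, min_failures=4, min_users=3):
    """Return {source_ip: finding} for sources that look like credential-list guessing."""
    failures = defaultdict(list)   # ip -> usernames rejected so far, in log order
    findings = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append(user)
            continue
        # Accepted login: only a finding if this source was already guessing widely.
        tried = failures[ip]
        if len(tried) >= min_failures and len(set(tried)) >= min_users:
            findings[ip] = {"failures": len(tried), "users": sorted(set(tried)),
                            "compromised_account": user}
    # Sources that guessed widely but were never accepted.
    for ip, tried in failures.items():
        if ip not in findings and len(tried) >= min_failures and len(set(tried)) >= min_users:
            findings[ip] = {"failures": len(tried), "users": sorted(set(tried)),
                            "compromised_account": None}
    return findings

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

Requiring several distinct usernames keeps a legitimate user who mistypes a password once (the second source in the sample) out of the findings, while a success that follows a guessing run is reported with the account that should be treated as compromised.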

IoT Devices Are the Main Targets of Brute Force Attacks

The current number of brute force attacks per device and the number of unique attackers is alarmingly high. According to a recent Allot report, Telnet and SSH brute force attacks account for nearly 70% of all IoT attacks. This is because these attacks are very easy to implement. Using readily available scripts, one can connect to thousands of devices in minutes.

Furthermore, most IoT device manufacturers do not feel responsible for the security of their devices, resulting in devices that ship with inherent security flaws. As a result, consumers who do not have enough understanding or knowledge about IoT security are at increased risk. Even if a user has some security understanding and changes the default password, which many do not, devices still have hidden, hard-coded accounts that can be leaked, inviting attackers to unleash a brute force attack.

Making life even easier for hackers is the fact that OEM or white-labeled devices reuse hardware and/or code, perpetuating vulnerabilities.

Sourcing Credentials

There are more than 25,000 different sets of credentials used for brute forcing Telnet and SSH alone. Roughly 50% of these frequently used credentials are hardcoded into the botnet variant’s source code, and the others are quickly accessible on the Internet. Further analysis of these credentials makes it clear that they can be categorized into two groups. The first group, representing 27% of attacks, contains generic credentials, such as “root:root”, “root:1234” and “admin:admin”, which are used by a large variety of devices. The second group is device-specific, containing credentials for specific types of IoT devices, including servers, controllers, routers, and printers. In this group, by far the most hackable devices are IP cameras, accounting for 27% of all IoT brute force attacks.

The analysis of IoT brute force attacks reveals that attackers are constantly expanding their database of default credentials and trying to attack additional SSH, Telnet and HTTP ports to improve their existing IoT malware capabilities. Until IoT vendors significantly improve credential handling, brute-force attacks will most likely remain the most popular method in the future.

But this doesn’t mean that hackers won’t come up with more advanced forms of hacking. New IoT attack methods are on the rise. While some are related to exploiting additional ports and protocols and advancing brute force attacks, others use self-packing and persistence methods to make attacks more difficult to detect and protect against.

With attackers getting smarter by the minute, Internet Service Providers (ISPs) have the unique opportunity to deliver both network and CPE-based IoT security services for the connected home and to protect devices from brute force attacks. Not only can ISPs play an active role in protecting end users; they can also educate them to form a collaborative alliance against brute force attacks that aim to sabotage the network using vulnerabilities in IoT devices.