Almost a year after the emergence of the Mirai botnet, smart devices are still facing a barrage of credential attacks, and a device left connected to the Internet with default credentials will be hijacked in about two minutes.
This is the result of a recent experiment carried out by Johannes B. Ullrich, a member of the SANS Technology Institute. Ullrich bought an Anran DVR system and left it connected to the Internet for two days. Ullrich left the device in its default state, with the Telnet port open to external connections, and with its default credentials intact (root/xc3511).
The researcher logged everything that happened on the device and connected the DVR to a remote-controlled power outlet that reset it every five minutes. Resetting the device was necessary because this action removed any malware from previous infections.
Experiment results: DVR hijacked every two minutes
Results showed that 10,143 “users” connected to the device from 1,254 different IPs during the two-day experiment.
The device was left online for 45 hrs and 42 min, which meant that around every two minutes, someone connected to the device using the default credentials.
| Metric | Value |
|---|---|
| Start Time | Aug 24th 11:53 am |
| End Time | Aug 26th 9:35 am |
| Data Collected | 3,098 MBytes, 36 Million Packets |
| Time Active | 45 hrs 42 min |
| Total connections to the DVR | 10,143 |
| Total login attempts using the “xc3511” password | 1,254 different IPs (every 2 minutes) |
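
A defender running a similar reset-cycled honeypot can compute the same kind of figures from its own logs. The sketch below is an added example, not Ullrich's tooling: it measures how long each power cycle lasted before the first successful login with the default pair. The log format, the sample lines and the documentation-range IP addresses are constructed assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample log, NOT data from the experiment. Assumed line formats:
#   <ISO time> BOOT
#   <ISO time> LOGIN <src_ip> <user> <password> <OK|FAIL>
SAMPLE_LOG = """\
2017-08-24T11:53:00 BOOT
2017-08-24T11:53:40 LOGIN 192.0.2.10 admin admin FAIL
2017-08-24T11:55:05 LOGIN 192.0.2.10 root xc3511 OK
2017-08-24T11:56:30 LOGIN 198.51.100.7 root xc3511 OK
2017-08-24T11:58:00 BOOT
2017-08-24T11:59:50 LOGIN 203.0.113.99 root xc3511 OK
2017-08-24T12:03:00 BOOT
2017-08-24T12:04:10 LOGIN 198.51.100.7 root 12345 FAIL
2017-08-24T12:05:15 LOGIN 198.51.100.7 root xc3511 OK
"""

DEFAULT_CRED = ("root", "xc3511")  # default credentials named in the article


def analyze(log_text):
    """Summarise default-credential logins per power cycle of the device."""
    boot = None          # time of the most recent reset
    taken = False        # already logged into since that reset?
    exposure = []        # seconds from each reset to the first default login
    attempts = 0
    sources = set()      # distinct IPs that logged in with the default pair
    for line in log_text.splitlines():
        f = line.split()
        if len(f) == 2 and f[1] == "BOOT":
            boot, taken = datetime.fromisoformat(f[0]), False
        elif len(f) == 6 and f[1] == "LOGIN":
            attempts += 1
            ts, ip, cred = datetime.fromisoformat(f[0]), f[2], (f[3], f[4])
            if f[5] == "OK" and cred == DEFAULT_CRED:
                sources.add(ip)
                if boot is not None and not taken:
                    exposure.append((ts - boot).total_seconds())
                    taken = True
    return {
        "login_attempts": attempts,
        "default_cred_sources": len(sources),
        "seconds_to_first_login": exposure,
        "mean_seconds": mean(exposure) if exposure else None,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Tracking the first login per boot cycle, rather than dividing uptime by total connections, separates repeat visits by the same bot from the figure that matters for exposure: how long a freshly reset device stays clean.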
Ullrich analyzed the IP addresses using Shodan, and to nobody’s surprise, most of the IPs from where logins originated were traced back to other IoT devices from vendors such as TP-Link, AvTech, Synology, and D-Link, the usual suspects when it comes to botnet cannon fodder.
These devices were most likely infected with IoT malware. Mirai and most of today’s IoT malware families include Telnet or SSH scanners that select random IP addresses and attempt to log in via Telnet or SSH with a list of default credentials.
This type of self-spreading mechanism has been used for years, but it became very popular after the large-scale DDoS attacks carried out with the Mirai malware. After the Mirai malware source code was released online, Telnet and SSH scanners became nearly ubiquitous.
Results similar to 2016 experiment
Last year, in the middle of all the Mirai-powered DDoS attacks, security researchers carried out a similar test by putting an IP-based security camera with default credentials online. IoT malware took control over the camera in 98 seconds (1.5 minutes) on average.
Almost a year after that experiment, the security of IoT devices hasn’t improved at all, and IoT malware scanners are as aggressive as they were last year.
“This problem isn’t going away anytime soon,” Ullrich concluded. “If people haven’t heard yet about vulnerable DVRs and default passwords, then they will not read this article either.”
Ullrich’s experiment comes on the heels of another IoT security woe: last week, security researchers discovered a Pastebin list containing thousands of fully working Telnet credentials.