With the maturity of sensing, computing, and communication technologies, the Internet of Things (IoT) will be more and more widely used in various industries. Gartner, a market research agency, predicts that endpoints of the IoT will grow at a 33% CAGR from 2015 through 2020, reaching an installed base of 20.4 billion units, with almost two-thirds of them consumer applications. Spending on networked consumer and business endpoints will displace non-networked, growing at a 20% CAGR to $2.9 trillion. In 2016, IoT was written into the Thirteenth Five-Year Plan, which pointed out that efforts should be made to push the development of cloud computing and IoT, promote the planning layout of IoT-aware facilities, and develop open-loop IoT application. This suggests that the government attaches great importance to various types of IoT infrastructure and applications strategically.
Meanwhile, many IoT devices and applications are facing severe security challenges. On September 20, 2016, the famous security journalist, Brian Krebs’s website, KrebsOnSecurity.com, was attacked by a large-scale distributed denial-of-service (DDoS) attack, whose traffic peaked at 665 Gbps. Brian Krebs speculated that this attack was launched by means of the Mirai botnet. On the same day, France-based hosting service provider OVH became a victim of the record-breaking DDoS attacks that reached 1 Tbps, with peak traffic of 1.5 Tbps. On October 21, 2016, Dyn, a US-based DNS provider, received a global DDoS attack, whose attack source was confirmed to be the Mirai botnet. This attack finally led to a massive network outage in the east coast of the United States. On November 28, 2016, a new Mirai variant disrupted Deutsche Telekom services. The reason why Mirai botnets are widely spread is that IoT devices exposed on the Internet are prone to security issues, such as weak passwords.
It is important to note that a majority of Mirai-infected IoT devices are directly exposed on the Internet. Therefore, it is noteworthy to research on exposed IoT assets. A feasible research methodology is to locate related IoT devices by using cyberspace search engines.
Unlike Internet search engines (such as Google and Baidu), cyberspace search engines (such as NTI, Shodan, and ZoomEye) focus on IP addresses, corresponding devices, and services running on these devices. NSFOCUS Threat Intelligence (NTI) is a threat intelligence platform of NSFOCUS. According to detection results, security researchers can find vulnerabilities and quickly grasp the global distribution of such vulnerabilities.
In 2016, Trend Micro released a research report based on Shodan data, which analyzed the exposed six key sectors (the government, emergence services, healthcare, utilities, finance, and education) on the Internet in America. At the 2017 RSA Security Conference, a researcher from Trend Micro delivered a keynote speech on the report content. In the IoT-related analysis, the report mainly focuses on the industrial control system. Though video surveillance devices and routers are mentioned, they are not the focal point and only mentioned as products detected in an industry.
In the context that IoT-related security issues are attracting more and more attention, it is necessary to analyze and identify IoT assets exposed on the Internet. Related data can be obtained for analyzing IoT security situation, solutions, and technically assessing vulnerabilities and risks.
In terms of the technical roadmap, considering the great differences between China and international IoT systems and products, this paper mainly analyzes IoT assets in China and describes their exposure to illustrate what services are accessible on the Internet and potential security problems, with the purpose of raising the public awareness of IoT threat defense.
It is worth noting that, when an IoT device is exposed on the Internet, this does not necessarily mean that this device is vulnerable, but suggests that it is at risk of being attacked and exploited. For example, for a device that allows users to log in by typing a correct user name and password, if the user adopts a complex password, this device is not prone to a weak password vulnerability. However, once exposed on the Internet, the device will have a larger attacker surface. In an unexpected security event (such as heartbleed), the vulnerability in its Internet-exposed services will be found and exploited.
This analysis is conducted based on NTI, ZoomEye, and Shodan data. There are mainly two data sources: One is information about the devices identified by search engines. If believing such information correct, we will directly use such information, for example, using “service:DAHUA-DVR” as the keyword on NTI to search for information about Dahua DVRs. The other data source is the search results of vendor names and models. We will observe the search results and then adjust search keywords until satisfactory results appear. Here, take routers as an example. We first search for most models of mainstream home routers. For Hikvision products, we find that the banner information of some services of their cameras contains “Server: Hikvision-Webs”. Therefore, we can use this character string as the keyword to search for Hikvison cameras.
Banner information refers to the return information received by search engines in the process of detecting IP addresses and ports. Take an HTTP message as an example. The received result contains HTTP headers and body. “Server: Hikvision-Webs” resides in the HTTP header section.
By analyzing common IoT devices and OSs, we find as follows:
- Hikvision and Dahua have the most exposed network surveillance devices. Coastal provinces in the southeastern part of China witness the most exposed devices.
- Most routers exposed to China’s Internet are of domestic brands. The ports of these exposed routers mainly adopt UPnP and FTP protocols. The Sales of routers from Internet vendors are booming, with few exposed on the Internet.
- Thousands of routers in China are infected with malware Linux.Wifatch. The security situation of routers is not optimistic
- Hong Kong and Taiwan have the most exposed network printers, accounting for over 95% of the printers.
- The reason why most devices carrying an OS are probed is that they are deployed on the Internet with no default settings changed. For example, among the 7924 ports opened for the HTTP service on devices running DD-WRT, 22.6% are exposed because their titles contain “DD-WRT (build xxxxx=”infopage”>”. 98.6% devices running uClinux contain such banner information as “Server: uClinux/220.127.116.11 UPnP/1.0 MiniUPnPd/1.3”.
- For a device that runs DD-WRT or uClinux and functions as a router, performing network address translation (NAT) makes it possible for its IP address to embody combined properties of multiple devices.
Based on scanning data of NTI, Shodan, and ZoomEye, we analyzed IoT assets located in the Chinese territory from two perspectives: One is the distribution of various devices on the Internet and the other is the exposure of IoT operating systems on the Internet.
Owing to the limited time and energy, we cannot guarantee that our analysis covers all types of devices and all operating systems in use. And even for the covered device types and operating systems, we cannot safely say that all related data is 100% accurate. In spite of this, we tried our utmost to ensure the comprehensiveness and accuracy of data by basing our research on the comparison and analysis of data from three search engines instead of relying only on one search engine. Then, our purpose is to call people’s attention to the necessity and urgency of IoT protection by revealing the exposure of IoT devices on the Internet. In this sense, a few omissions or some noisy data will not prevent readers from understanding our viewpoints presented in this article.
This article dwells upon such IoT devices as video surveillance devices, routers, and printers. In future, we will analyze the exposure of more devices and may update data provided here as necessary.
Based on our findings, we recommend users and vendors to do the following for their IoT devices:
- Enhance security of user names and passwords by changing initial passwords and weak passwords.
- Disable unused ports such as ports 21 (FTP), 22 (SSH), and 23 (Telnet).
- Upgrade device firmware in time.
- For the first use of devices, force users to change the initial password and check the complexity of passwords set by users.
- Provide an automatic online upgrade option for device firmware to reduce the exposure of networked devices to security risks.
- Provide default settings according to the principle of opening the fewest ports required to reduce the possibility of ports exposed on the Internet.
- Set access control rules to strictly control external access from the Internet.
For a complete breakdown and analysis of vulnerable IoT devices and OS’s please download the following white-paper below.