Remember the poor goat tied to the fence in Jurassic Park, the bait used to lure the T-Rex into the open? Think of cyber honeypots as something similar: monitored machines, mimicking connected smart devices, placed on networks to tempt attacks. And just as the T-Rex soon took its bait, so the research team at Kaspersky has had no shortage of hits on the honeypots it has set up. “So far,” the team says, “we have collected results for more than a year—we have deployed more than 50 honeypots around the world, with 20,000 infected sessions every 15 minutes.”
The rush to connectivity under the broad headline of IoT has left us far more vulnerable than before. Unlike computers and phones, most of these smart devices are essentially plug and play. We neglect to update firmware, and where additional security options are available, we rarely take them. As a result, attacks on these devices have become the low-hanging fruit for nation states, cybercriminals and opportunists alike. “The main problem with these IoT/embedded devices,” Kaspersky warns, “is that one simply cannot install any kind of security software.”
Kaspersky operates different types of honeypots, with varying levels of sophistication to trick multiple types of malware. The intent is to encourage an attack to drop its payload where it can be recorded and investigated. Given that honeypots are networked within an ecosystem that is linked to the researchers themselves, there is risk with such an approach. “A system vulnerable to attack or a system under attack can put you and others at risk.” Threat actors also become wise to the methods, monitoring honeypots, “so after some time, public IP addresses may get flagged by cybercriminals, which results in fewer attacks… there are lists of ‘honeypot IPs’ traded in darknet markets.”
The most serious aspect of Kaspersky’s warning isn’t actually the truly black-box devices, where a user has no ability to enhance security; it’s the middle ground: smart devices that do offer protective options which few users ever take. Within the surging IoT market, attacks brute force the common login credentials used by routers, printers, cameras and other devices, and the honeypots recorded which pairs were tried. The Kaspersky team captured the login details: “the most common combination by far is ‘support/support’, followed by ‘admin/admin’, ‘default/default’ and ‘root/vizxv’. The first three entries are self-explanatory, but the fourth one is quite interesting: it is the default password for a vulnerable IP camera.”
If you have the option to change the default login details, both username and password, for any of the smart devices in your home or workplace, then quite obviously you should. This report is a timely warning. If you don’t, you’re vulnerable to attack.
In addition to the nightmare scale of attacks, the speed with which opening a port lured malicious traffic, almost immediately, was notable, as was the sophistication of the probing. And the rate of overall growth is frightening. In the first six months of 2019, the team’s Telnet honeypots saw “more than 105 million attacks that originated with 276,000 unique IP addresses.” This compares to “12 million attacks, originating with 69,000 IP addresses” in the same period of 2018. The team also detected “a steady trend” for repeat attacks from the same origins, “suggesting increasingly persistent attempts at infecting devices previously known to the attackers.”
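The two measurements above, which credential pairs a Telnet honeypot sees most often and which source addresses keep coming back, are straightforward to extract from a honeypot's own login log. The script below is an added example written for this article, not Kaspersky's tooling; the log line format is an assumption loosely modelled on text-logging honeypots, and the sample lines are constructed rather than captured. It parses the attempts, ranks the credential pairs, flags sources seen on more than one day, lists the attempts the honeypot reported as successful, and measures what share of attempts used the four default pairs named in the findings.

```python
"""Aggregate brute-force login attempts from a Telnet honeypot log.

Added example, not Kaspersky's tooling. The line format is an assumption
modelled loosely on text-logging honeypots; the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format):
# <ISO timestamp> [<session>,<src ip>] login attempt [<user>/<password>] <result>
SAMPLE_LOG = """\
2019-05-03T01:12:07Z [s1,198.51.100.7] login attempt [support/support] failed
2019-05-03T01:12:09Z [s1,198.51.100.7] login attempt [admin/admin] failed
2019-05-03T01:12:11Z [s1,198.51.100.7] login attempt [root/vizxv] succeeded
2019-05-03T02:40:51Z [s2,203.0.113.44] login attempt [support/support] failed
2019-05-03T02:40:53Z [s2,203.0.113.44] login attempt [default/default] failed
2019-05-04T11:03:22Z [s3,198.51.100.7] login attempt [support/support] failed
2019-05-04T11:03:24Z [s3,198.51.100.7] login attempt [admin/admin] succeeded
2019-05-06T17:55:02Z [s4,198.51.100.7] login attempt [root/vizxv] failed
2019-05-06T19:01:40Z [s5,192.0.2.9] login attempt [support/support] failed
this line is not a login attempt and must be ignored
"""

# Password is matched lazily up to the closing bracket so it may contain '/'.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ "
    r"\[(?P<session>[^,\]]+),(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*?)\] (?P<result>\w+)$"
)

# The four default pairs quoted from the Kaspersky findings.
KNOWN_DEFAULTS = {("support", "support"), ("admin", "admin"),
                  ("default", "default"), ("root", "vizxv")}


def parse_log(text):
    """Return one dict per login-attempt line; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def top_credentials(attempts, n=5):
    """Most frequently tried (user, password) pairs with their counts, descending."""
    return Counter((a["user"], a["pw"]) for a in attempts).most_common(n)


def persistent_sources(attempts, min_days=2):
    """Source IPs seen on at least `min_days` distinct days: the repeat offenders."""
    days = defaultdict(set)
    for a in attempts:
        days[a["ip"]].add(a["day"])
    return {ip: sorted(d) for ip, d in days.items() if len(d) >= min_days}


def successful_logins(attempts):
    """(ip, user, password) for every attempt the honeypot reported as a success."""
    return [(a["ip"], a["user"], a["pw"])
            for a in attempts if a["result"] == "succeeded"]


def default_credential_share(attempts):
    """Fraction of attempts that used one of the known default pairs."""
    if not attempts:
        return 0.0
    hits = sum((a["user"], a["pw"]) in KNOWN_DEFAULTS for a in attempts)
    return hits / len(attempts)


def summarize(text):
    """Run every measurement over a log and return them as one dict."""
    attempts = parse_log(text)
    return {
        "attempts": len(attempts),
        "unique_ips": len({a["ip"] for a in attempts}),
        "top_credentials": top_credentials(attempts),
        "persistent_sources": persistent_sources(attempts),
        "successful_logins": successful_logins(attempts),
        "default_credential_share": default_credential_share(attempts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the aggregates for the constructed log; point `summarize` at a real honeypot log once `LINE_RE` is adjusted to that honeypot's line format. The per-day grouping in `persistent_sources` is the part worth keeping: a single source that returns across days is a far stronger signal of a targeted campaign than raw attempt counts, which any scanner sweep inflates.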
This new research is consistent with others. Last month, F-Secure warned that cyber attacks on IoT devices have increased 300% to more than 2.9 billion events. And as with Kaspersky’s findings, Telnet attacks and Chinese attackers topped the lists.
In August, Microsoft warned that smart devices are vulnerable enough that it had intercepted nation state attacks on high-profile targets conducted through a VoIP phone, a printer and a video decoder. Unsurprisingly, given the Kaspersky findings, Microsoft reported that two of the three devices still carried factory security settings, and the software on the third hadn’t been updated.
As we continue to connect more devices to home and work networks, the recommendations are simple: update firmware regularly—a challenge for many businesses that do not inventory or monitor IoT devices in the same way as servers and computers; change login details from the defaults—and keep a record of what you select, ideally in a password manager rather than on a sticky note; and take some care as to how many cheap devices you bring inside your firewalled home or office. Convenience could come at a significant price.