by Tony Yang, Adam Huang, and Louis Tsai
We have noted time and again how compromising networks and connected devices is rooted in finding weak points in the system. Often, these are in the form of vulnerabilities. Worse, vulnerabilities that aren’t even new. In the context of the internet of things (IoT) and noteworthy security incidents related to it, these vulnerabilities have afforded attackers means to use unsecure devices to facilitate malicious activities such as distributed denial-of-service (DDoS) attacks.
Using our IoT scanning tool, we looked into home and other small network environments and the vulnerabilities that connected devices usually encounter. Our findings homed in on known vulnerabilities, IoT botnets with top vulnerability detections, and devices that are affected.
From April 1 to May 15, we observed that 30 percent of home networks had at least one vulnerability detection. A detection would mean that we found at least one connected device being accessed through a vulnerability in the network. Our scanning covered different operating systems (OSs), including Linux, Mac, Windows, Android, iOS, and other software development kit (SDK) platforms.
Known vulnerabilities affecting IoT and other connected devices
What’s particularly interesting in our findings is that the top detections were not the usually expected weaknesses in the home network. While we still saw a number of default password logins attributed to default credentials like those used with the Mirai and Brickerbot malware, the recent top detected vulnerabilities (as seen in Figure 1) were actually those that had been known over the past few years.
Figure 1. Top 10 vulnerabilities in connected devices
Being the gateways to internet-connected devices in networks, routers were unsurprisingly the devices on which most of the vulnerabilities were found. The highly publicized Poodle vulnerability in Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), for example, was found to mostly affect routers as well as printers; attackers who successfully exploit the vulnerability can decrypt any encrypted traffic that they are able to capture. Drown, another well-known vulnerability, was also found to primarily affect routers; it affects Hypertext Transfer Protocol Secure (HTTPS) and any server or client that allows SSLv2 and TLS connections.
The vulnerability exploited by the WannaCry ransomware remains pervasive, as it also makes an appearance in our top detections. Other noteworthy vulnerabilities in our top detections include the SambaCry Linux vulnerability, the OpenSSL Heartbleed bug, the remote code execution CVE-2014-9583 router vulnerability, and the remote code execution CVE-2017-6361 Network Attached Storage (NAS) vulnerability.
Figure 2. Top affected ports
Unless network administrators disable unnecessary ports or at least identify which ports are open to manage security better, open ports on devices can very well result in networks’ running the risk of being attacked. When we looked at the affected ports in our scanning, we found that port 443 significantly eclipsed the other top ports on the list. Port 443 is the standard Transmission Control Protocol (TCP) port used for HTTPS websites using SSL. This checks out as the Poodle and Drown vulnerabilities both involve weaknesses in SSL or its successor, TLS. Another top affected port is Server Message Block (SMB) port 445, which is used by the EternalBlue exploit that gave way to the infamous WannaCry outbreak in 2017.
Vulnerabilities taken advantage of by IoT botnets
Vulnerabilities related to IoT botnets also emerged among our top detections. Two vulnerabilities in our top 10 detections, for example, are ones that are taken advantage of by the Reaper botnet. Reaper uses a combination of nine attacks that target known IoT vulnerabilities. Routers, Internet Protocol (IP) surveillance cameras, and NAS devices were found to be particularly susceptible to Reaper.
Satori, considered to be the successor of the Mirai botnet, is also represented at the top of our vulnerability detections with remote code execution CVE-2014-8361. As with Mirai, Satori’s source code was released publicly and can be used by any attacker, which could explain its appearance on the list. Satori propagates itself by scanning vulnerable devices and then compromising them.
Android and iOS mobile devices vulnerable to BlueBorne and KRACK
“Airborne” threats like BlueBorne and KRACK are capable of compromising devices over the air, provided that attackers are within range. BlueBorne, for example, enables an attacker to sniff, intercept, or redirect traffic between Bluetooth-enabled devices to gain access to data. The KRACK (Key Reinstallation AttaCK) exploit, on the other hand, takes advantage of several security flaws in the Wi-Fi Protected Access 2 (WPA2) protocol, making it possible for attackers to eavesdrop on users’ data.
Figure 3. 58 percent of Android devices found to be vulnerable to BlueBorne and KRACK
In this case, Android and iOS devices having Bluetooth and Wi-Fi capabilities were found at risk of these two threats. Seemingly living up to its reputation of being less secure than iOS, Android was found to have 58 percent of its devices vulnerable to BlueBorne and KRACK. The iOS platform isn’t exempt, though, with 12 percent of Apple smartphones found to be vulnerable. Patches had already been issued to users of iOS, which could account for the platform’s relatively low numbers.
Figure 4. 12 percent of iOS devices found to be vulnerable to BlueBorne and KRACK
Securing connected devices against vulnerabilities and exploits
Attacks exploiting the aforementioned vulnerabilities can easily be avoided by applying patches made available by device manufacturers. However, not all manufacturers provide fixes for the vulnerabilities, and not all users are in the habit of patching routers, not to mention the devices connected to them.
Users should secure the way they set up their networks. Enabling password protection on routers and connected devices and replacing factory default passwords with strong, hard-to-guess ones is a step in the right direction. For ensured protection, the Trend Micro™ Home Network Security solution can check internet traffic between the router and all connected devices. Our IoT scanning tool has been integrated into the Home Network Security solution and HouseCall™ for Home Networks scanner. Enterprises can also monitor all ports and network protocols for advanced threats and be protected from targeted attacks with the Trend Micro™ Deep Discovery™ Inspector network appliance.
Users of the Trend Micro Home Network Security solution are protected from particular vulnerabilities via these rules:
- 1058981 WEB Directory Traversal -21
- 1059406 SSL OpenSSL TLS DTLS Heartbeat Information Disclosure -1 (CVE-2014-0160, Heartbleed)
- 1059407 SSL OpenSSL TLS DTLS Heartbeat Information Disclosure -2 (CVE-2014-0160, Heartbleed)
- 1130118 SSL OpenSSL SSLv3 POODLE Padding Brute Force (CVE-2014-3566)
- 1130327 EXPLOIT ASUSWRT 220.127.116.11.376_1071 LAN Backdoor Command Execution (CVE-2014-9583)
- 1133637 SMB Microsoft MS17-010 SMB Remote Code Execution -3
- 1133638 SMB Microsoft MS17-010 SMB Remote Code Execution -4
- 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)