Executive Summary
With the constant evolution of the Internet of Things (IoT), the security of IoT is becoming an issue that more and more people are concerned about. In 2016, we issued the IoT Security Whitepaper to popularize IoT security for a general audience. In 2018, we released the 2017 Annual IoT Cybersecurity Report to present our analysis of exposure of IoT assets on the Internet, device vulnerabilities, and threats and risks to which IoT devices are exposed. Our 2018 Annual IoT Security Report is focused on the actual exposure of IoT assets on the Internet, aimed at revealing the overall security posture of IoT assets based on threat intelligence. The report also allots quite a few pages to the security of the UPnP protocol stack, which is often used in IoT applications. In the 2019 Annual IoT Security Report, we continue to delve into IoT assets and the risks and threats facing them: In IoT asset reconnaissance (“recon” for short), we update data on the actual exposure of IoT assets on IPv4 networks and add data on the exposure of IoT assets on IPv6 networks; as for threats, we analyze IoT security incidents and threat sources from the perspectives of vulnerability exploitation and protocol exploitation. Finally, we provide a solution for protecting IoT devices.
The report covers the following contents:
- Chapter 1 looks back at major IoT incidents in 2019. The power outages in Venezuela, largescale attacks launched via Mirai-based botnets and ransomware, and critical vulnerabilities in Boeing systems all point to a gloomy security landscape of the IoT. The upgrade issue of D-Link devices indicates that a large number of devices, for which vendors stop providing support or updates, will pose a severe threat in years to come if no effective controls are put in place to fix vulnerabilities inherent in them. A hacker was reported to have dozens of botnets in hand. This tells us that it is technically feasible to take down botnets by taking the initiative to attack them. In numerous incidents, attack sources can be traced back to vulnerable IoT devices, indicating a severe IoT security situation. Probably for this reason, the USA and Japan both enacted acts and policies to address the security of IoT devices in 2019.
- If historical data is used to delineate the exposure of IoT assets, the statistics will deviate from the reality, presenting a larger value than the actual number. The 2018 Annual IoT Security Report analyzes changes in network addresses of IoT assets before revealing their actual exposure on the Internet. This year’s report updates such data in chapter 2. In China, cameras represented the largest proportion of exposed devices, followed by routers.
- With the booming of IoT applications and depletion of IPv4 addresses, IPv6 addresses will be gradually adopted, which is an irreversible trend. As a result, IoT assets on IPv6 networks will become major targets of attackers. In this sense, it will be of great significance to cybersecurity to accurately survey IPv6 assets and services. Chapter 2 describes the methods for scanning IPv6 assets and analyzes the captured ones. It turns out VoIP phones and video surveillance devices were major types of such assets. Compared with IPv4 assets, the number of exposed IPv6 assets was small. However, with the wide adoption of IPv6 addresses in future, predictably, there must be a lot of them exposed. All parties concerned should attach importance to the security of these assets.
- Chapter 3 analyzes IoT threats from the perspective of vulnerabilities. NSFOCUS’s threat hunting systems registered over 30 types of IoT exploits, most of which targeted remote command execution vulnerabilities. Obviously, from the perspective of global IoT threats, though hundreds to thousands of IoT vulnerabilities are unveiled each year, only a few can cause an extensive impact. In addition, exploits captured by us mainly targeted routers and video surveillance devices, which were also two major types of IoT devices exposed on the Internet. This indicates that attackers are inclined to attack devices large in number so as to expand the scope of impact.
- Chapter 4 anatomizes major and high-risk IoT services, including Telnet, WS-Discovery, and UPnP. Overall, Telnet exploits trended up in the first half of the year; the number of active attackers peaked in August and then declined in the remaining months. An analysis of weak passwords leveraged by attackers found that attackers’ major targets were still IoT devices with the Telnet service enabled. Since being disclosed by Baidu security researchers in February 2019, WS-Discovery reflection attacks steadily grew in number, especially in the latter half of the year. Since mid-August, WS-Discovery reflection attacks registered were on the rise. Worse still, September witnessed a sharp increase in such attacks. All parties concerned, including security vendors, service providers, and telecom carriers, should pay due attention to this type of threats. The number of IoT devices with the UPnP service enabled decreased about 22% from the previous year, but still stood at around 2 million, with a security risk too great to be overlooked. Geographically, exposed IoT devices in Russia dropped significantly by 84% presumably because Russian cybersecurity authorities put more governance measures in place regarding UPnP. This, to some extent, reflects defenders’ inclination to handle IoT threats by means of not only monitoring but also governance.
- Chapter 5 presents a protection mechanism for IoT devices, which involves protection of information on IoT devices and anomaly analysis of IoT devices. Assuring the security of IoT devices by enhancing authentication and encryption and providing forensics support is to lay the solid foundation for the security of the entire IoT. Security vendors should work closely with device vendors to jointly resolve various security issues of devices and should keep improving cloud-side security analysis capabilities, thus building a sturdy wall of protection for the IoT.
Overall, the IoT security landscape is as challenging as ever. Securing the IoT is no easy task that can be achieved overnight. It calls for concerted efforts from governments, enterprises, and people. Only in doing so, can we reduce the threats facing the IoT. Specifically, government agencies and legislatures should gradually put in place all necessary statutes and policies concerning IoT security, thus driving the security of the IoT ecology. Enterprises should make more efforts to standardize the management of IoT security around their personnel and devices and even need to invest in security controls to reduce losses incurred by distributed denial-of-service (DDoS) attacks and ransomware attacks. People should raise the security awareness. When making purchase decisions, they should understand what loss they may suffer because of using insufficiently protected devices and so choose secure devices. Besides, they should learn about these devices’ configurations as much as they can to mitigate the risk arising from misconfiguration. Attackers tend to attack exposed devices that are vulnerable and large in number, which, therefore, should be the top priority of defenders.
Looking ahead, we expect the following changes in IoT security in the coming years:
- More and more IoT assets will be exposed on the Internet. Predictably, more related exploits will emerge in quick succession. When joining hands to address cybersecurity, government departments, telecom carriers, security vendors, and users will allocate an increasing large proportion of efforts to mitigation of IoT risks.
- New types of attacks like WS-Discovery reflection attacks launched via IoT assets will keep emerging as a result of more devices getting connected to networks. Those large in number but receiving insufficient attention should be put on top of the agenda.
- Despite the fact that IPv6 addresses, like IPv4 addresses, change from time to time, it is foreseeable that more such assets will definitely be exposed over time along with the accelerated adoption of IPv6 addresses, though the current number detected is small. In years to come, there will be more attacks on IoT assets in IPv6 environments.
To be continued.