Introduction

This chapter analyzes IoT threats from the perspective of vulnerabilities. We first analyze the change trends of IoT vulnerabilities and exploits 1 in the NVD and Exploit Database (Exploit-DB) in 2019 and then IoT exploits captured by NSFOCUS’s threat hunting system. The following dwells upon some representative exploits.

Heuristic Recon via the Dual-Stack UPnP Service

In addition to the recon of IPv6 addresses based on their characteristics, we can also use UPnP to detect IoT assets by referring to the method described in a blog post 28 from Cisco Talos Labs.

Principle

UPnP is a set of protocols designed to achieve interconnectivity between devices on a LAN. Due to misconfiguration, many UPnP services are exposed on the Internet. We can use UPnP to uncover dualstack IoT devices — devices with both an IPv4 and IPv6 address. Two roles are available in the UPnP protocol, namely, the control point and device. Each time when the control point goes live, it sends an M-SEARCH message to the multicast address 239.255.255.250:1900 for searching for controllable devices.

After receiving the M-SEARCH message or joining the network, a device sends a NOTIFY message to the multicast address, notifying its own information to other devices. In a NOTIFY message, the LOCATION field indicates the link to the device description. Upon receiving the NOTIFY message sent by the device, the control point will access the link contained in the LOCATION field. Figure 2-16 shows the workflow of UPnP.

Heuristic Recon of IPv6 Addresses Based on Their Characteristics

Previously, we mentioned that IPv6 addresses, when assigned, can, for example, include random values in particular bytes or embed MAC addresses. With these facts in mind, we exercised some restrictions to narrow down the address space to be scanned.

Specifically, we employed the following approaches to conduct the recon based on data from the collection of IPv6 addresses available on Hitlist.

• Recon of low-byte addresses and addresses containing random bits in particular bytes

For low-byte IPv6 addresses, the recon method is similar to that for IPv4 addresses. Such addresses contain 0s in all bytes except the least significant byte, so it is only necessary to base the scan on this part (least significant byte).

For those containing random bits in particular bytes than in the least significant byte, Scan6 uses hexadecimal notation to specify the scanning scope so as to traverse only specified bits. To do so, we ran the “scan6 -i eth0 -d ****:983:0-3000::1” command, in which 0-3000 (hexadecimal) specifies
the traversal scope. It took about 1 minute to complete a scan of 12,288 IPv6 addresses, with 3853 active ones found, as shown in Figure 2-13.

Identification of IoT Assets from Known IPv6 Addresses

The preceding section gives a brief account of difficulties in the blind-scan of IPv6 addresses. To work around these problems, we based our recon on some available IPv6 addresses, in a bid to discover IoT assets operating in IPv6 environments. Sources of these addresses include Hitlist27, which maintains about 3 million IPv6 addresses, and NSFOCUS Threat Intelligence (NTI), which provides a collection of about 1.7 billion IPv6 addresses extracted from domain name intelligence. Note that the IPv6 addresses available for our recon are but a very small portion of the total number. Besides, IoT assets found active in IPv6 environments were rather small in number.

This section presents the exposure of IPv6 assets on the Internet and methods for recon of these assets. IPv6 Evolution With the IoT and 5G gaining ground, the demand of network applications for IP addresses is undergoing an explosive growth. However, the IPv4 address space has been depleted and IPv4 addresses have been unevenly allocated. […]

Overview

2020 H1 witnessed nine Internet of Things (IoT) security events that deserved close attention:

• Ripple20 0-day vulnerabilities were discovered and affected hundreds of millions of networked devices in various industries across the globe.
• A high-risk 0-day vulnerability was detected in dozens of Netgear router products.
• A group of Industrial Control System (ICS) honeypots attracted four 0-day attacks.
• A critical remote code execution (RCE) vulnerability affected millions of network devices based on OpenWrt.
• Hackers exploited 0-day vulnerabilities in DrayTek devices to launch attacks on enterprise networks.
• Hackers hijacked a smart building access system and could launch distributed denial-of-service (DDoS) attacks on devices accessible via networks.
• Millions of devices using LoRaWAN were vulnerable to hacker attacks, and nodes, gateways, and servers in the LoRaWAN network were prone to critical vulnerabilities. Therefore, their security protection capabilities remained to be improved.
• Hackers divulged Telnet credentials of over 500,000 devices.
• Researchers discovered LiquorBot, which was a new botnet with the cryptomining function.

Introduction

As we indicated in the 2018 Annual IoT Security Report, network addresses on the Internet constantly change. Use of historical data to delineate exposure of assets will result in a deviation from reality, presenting a value higher than the actual number. Therefore, to accurately reflect the reality of a given area, we should specify a short period as the statistical cycle when calculating the number. This chapter starts with an analysis of the actual exposure of IoT assets in 2019.

With the booming of IoT applications and depletion of IPv4 addresses, IPv6 addresses will be gradually adopted, which is an irreversible trend. This means that IoT assets on IPv6 networks will become major targets of attackers. In this sense, it will be of great significance to cybersecurity to accurately survey IPv6 assets and services. For this reason, we also describe the methods for discovering IoT assets in IPv6 environments and analyze their exposure in this chapter.

LockerGoga Ransomware Alleged to Repeatedly Attack Plants

On January 24, 2019, France-based Altran Technologies was allegedly hit by LockerGoga ransomware. On March 19, Norsk Hydro, one of the largest aluminum companies worldwide, was hit by an extensive cyberattack, having machines around the globe infected with malware and some unable to operate. As a result, some plants had to switch from automatic to manual procedures, significantly compromising the productivity. This attack on the Norwegian aluminum company employed a tactic similar to that of LockerGoga. On March 12, 2019, two US chemical manufacturers Hexion and Momentive respectively suffered a LockerGoga ransomware attack9. In as short as two months, four plants in Europe and the USA became targets of ransomware attacks. Such devastating ransomware caused great damages to enterprises. According to a report on July 23, 201910, the attack could cost Norsk Hydro a whopping amount of $63.50 million to $75 million. But no exact figure was given because the computing system used for calculating profits was also compromised by the ransomware.

Extensive Power Outages in Venezuela and New York

Starting from the evening of March 7, 2019, a cyberattack hit Venezuela, leaving most parts of the country, including the capital Caracas, without power for more than 24 hours1. Because of the outage, the subway service in Caracas came to a halt, resulting in massive traffic jams. Schools, hospitals, factories, and airports were all greatly affected by this incident. Even mobile phones and networks could not work properly.

Just four months after the power outage in Venezuela, on July 13, 2019, 18:47, a large-scale blackout affected Midtown to the Upper West Side in Manhattan, leaving the Times Square, subway stations, cinemas, and Broadway in the dark2. At its peak, the New York blackout shut off power to about 73,000 people. At a press conference, New York City Mayor Bill de Blasio claimed that the blackout was caused by a transformer fire. Though not a malicious cyberattack, this incident sounds the alarm on the security
of critical infrastructure.

Executive Summary

With the constant evolution of the Internet of Things (IoT), the security of IoT is becoming an issue that more and more people are concerned about. In 2016, we issued the IoT Security Whitepaper to popularize IoT security for a general audience. In 2018, we released the 2017 Annual IoT Cybersecurity Report to present our analysis of exposure of IoT assets on the Internet, device vulnerabilities, and threats and risks to which IoT devices are exposed. Our 2018 Annual IoT Security Report is focused on the actual exposure of IoT assets on the Internet, aimed at revealing the overall security posture of IoT assets based on threat intelligence. The report also allots quite a few pages to the security of the UPnP protocol stack, which is often used in IoT applications. In the 2019 Annual IoT Security Report, we continue to delve into IoT assets and the risks and threats facing them: In IoT asset reconnaissance (“recon” for short), we update data on the actual exposure of IoT assets on IPv4 networks and add data on the exposure of IoT assets on IPv6 networks; as for threats, we analyze IoT security incidents and threat sources from the perspectives of vulnerability exploitation and protocol exploitation. Finally, we provide a solution for protecting IoT devices.