IoT malware doubled in 2016, says report from Kaspersky


Connected devices under increasing attack from cybercriminals

Kaspersky's research used 'honeypots' to attract and trap malware for identification.

The amount of malware targeting IoT devices more than doubled in 2016, according to a report by IT security company Kaspersky.

Researchers there set up ‘honeypots’ that imitated IoT devices running Linux and managed to collect around 7,200 different types of malware preying on IoT devices. Last year, the company detected 3,200 samples.

“After just a few seconds, we saw the first attempted connections to the open telnet port. Over a 24-hour period, there were tens of thousands of attempted connections from unique IP addresses,” the researchers say in their report.

They add that, in most cases, the attempted connections used the telnet protocol; the rest used SSH (Secure Shell protocol). They also noticed that the malware used a set of very common, and thus very vulnerable, usernames and passwords in order to access the IoT devices.
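The tallies the researchers describe (attempts within a 24-hour window, unique source IPs, the telnet versus SSH split and the most-tried credentials) can be produced from honeypot connection logs along these lines. This is an added example, not Kaspersky's code; the log layout, the port-to-protocol mapping and every sample line are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in a hypothetical CSV layout (not a real honeypot's format):
# timestamp,source_ip,dest_port,username,password
SAMPLE_LOG = """\
2016-11-01T00:00:04,198.51.100.7,23,root,root
2016-11-01T00:00:09,198.51.100.7,23,admin,admin
2016-11-01T00:02:31,203.0.113.45,23,root,root
2016-11-01T03:15:00,203.0.113.45,22,admin,admin
2016-11-01T09:40:12,192.0.2.19,23,root,
2016-11-02T00:30:00,192.0.2.200,23,support,support
not a log line
"""

PORT_PROTOCOL = {23: "telnet", 22: "ssh"}


def parse(line):
    """Return (timestamp, ip, protocol, (user, password)), or None if malformed."""
    parts = line.split(",", 4)  # password is last, so it may be empty or contain commas
    if len(parts) != 5:
        return None
    try:
        ts, port = datetime.fromisoformat(parts[0]), int(parts[2])
    except ValueError:
        return None
    return ts, parts[1], PORT_PROTOCOL.get(port, "other"), (parts[3], parts[4])


def summarize(log_text, window=timedelta(hours=24)):
    """Tally login attempts seen within `window` of the first recorded attempt."""
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    if not events:
        return {"attempts": 0, "unique_ips": 0, "protocols": Counter(), "top_credentials": []}
    start = events[0][0]
    seen = [e for e in events if e[0] - start < window]
    return {
        "first_attempt": start,
        "attempts": len(seen),
        "unique_ips": len({e[1] for e in seen}),
        "protocols": Counter(e[2] for e in seen),
        "top_credentials": Counter(e[3] for e in seen).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Credential pairs that recur across many unrelated source addresses are the ones to check against the default logins of devices on your own network.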

According to the report, over 63 percent of the devices from which the attacks originated were identified as DVR services or IP cameras, while about 20 percent were network devices and routers from major manufacturers. One percent were Wi-Fi repeaters and other network hardware, TV tuners, VOIP devices, Tor exit nodes, printers and ‘smart home’ devices. Some one in five, meanwhile, could not be identified.


Malware on enterprise IoT devices

The company said that its honeypots recorded attacks coming not only from network hardware classed as home devices but also from enterprise-class hardware, suggesting that business kit is being used as a launchpad in many cases, presumably without the knowledge of its corporate owners.

“Even more disturbing is the fact that among all the IP addresses from which attacks originated, there were some that hosted monitoring and/or device management systems with enterprise and security links,” researchers said.

These included point-of-sale devices in retail stores, restaurants and filling stations; digital TV broadcasting systems; physical security and access control systems; and environmental monitoring devices.

Researchers also detected malware infecting a monitoring system at a seismic station in Bangkok, as well as industry-grade programmable microcontrollers and power management systems elsewhere.

The honeypots detected attacks from China, Vietnam, Russia, Brazil and Turkey.

“The growing number of malware programs targeting IoT devices and related security incidents demonstrates how serious the problem of smart device security is. 2016 has shown that these threats are not just conceptual but are in fact very real,” the researchers said. “The existing competition in the DDoS market drives cybercriminals to look for new resources to launch increasingly powerful attacks.”

Kaspersky recommends that devices not allow access from outside their immediate local network unless that access is specifically needed to use the device. All network services that are not needed should also be disabled. Default passwords should be changed; if they cannot be, the network services that use those passwords should be disabled or, alternatively, access to the devices from outside the local network should be disabled.
