Avast: Cybercriminals Fall for IoT Honeypots


23.2 million potential attacks target 500 fake IoT-like devices deployed at Mobile World Congress.

On Sunday 24th February, the eve of Mobile World Congress 2019, Avast security researchers Martin Hron, Vladislav Iliushin, Libor Bakajsa, and Anna Shirokova set a project in motion: the deployment of 500 honeypots in 10 countries around the world that would run for the length of the show (four days), and beyond. The idea was to count the connection attempts that potential attackers made to these honeypots, in the hope that valuable data might be lurking within. The honeypots, akin to mousetraps on the internet, were deliberately set up with open ports typically found on internet-connected devices, so that attackers scanning them would believe they were connecting to routers, smart TVs, security cameras, or other smart appliances. The findings were better (or worse) than expected.

As MWC drew to a close at around 4pm on Thursday, February 28th, the team had recorded 23.2 million attempts to connect to these honeypots. In other words, 500 fake IoT-like devices placed on the internet attracted 23.2 million potential attacks from possible cybercriminals. That is 11,588 connection attempts per device per day. The three ports scanned most often were the one usually found on Chromecast streaming devices and Google smart home speakers (port 8088), and Telnet (port 23) and SSH (port 22), which are often exposed by routers. This is not particularly surprising. Streaming devices are among the most widespread and vulnerable smart devices in the home, according to our latest research. Router security is also cause for concern: of 11 million routers scanned by Avast in September 2018, 60% had either weak credentials or software vulnerabilities.
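The two things the honeypots had to do are simple to sketch: accept connections on the ports a scanner expects to find open, log who connected to which port, and later aggregate those records into the kind of figures quoted above (top ports, top sources, attempts per device per day). The following is an added example written for this page, not the Avast team's honeypot software; the class and function names (ConnectionRecorder, summarize, run_demo) are ours, the demo binds ephemeral loopback ports instead of 22, 23 and 8088 so it runs unprivileged, and the nine probe connections it makes are a constructed scan pattern, not MWC data. The trap reads at most a few bytes and never answers, so it adds no attack surface of its own.

```python
"""Minimal TCP honeypot skeleton and connection-log aggregation (added example)."""
import asyncio
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Well-known service labels for the router ports the page discusses.
PORT_LABELS = {22: "ssh", 23: "telnet"}


@dataclass(frozen=True)
class Attempt:
    """One accepted TCP connection: when, from where, to which listening port."""
    ts: datetime
    src_ip: str
    dst_port: int


class ConnectionRecorder:
    """Listens on the given ports, records each connection and closes it.

    At most 64 bytes of whatever the scanner sends (a banner probe, Telnet
    option negotiation, ...) are read, and nothing is ever sent back or
    executed, so the decoy itself offers nothing to exploit.
    """

    def __init__(self) -> None:
        self.attempts: list[Attempt] = []
        self._servers: list[asyncio.AbstractServer] = []

    async def _handle(self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
        src_ip = writer.get_extra_info("peername")[0]
        dst_port = writer.get_extra_info("sockname")[1]  # the port the scanner hit
        self.attempts.append(Attempt(datetime.now(timezone.utc), src_ip, dst_port))
        try:
            await asyncio.wait_for(reader.read(64), timeout=0.5)
        except (asyncio.TimeoutError, ConnectionError):
            pass
        writer.close()

    async def listen(self, host: str, ports: list[int]) -> list[int]:
        """Bind every port; returns the ports actually bound (0 asks for an ephemeral one)."""
        for port in ports:
            srv = await asyncio.start_server(self._handle, host, port)
            self._servers.append(srv)
        return [srv.sockets[0].getsockname()[1] for srv in self._servers]

    async def close(self) -> None:
        for srv in self._servers:
            srv.close()
            await srv.wait_closed()


def summarize(attempts: list[Attempt], honeypot_count: int, days: float) -> dict:
    """Aggregate records the way the MWC figures were reported: total,
    top ports (with service label), top sources, attempts per device per day."""
    by_port = Counter(a.dst_port for a in attempts)
    by_src = Counter(a.src_ip for a in attempts)
    return {
        "total": len(attempts),
        "top_ports": [(p, PORT_LABELS.get(p, "other"), n) for p, n in by_port.most_common(3)],
        "top_sources": by_src.most_common(3),
        "per_device_per_day": len(attempts) / (honeypot_count * days),
    }


async def _demo() -> tuple[dict, list[int]]:
    rec = ConnectionRecorder()
    # Ephemeral loopback ports stand in for 23, 22 and 8088 (assumption for the demo).
    ports = await rec.listen("127.0.0.1", [0, 0, 0])
    probes = {ports[0]: 5, ports[1]: 3, ports[2]: 1}  # constructed scan pattern
    for port, count in probes.items():
        for _ in range(count):
            _, w = await asyncio.open_connection("127.0.0.1", port)
            w.write(b"\xff\xfb\x01")  # constructed Telnet-style option bytes
            await w.drain()
            w.close()
            await w.wait_closed()
    await asyncio.sleep(0.2)  # let the handlers for the last connections finish
    await rec.close()
    return summarize(rec.attempts, honeypot_count=1, days=1), ports


def run_demo() -> tuple[dict, list[int]]:
    """Run the loopback demo synchronously; returns (summary, bound ports)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo()[0])
```

On a real deployment the recorder would bind the actual service ports on a public address and write each Attempt to durable storage; the aggregation step is the same, and the per-device-per-day figure is what makes a 500-device, four-day campaign comparable with other measurement windows.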

So, where did these potential attacks on our honeypots come from, and who were the targets? From our data, the three most "attacked" countries were Ireland, Germany, and the United States (details in the table below), while the three most aggressive countries in terms of scans performed were the United States, China and France.

Country         Connections per honeypot during the 4 days of the show
Ireland         218,851
Germany         162,868
United States   159,532

However, attribution in cybersecurity is rarely clear-cut. Virtual Private Networks (VPNs), the Tor network, or proxying connections through an already-infected device are techniques attackers routinely use to obscure their origin, so a source country describes where the last hop sat, not necessarily where the attacker was. With that caveat, over the four days we observed the most attacks coming from servers located in the United States, China, and the Netherlands.

You’re not a target… or are you?

The purpose of a honeypot is to catch cybercriminal activity and then examine the attack methods used. Honeypots exist to fool attackers into thinking that the devices they are targeting are real and contain real data. But what if these devices were real and not decoys? What if it was your home router or smart assistant being scanned for vulnerabilities almost 12,000 times a day? Your home network is only as strong as the weakest link in the chain, and as the number of smart devices attached to a network grows, the weaker that chain becomes. If 23.2 million potential attacks were performed on 500 fake IoT-like devices over four days, imagine the volume we can expect next year, when 38.5 billion authentic smart devices are forecast to make up the IoT ecosystem worldwide. If we take the average number of connections made to a single honeypot on any given day at MWC and scale it up to the total number of IoT device installations expected next year, that equates to over 446 trillion attempted connections worldwide in a 24-hour period, assuming these devices remain publicly reachable from the internet. This is, of course, an extreme scenario, but it is a clear indication of the scale of the problem we are approaching.

According to the Ponemon Institute, the chance of experiencing a cyberattack is one in four. That is more likely than rolling any given number on a six-sided die. So, why the apathy towards cybersecurity when the odds are stacked against the security of our personal data? The problem is partly emotional. Most people think it doesn't matter if their smart TV, smart speaker or light bulb at home is vulnerable, because they do not consider themselves to be a target. After all, why would a cybercriminal be interested in the shows you watch, the music you play and how often you turn your lights on? This is a fairly reasonable argument, until you look at the bigger picture. Imagine an attacker compromises your smart coffee machine, which sits on the same network as your smart speaker and smart assistant. Since it only takes one breached device to gain a foothold on an entire home network, the breached coffee machine could be used as a pivot from which the attacker talks to your smart speaker and issues voice commands that prompt it to place orders via your account, potentially maxing out your credit card.

Now imagine your home is "secured" with a smart door lock that integrates with your smart assistant to lock and unlock the front door. Your home location has been exposed through your smart light bulbs, because their companion app on your phone has been storing physical GPS coordinates in the bulbs since they were installed. Your home address is now in the attacker's hands, and by applying the same attack chain as above, the attacker issues a command through the smart assistant (Alexa, in this example) to unlock your front door.

Cunning countermeasures

As dystopian as the scenarios above may seem, they are credible. We have already seen real-life examples of IoT malware affecting close to a million Deutsche Telekom routers, severing customers' internet connections. Many more variants of the same malware, known as Mirai, have been used to launch Distributed Denial of Service (DDoS) attacks on popular websites, or to harness the computing power of IoT devices to mine cryptocurrency. But it's not all doom and gloom. Despite the growing number of attackers looking to ride the IoT insecurity wave, and the resulting surge of malicious scans hunting for the weakest links in the chain, the threat can be mitigated with what we often describe as basic digital hygiene.

Just as a virus that spreads from one host to the next can be stopped by something as simple as hand sanitising, malicious IoT code can be stopped with equally elementary steps. Below are two actions that everybody can, and should, take to radically decrease the chances of becoming a victim of cybercrime:

    1. Strong passwords: Set strong, unique passwords for your router's admin interface, your Wi-Fi network and each IoT device, and replace any factory default. Wherever possible a password should be at least 10 characters long, ideally include numbers and special characters, and contain nothing that relates to you or to the service it protects.
    2. Update router and IoT device firmware: Install firmware updates for your router and IoT devices as soon as they are made available. Updates often contain patches that fix known vulnerabilities, closing the holes cybercriminals would otherwise use to gain access. Before purchasing a device, look for software security patches on the vendor's website. If the vendor does not supply patches, or has not done so in a year or two, it is very likely that the device you are about to buy is already vulnerable.

Remember that your home network is only as strong as the weakest link in the chain. So, as you continue to add new smart devices to your network, make sure to follow the above tips to keep your smart home safe and secure.
