Threat Research

FortiGuard Labs Telemetry – Roundup and Comparison of 2015 and 2016 IoT Threats

By Gavin Chow | March 06, 2017

Attacks targeting and originating from IoT devices began grabbing news headlines toward the last quarter of 2016. Insecure IoT devices became the low-hanging fruit for threat actors to easily exploit. Some were even notoriously used as botnets to launch DDoS attacks against selected targets.

For example, the infamous Mirai botnet exploited weak login vulnerabilities in insecure IoT devices such as IP cameras and home routers, and was responsible for one of the largest known DDoS attacks to date. Besides being used in DDoS attacks, exploited IoT devices can also be used to spy on people, hold IoT devices ransom, or possibly be leveraged as a vulnerable pivot point to infiltrate deeper into the networks where compromised devices are attached.

In this and following blog posts, we will examine some of the more interesting IoT threat telemetry data collected from our FortiGuard Labs.

The first thing this data revealed is huge spikes in certain attack vectors, and equally impressive decreases in others. A careful look at the data indicates that cybercriminals continue to be extremely focused opportunists. For example, we saw a significant rise in attacks targeting home routers and IP cameras leveraging known vulnerabilities. The types of attacks grew and persisted because manufacturers were slow to release patches or updates to fix known issues.

Some of these vulnerabilities are embedded in firmware and involve thousands of devices from multiple manufacturers. The ability to create and deliver a patch is extremely difficult because the devices do not have adequate mechanisms for being updated. It is extremely difficult (if not impossible) to manually update them, and automated systems updating large numbers of deployed devices is a rarity.

Criminals targeting IoT devices are currently successful in exploiting known vulnerabilities, such as weaknesses associated with default usernames and passwords or hardcoded backdoors. Apart from these simplistic entryways into devices, there are other readily available methods available for exploiting in IoT devices beyond default passwords. This includes taking advantage of weaknesses resulting from poor coding practices used to enable IoT connectivity and communications.

The problem is rampant. IoT manufacturers have flooded the market with highly insecure devices. In addition to the potential for simple compromise, millions of IoT devices are highly susceptible to being disabled or “bricked”, resulting in overwhelmed consumer help desks.

The challenge within the risk model presented by IoT devices is the aspect of impact. While a cybercriminal may be able to hack into a connected toothbrush, there is little interest in discovering how often we brush our teeth. But if that toothbrush is connected to a home network or even a cell phone – which is connected to the same home network used to connect back into my corporate network –then it is safe to assume the consumer IoT device vulnerabilities have deeper consequences.

The larger impact, however, is related to commercial, industrial, and medical IoT devices. These are prolific and diverse, with examples including gauges, pumps, meters, industrial control systems, inventory controls, and automated manufacturing floors. Of particular concern are items connected to critical infrastructure or hyperconnected environments such as connected buildings and smart cities.

If IoT manufacturers fail to secure their devices, the potential impact on the digital economy could be devastating.  There is a high potential for the disruption of critical services which will result in consumer hesitation to purchase connected devices. Because vulnerable IoT devices are becoming so pervasive, we predict that attacks targeting IoT devices will continue to be opportunistic as well as more sophisticated in order to more effectively exploit weaknesses in the IoT communications and data gathering chain.

Let’s begin by looking at our collection of IoT IPS signature hits by comparing data from the years of 2015 and 2016.

The charts below have the following general characteristics:

  • The IPS signature attack information consists of known IoT vulnerabilities and targets
  • General classifications are provided by different types of IoT devices
  • Telemetry is based on a global data collection perspective
  • The data was collected during 2015 and 2016
  • ­­­ The X-axis uses a base-10 logarithm scale due to the large difference between minimum and maximum values

GLOBAL IoT IPS signature hits by device – 2015

Figure 1: GLOBAL IoT IPS signature hits by device – 2015

From the chart above chart we can see that home routers triggered the most IoT IPS signature hits in 2015, which was close to 820,000. These signatures were followed by those triggered by IP cameras, telephony systems, and Network Attached Storage (NAS) systems. By comparison, Digital/Network Video Recorders (DVR/NVR), Smart TVs, and printers had a comparatively smaller number of signature hits.

The following figures provide a breakdown of this data from a regional perspective (Americas, EMEA and APAC):

IoT IPS signature hits in Americas by device – 2015

Figure 2: IoT IPS signature hits in Americas by device – 2015

 IoT IPS signature hits in EMEA by device – 2015

Figure 3: IoT IPS signature hits in EMEA by device – 2015

: IoT IPS signature hits in APAC by device – 2015

Figure 4: IoT IPS signature hits in APAC by device – 2015

The same list of IoT devices, when plotted with 2016 IPS signature hits, is shown below:

GLOBAL IoT IPS signature hits by device - 2016

Figure 5: GLOBAL IoT IPS signature hits by device - 2016

As you can see, home routers continued to have the most IPS signature hits in 2016. But the number of hits increased exponentially by a multiplication factor of more than 3000 to over 25 billion hits. A few other differences can be seen in this chart, showing a more than 2000 times increase in hits against Digital/Network Video Recorders (DVR/NVR), while Smart TV hits nearly tripled in volume. Interestingly, Network Attached Storage (NAS) systems, IP cameras, telephony systems, and printers hits all decreased significantly, by a factor of from -1.5 to nearly -10.

The breakdown from a regional perspective (Americas, EMEA and APAC) for 2016 is shown below:

IoT IPS signature hits in Americas by device - 2016

Figure 6: IoT IPS signature hits in Americas by device - 2016

IoT IPS signature hits in EMEA by device - 2016

Figure 7: IoT IPS signature hits in EMEA by device - 2016

IoT IPS signature hits in APAC by device - 2016

Figure 8: IoT IPS signature hits in APAC by device - 2016

We can better see the exponential increase between 2015 and 2016 of some of these targeted IoT when we compare both years charted side-by-side:

Global IoT IPS signature hits by device – 2015/2016 side by side comparison

Figure 9: Global IoT IPS signature hits by device – 2015/2016 side by side comparison

It is important to note that botnet hits from the now infamous Mirai attack in September of 2016 are not included in the charts above. These charts are simply tracking the increase or decrease of normal threat traffic targeted at IoT devices. We will explore the impact of the Mirai botnet telemetry in another post.

What is contributing to the large increase in home router hits, and the differences in hits for other IoT devices between 2015 and 2016? Is it the increasing volume of deployed IoT devices? Are we seeing new attack techniques or vulnerabilities?

Stay tuned. We’ll explore what contributed to these dramatic differences in our next post.


Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.



Join the Discussion