Nearly three years after the Mirai distributed denial-of-service (DDoS) attacks, the danger to corporate networks from insecure consumer Internet of Things (IoT) devices appears to have grown.
Researchers from Avast Software, in collaboration with researchers from University of Illinois Urbana-Champaign and Stanford University, recently analyzed data from 83 million Internet-connected devices in some 16 million homes globally to better understand how they are deployed, as well as how secure they are. Devices scanned included home routers, game consoles, printers, scanners, home IP cameras, and home automation devices, such as smart thermostats. Computers and phones were excluded from the IoT classification in the study.
The research highlights not only the prevalence of IoT devices, but also their inherent vulnerabilities, says Rajarshi Gupta, vice president and head of AI at Avast.
According to the study, one-third of the homes has at least one IoT device. In North America, the number is double, at 66%. The research shows that one in four homes in North America have three or more IoT devices, and 9% have six or more.
Media devices, such as smart TVs and streaming devices, are by far the most common IoT devices in a majority of geographies. However, beyond that, the types of IoT devices installed in home networks tend to vary widely by region.
For example, Internet-connected home surveillance equipment is the most common IoT device across several parts of Asia; work appliances, like printers, are more prevalent in Africa; and voice and home assistant devices, such as those from Amazon and Google, are substantially more common in North America than anywhere else.
Disturbingly, millions of the devices in the Avast study have security weaknesses, such as open services, weak default credentials, and vulnerabilities to known attacks. Millions of devices, for instance, are still using obsolete protocols, such as FTP and Telnet, Gupta says. In some parts of Africa, the Middle East, and Southeast Asia, as many as 50% of IoT devices still support FTP, and nearly 40% of home routers in Central Asia use Telnet.
Open and weak HTTP credentials are another major concern with a significant proportion of routers that Avast and the other researchers analyzed. A small number of home routers in the study host publicly accessible services. But more than half (51.2%) that did also had a recently exploited vulnerability on them.
"Millions of IoT devices today still use obsolete protocols like Telnet and FTP, both of which are known to transfer data in plain text," Gupta notes. "The security implications of this cannot be overstated, and I'd argue that there is absolutely no reason to be using these protocols in 2019."
The Mirai malware of 2016, for instance, exploited such weaknesses in IoT products to enable attackers to quickly assemble botnets for launching DDoS attacks. There are other concerns, too. Many IoT products that people use at home are found in work environments as well, especially printers, cameras and TVs, Gupta says.
"If a gadget at home is compromised and that employee unknowingly uses their work laptop on the same Wi-Fi, a cyberattacker can infiltrate the computer, too," he says.
The Avast-sponsored study shows that despite a large number of branded IoT products around the world, the number of manufacturers is surprisingly small.
"There's a long tail of more than 14,000 IoT manufacturers globally," he says. "Yet an overwhelming majority of all devices — 94% — are made by the same 100. Half are made by the same 10."
This market dominance means the onus for building strong privacy and security postures for IoT products rests with a handful of companies.
"Device manufacturers — at the very least, the top 100 — need to incorporate stronger security principles into their software development process," Gupta says. Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio