Beware: Hackers are eyeing your connected devices

The report advises that users should use complex and unique passwords for each service, and use a password manager too for simplicity


  • The increasing complexity with each additional device and automation rule also means an expanding attack surface

As our homes and gadgets like speakers, TVs and fridges begin talking to each other with rising frequency, ushering the Internet of Things (IoT) era, they are simultaneously becoming increasingly vulnerable to hacker attacks.

Last month, security firm Trend Micro revealed in a report how an attacker could monitor activity within the home or building through sensors, cameras, and any other device capable of collecting information from its surroundings.

On Wednesday, just a day after we celebrated World IoT Day, a report by security firm Sophos revealed that a honeypot it had set up in Mumbai received over 600,000 brute-force login attacks in the one month that Sophos researchers conducted the study.

Honeypots are designed to purposely engage and deceive hackers and identify malicious activities performed over the internet. Multiple honeypots can be set on a network to form a honeynet.

When cybercriminals start interacting with the device, they trigger alarms to alert a business or individual to their presence and track their activity. While there are many types of honeypots, Sophos used low-interaction honeypots (a honeypot which, once found by the hacker, will not be of much use to hackers) and high-interaction honeypots (ones that permit the attacker to go further to gather additional information about their intentions) for this study.

The honeypots in this study simulated the Secure Shell (SSH) service and, therefore, measured SSH login attempts. SSH is a remote access service that is used not only by servers but is also enabled in domestic environments on devices as diverse as CCTV cameras and NAS (network-attached storage) devices.

Sophos initially set up honeypots in 10 of the most popular Amazon Web Services (AWS) data centres in the world and made sure that the honeypots were not affiliated with Sophos or any other company other than, perhaps, the hosting provider. To a hacker, the honeypots appeared “as just a number, a bit of extra processing power that could be theirs, a camera they could control or a directory of files they could access and share”, according to the Sophos report.

About 95% of the traffic Sophos tracked appeared to originate in China. That doesn’t necessarily mean that the attackers conducting these brute-force attempts are also located in China, the report clarified, “because attacks may be routed through other machines under the attackers’ control”.

The London honeypot alone suffered 314,000 login attempts over the 30 days in which Sophos ran these honeypots, while the honeypots hosted in Mumbai and Ireland received more than 600,000 login attempts. Does this mean that hosting services in London is safer than hosting services in Mumbai?

No, clarifies the Sophos report, since the brute-force login attempts varied in complexity from default usernames and passwords to passwords with what security practitioners would consider sufficiently complex combinations of numbers, letters, and special characters. Looking at what drives this number of brute-force login attempts, Sophos found the dominant problem was ongoing exposure as a result of not changing default usernames and passwords (e.g. root, admin, user, ubuntu and postgres).

Further, many devices ship with default passwords. “Whether they are easy to guess or not, this is always a mistake,” cautions the Sophos report. The report advises that users should use complex and unique passwords for each service, and use a password manager too for simplicity.
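To see on your own device what the honeypots measured, the following sketch (an added example, not code from the Sophos report) scans OpenSSH password-authentication log lines, counts failed attempts per source, reports how many target the default usernames named above, and flags a login that succeeds after repeated failures. The sample log lines, the host name `cam01` and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# Default account names the article lists as the most targeted.
DEFAULT_USERS = {"root", "admin", "user", "ubuntu", "postgres"}

# OpenSSH sshd log messages for password authentication results.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Apr 10 03:14:01 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Apr 10 03:14:03 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Apr 10 03:14:05 cam01 sshd[815]: Failed password for invalid user ubuntu from 203.0.113.7 port 40040 ssh2
Apr 10 03:14:08 cam01 sshd[817]: Failed password for invalid user postgres from 203.0.113.7 port 40049 ssh2
Apr 10 03:14:11 cam01 sshd[819]: Accepted password for admin from 203.0.113.7 port 40058 ssh2
Apr 10 08:30:12 cam01 sshd[902]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Apr 10 08:30:20 cam01 sshd[904]: Accepted password for alice from 198.51.100.20 port 51520 ssh2
"""

def analyse(log_text, threshold=3):
    """Summarise password attempts and flag likely brute-force activity."""
    failures, default_hits, total_failed = Counter(), 0, 0
    suspect = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            total_failed += 1
            default_hits += user in DEFAULT_USERS
        elif failures[ip] >= threshold:
            # Success after many failures from one source suggests a
            # guessed password rather than a mistyped one.
            suspect.append((ip, user))
    return {
        "brute_force_sources": sorted(ip for ip, n in failures.items() if n >= threshold),
        "default_user_share": default_hits / total_failed if total_failed else 0.0,
        "suspect_logins": suspect,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A non-empty `suspect_logins` list is the case that matters most: it means a default or weak password was probably guessed, so that credential should be changed and the device checked.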

Trend Micro researchers, too, pointed out last month that IoT has given rise to complex IoT environments (CIE) comprising at least 10 IoT devices that are functionally chained together and integrated into an environment using an IoT automation platform. For instance, a smart home has an internet connection throughout the entire CIE, which requires Ethernet or fibre wiring and modems and Wi-Fi routers.

Devices integrated into the environment can include a gateway, smart bulbs, smart locks, speakers and TVs. The complexity afforded by automation platforms, note Trend Micro researchers, expands the possibilities in smart homes and buildings and other setups in various settings. However, they caution that the increasing complexity with each additional device and automation rule also means an expanding attack surface.

For instance, if smart locks are installed and connected to the CIE, attackers could modify automation rules that would allow them entry into the home and make the sensors either recognise them as one of the homeowners or leave the doors unlocked. Attackers could also analyse and clone the owner’s voice and play the resulting sound file to bypass any voice recognition checks by connected devices in the CIE.

Homeowners, thus, should check automation rule files and make backups, advise the Trend Micro researchers. They should also enable two-factor authentication where applicable.

(This story originally appeared on Livemint)
