A scan of the Japanese Internet infrastructure showed how many devices could be compromised with common user names and passwords, and ISPs helped the authorities make that determination. But ISPs also seemed to lack the tools to make those determinations by themselves, in a way that secures their networks and customers at the same time.
Changing the default credentials of new IoT devices is a good place to start, but attackers have more than one way to control their targets. In an ideal situation, ISPs know when they have vulnerable devices in their infrastructure; history shows us that ISPs usually settle for providing Internet services when they should take care of the security aspect as well.
It’s impossible to fend off threats if you don’t know which one of your devices is vulnerable. IoT ecosystems and their devices are now prime targets for bad actors looking to add machines to their bot networks or use those devices to infiltrate other networks.
With an estimated 75 billion active units by 2025, IoT devices outnumber anything else. If we add the fact that IoT security is almost a joke, with no unifying standards or policies, we get a recipe for disaster. What’s even worse is that compiling a proper inventory of potentially vulnerable devices in the wild is a gargantuan task.
Japan is leading the way
A Japanese government project called the National Operation Towards IoT Clean Environment is trying to get a better view of the IoT landscape in the country. With the help of ISPs, the project has begun scanning public-facing IPs, almost 200 million. It took a year to scan just half that, with interesting results.
Out of 110 million scanned IP addresses, around 100,000 allowed potential attackers to use credentials, and 2,249 had default or weak credentials. Following the investigation, the authorities notified the ISPs about their security issues, and in turn they informed their users.
The Japanese authorities are also sending ISPs alerts regarding malware-infected IoT devices, and that number hovers around 160 alerts each day. All in all, the project seems to be a success, and the Japanese IoT ecosystem is a little bit safer. But are we going to see it replicated elsewhere?
Credential stuffing is only a slice
Japan chose to use credential stuffing in the project because it’s the most direct way to scan for security problems. Sometimes users don’t change their login credentials, or they use weak passwords. It doesn’t get any more straightforward than just scanning for ports and using the right credentials. Moreover, it doesn’t require high technical expertise, so unsophisticated attackers can do it.
Unfortunately, the IoT ecosystem is much, much more complicated. There are other ways to compromise the IoT devices or to go straight for the data they collect.
For example, all devices have various vulnerabilities. Some are known, and patches are issued, others are waiting to be discovered. Command injection is a common type of vulnerability found in IoT devices, and it has nothing to do with how good the password really is.
In other situations, bad actors can even bypass the authentication altogether and go after the apps used to control the devices. In some instances, such as with Guardzilla, vulnerabilities in communications between the apps and the cloud services allow attackers to access the cloud data directly and even commandeer the backend.
This means that the number of possibly compromised devices in Japan (and the rest of the world for that matter) is probably much higher if we include all avenues.
There’s an “app” for that
With ISPs suddenly in a position to be responsible for the security of their users to a much greater degree, their options are narrowing. A company with an internal network wants to make sure that all devices with access to its infrastructure are as safe as they can be. An ISP has a similar network, but in this case, it’s their customers. It’s a no-brainer that ISPs want their customers to use secure devices, but we all know it’s close to impossible to enforce that.
So, is there a way for ISPs to harden their infrastructure and protect themselves and their customers? We designed the Bitdefender IoT Security Platform precisely for that purpose.
Let’s assume that the Japanese Internet infrastructure had advanced security capabilities deployed in various forms, such as on home routers. Japanese ISPs would have had a much clearer picture of the potential vulnerabilities, as the platform provides that information, both to them and even their users, and they would have known about security issues other than just credential stuffing.
Moreover, the Bitdefender IoT Security Platform is capable of dealing with many of these threats, such as DDoS attacks or brute force. It’s both a proactive and defensive security platform. The customers are kept safe, and the ISPs know their infrastructure is protected.
Using a network-level solution for the IoT makes sense from both directions. Users will want to know that their ISP is looking out for them without having to buy extra hardware, and the ISP will have granular control over their network security without having to start from scratch with an expensive solution.