Как обнаружили эксперты Avira Antivirus, использование цифр «12345» или слова «пароль» в качестве пароля ни в коем случае не является худшим вариантом в современном мире. Многие говорят, что они вообще не защищают доступ к своим умным технологиям. И это активно используется злоумышленниками. По словам эксперта Avira Хамидреса Эбтехай, проблема со смарт-устройствами заключается в том, что изначально никто не задумывался об их безопасности. Кто в конце концов мог прийти к идее использовать миллионы манекенов для майнинга криптовалюты? И все же с помощью Honeypots - устройства, которое позволяет имитировать действия с гаджетами в Интернете - эксперты Avira обнаружили более 14 000 таких атак.
Проанализировав данные, эксперты обнаружили, что как минимум 25% всех устройств, подключенных к Интернету, вообще не защищены.
Владельцы оставляют поля логина и пароля пустыми или не изменяют заводские поля, что позволяет злоумышленникам легко получить доступ к устройствам.
Эксперты считают, что производители IoT-устройств просто не задумываются о своей безопасности, перенося эту ответственность на плечи самих владельцев. Однако люди часто даже не знают о необходимости защиты своего оборудования и возможных рисках. В результате хакеры могут легко использовать интеллектуальные колонки других людей и другие электронные устройства для запуска точечного удара по веб-сайтам, взлома криптовалют и других личных целей.
Admin is NOT the worst password of all
Forget about 12345 or P@ssW0rd, an Avira honeypot set up to find new smart device threats has identified an even more insecure credential – nothing.
“The most commonly used credential is blank, which means that the attackers just enter an empty username and password,” says Avira threat analyst Hamidreza Ebtehaj. “This is even more common than admin.”
Credentials in this case are a two-part combination of the user name and the password which hackers enter into Avira’s smart device honeypot while attacking it. Attacks with blank or empty credential slots made up a 25.6% of the total, vastly outnumbered the other top credential combinations. This blank category even exceeded share of default IoT device credentials such as “admin | QWestM0dem” and “admin | airlive” (24.0%) and the collection of general default credentials(23.4%) with those timeless classics such as “admin | admin”, “support | support”, and “root | root”.
Specific IoT malware attacks, where the hackers zeroed in on a known vulnerability made up 25% of the total. The two top credential pairs were “root | xc3511” and default | S2fGqNFs” – two internet connected web cams which have gone to market under a number of names.
“These stats were collected on Friday, September 13,” he adds. “The numbers, especially for IoT malware-related stats, do vary slightly based on ongoing attacks, but the general distribution has remained consistent for some time now.”
What’s a honeypot
A honeypot is a decoy device, computer or network set up to lure in hackers. An established element in cyber-defense strategies, honeypots enable researchers to attract and engage hackers while uncovering their newest techniques and preferred targets. “We let attackers in with any combination of usernames and passwords, they are allowed in our honeypot even with empty passwords,” explains Hamidreza.
Honey, who is my smart device talking to?
This particular honeypot mimics the features and behaviors of online devices such as routers and smart IoT devices as it draws in hackers. As it makes itself visible and seemingly vulnerable online, it uses three of the most common protocols used with smart devices – Telnet, Secure Shell, and Android Debug Bridge.
Aiming at the second phase
Each smart device attack has two largely automated phases. The first phase is simply selecting the target. For this, the attackers can use IP/port scanning, they might get information from other attackers/botnets. they might blindly scan the internet with Shodan, or they might have a database of the vulnerable devices.
The second phase is when the hackers work to infect the identified device – and this is where the honeypot plays a critical role. In addition to recording the credentials used in the attack, the honeypot also collects data on infection vectors, malicious scripts, and malware.
This time, it’s not just the users
Smart devices are often criticized for their inbuilt insecurity – and their users not changing the default passwords. But Hamidreza says the issue is more than lazy device users. “Common users have no knowledge of these protocols and they are not even aware that their devices might be accessible by hackers. We can’t expect users to log into a terminal and change the configuration of the protocols they have not even heard of.” Much of the blame rests on the device manufacturers and developers.
The dumb smart device conundrum
The problem with many smart devices is that they were just not designed with security in mind. Vulnerabilities and hacking of these connected devices has resulted in everything from people getting notices to subscribe to PewDiePie or, more seriously, the Mirai botnet and the world’s largest DDoS knocking parts of the internet offline. Industry agreements on smart device standards are only now getting past the planning stages, leaving millions of insecure devices online.
Remaining in uncertainty
Those with smart devices have three basic security options:
Do an online search for any reported potential vulnerabilities in their devices.
Check for firmware updates to patch any known vulnerabilities or issues in their devices.
Scan their network for open ports that could be inviting hackers in.
Источники
https://4pda.ru/2019/09/29/361932/
https://blog.avira.com/admin-is-not-the-worst-password-of-all/
Новости