Skip to main content

The average IoT device is compromised after being online for 6 minutes

With the creation of countless new Internet of Things (IoT) devices that are always connected to the internet, hackers have found a new means of easily creating large botnets that can deliver attacks which can be used to take websites offline and shut down businesses.

In a recent string of attacks, two packet floods made use of a host of IoT devices to take down the website of the cybersecurity journalist Brian Krebs, along with the French web hosting company OVH. Krebs' website was hit by the notorious Mirai botnet whose source code was recently posted online allowing anyone to utilise the malware for their own attacks.

The attack launched against Krebs spread at the surprisingly fast rate of 620Gbps. The botnet attempted to break into thousands of other devices worldwide through the use of 61 username and password combinations.
The Mirai malware has been so successful because it takes advantage of the default usernames and passwords that vendors include with their IoT devices. As most users are unaware that they can even change these credentials, it is much easier for the malware to compromise a range of connected devices which includes IP cameras, routers and other new technologies built around the Internet of Things.

The Director of Security Research a Fastly, Jose Nazario has been able to estimate the amount of time it takes hackers to gain complete control of these devices. His work found that an IoT device will launch an attack within six minutes of being infected by malware after connecting to the internet.

Hackers worldwide currently probe IoT devices for vulnerabilities after they have been connected to the internet for six minutes. Each hour these devices are tested for vulnerabilities - at least 800 times per hour - with an average of 400 login attempts occurring daily. On average, hackers try to access one IoT device every five minutes and a total of 66 per cent of their attempts end up being successful.

In order to prevent IoT devices from becoming part of a large botnet, security measures need to be put in place that inform users as to how they can protect their devices by simply changing their default usernames and passwords to something more unique.

Ken Tindell, entrepreneur and independent technologist, thinks the main issue is that the financial incentive to do so is missing: “It's an economics problem.  I did think it could be fixed with revenue but now I the the incentive is too weak.” 

Image Credit: Chesky / Shutterstock

Anthony Spadafora
After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.