Skip to main content

The average IoT device is compromised after being online for 6 minutes

With the creation of countless new Internet of Things (IoT) devices that are always connected to the internet, hackers have found a new means of easily creating large botnets that can deliver attacks which can be used to take websites offline and shut down businesses.

In a recent string of attacks, two packet floods made use of a host of IoT devices to take down the website of the cybersecurity journalist Brian Krebs, along with the French web hosting company OVH. Krebs' website was hit by the notorious Mirai botnet whose source code was recently posted online (opens in new tab) allowing anyone to utilise the malware for their own attacks.

The attack launched against Krebs spread at the surprisingly fast rate of 620Gbps. The botnet attempted to break into thousands of other devices worldwide through the use of 61 username and password combinations.
The Mirai malware has been so successful because it takes advantage of the default usernames and passwords that vendors include with their IoT devices. As most users are unaware that they can even change these credentials, it is much easier for the malware to compromise a range of connected devices which includes IP cameras, routers and other new technologies built around the Internet of Things.

The Director of Security Research a Fastly, Jose Nazario has been able to estimate the amount of time it takes hackers to gain complete control of these devices. His work found that an IoT device will launch an attack within six minutes of being infected by malware after connecting to the internet.

Hackers worldwide currently probe IoT devices for vulnerabilities after they have been connected to the internet for six minutes. Each hour these devices are tested for vulnerabilities - at least 800 times per hour - with an average of 400 login attempts occurring daily. On average, hackers try to access one IoT device every five minutes and a total of 66 per cent of their attempts end up being successful.

In order to prevent IoT devices from becoming part of a large botnet, security measures need to be put in place that inform users as to how they can protect their devices by simply changing their default usernames and passwords to something more unique.

Ken Tindell, entrepreneur and independent technologist, thinks the main issue is that the financial incentive to do so is missing: “It's an economics problem.  I did think it could be fixed with revenue but now I the the incentive is too weak.” 

Image Credit: Chesky / Shutterstock

After getting his start at ITProPortal and then working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches to how to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.