1-1hit |
Kosuke MURAKAMI Takahiro KASAMA Daisuke INOUE
Since the outbreak of IoT malware “Mirai,” several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/Password settings are not strong enough. Several IoT malware families, including Mirai, are also known that restrict access to Telnet and other services to keep the devices from being infected by other malware after infection. However, tens of thousands of devices in Japan can be still accessed Telnet services over the Internet according to network scan results. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of the large-scale darknet monitoring to reveal whether IoT devices with weak credentials are infected with malware or not. Moreover, we analyze the IoT devices with weak credentials to find out the factors that prevent these devices from being infected with malware and to assess the risk of abuse for cyber attacks. From the results of the analysis, it is discovered that approximately 2,000 devices can be easily logged in using weak credentials in one month in Japan. We also clarify that no device are infected with Mirai and its variants malware due to lack of functions used for malware infection excluding only one host. Finally, even the devices which are logged in by NOTICE project are not infected with Mirai, we find that at least 80% and 93% of the devices can execute arbitrary scripts and can send packets to arbitrary destinations respectively.