Smart Device Security: China's online smart device Security Situation Report in 2017, and the situation report in 2017

Smart Device Security: China's online smart device Security Situation Report in 2017, and the situation report in 2017

Smart Device Security: China's online smart device Security Situation Report in 2017. In recent years, security incidents of online smart devices have occurred from time to time, and CNCERT has continuously tracked and analyzed the related situations. CNCERT monitoring found that in 2017, China's connected smart devices (hereinafter referred to as "smart devices") mainly showed the following characteristics in terms of security vulnerabilities, malicious code and attack activities:

1. In terms of vulnerabilities, the number of smart device vulnerabilities has increased significantly. The National Information Security Vulnerability sharing platform (CNVD) publicly recorded 2017 general-purpose smart device vulnerabilities in 2440, up 118% year on year. According to the vulnerability type statistics, the top three types are Permission Bypass (27%), information leakage (15%), and command execution (13% ). Vrouters, gateways, cameras, video systems, set-top boxes, and other types of devices have a large number of vulnerabilities. This is an important target of vulnerability attacks, intrusion into office devices such as printers by exploiting vulnerabilities is becoming a way for hackers to steal files and data from important organizations.

2. In terms of malicious code attacks, overseas control servers control a large number of smart devices in China. CNCERT sample monitoring found that in the second half of 2017, the number of controlled smart device IP addresses infected with malicious code in China was about 1.298 million, accounting for Zhejiang (14.7%), Shandong (13.3%), and Jiangsu (10.6% ). The number of IP addresses of overseas control servers that control smart devices in China is about 12.2 thousand, accounting for the largest among the US (30.3%), Russia (12.3%), and South Korea (5.5% ). There are 39 Trojans and botnets of more than 10 thousand smart devices with controlled devices. The control terminals are mainly distributed in the Netherlands (11), the United States (11), and Russia (7) and Italy (7) and other countries and regions, of which 5 are botnets with a controlled device scale of more than 50 thousand.

I. Collection of smart device Vulnerabilities

Software and Hardware vulnerabilities of smart devices may cause security risks and problems such as device data and user information leakage, device paralysis, zombie Trojans infected, and attacks against Intranet hosts and other information infrastructure. CNVD continues to track, record, and handle vulnerabilities on smart devices (IOT devices). The vulnerability information recorded in 2017 is as follows.

1. General Vulnerabilities

General vulnerabilities generally refer to vulnerabilities that pose security threats to software and hardware products. In 2017, CNVD included 2440 General IOT device vulnerabilities, up 118.4% from the same period last year. Statistics on the types of vendors, vulnerabilities, and affected devices involved in the vulnerability are as follows:

 

Figure 1 ranking of IOT device vulnerability count TOP vendors

Vulnerability types include Permission Bypass, information leakage, command execution, DOS, cross-site, buffer overflow, SQL injection, weak passwords, design defects, and other vulnerabilities. Among them, the number of Permission Bypass, information leakage, and Command Execution Vulnerabilities ranks among the top three, respectively accounting for 27%, 15%, and 13% of the total number of vulnerabilities publicly recorded, as shown in 2.

 

 

Figure 2 TOP distribution by Vulnerability Type

Devices affected by vulnerabilities include mobile phone devices, routers, network cameras, conferencing systems, firewalls, gateway devices, and switches. Among them, the number of mobile phone devices, routers, and network cameras ranks among the top three, respectively accounting for 45%, 11%, and 8% of the total number of vulnerabilities publicly recorded, as shown in 3.

 

 

Figure 3 Vulnerability (common) distribution by device type TOP

2. Event Vulnerability recording

Event-based vulnerabilities generally refer to vulnerabilities that pose security threats to a specific application. In 2017, CNVD included 306 IOT device event-based vulnerabilities. The affected devices include the smart monitoring platform, Network Camera, GPS device, router, gateway device, firewall, card, and printer. Among them, the number of vulnerabilities in the smart monitoring platform, webcams, and GPS devices ranks among the top three, respectively accounting for 27%, 18%, 15%, and 4 of the total number of vulnerabilities publicly recorded.

 

 

Figure 4 Vulnerability (Event Type) distribution by device type TOP

Ii. Cases of smart device vulnerability monitoring and analysis

1. Identity Permission Bypass Vulnerability attack for Network Camera wifict

Privilege Bypass Vulnerability ranked first in the number of vulnerability categories included in CNVD, this section on one of the attacks very frequent identity privilege Bypass Vulnerability (included number CNVD-2017-06897) were introduced, the affected device is the WirelessIP Camera (P2P) wifict, a remote Network Camera. The camera Web service does not correctly check the access permission of the. ini configuration file. Attackers can bypass the identity authentication program to download the configuration file and account creden。 by constructing an Http request with an empty account and password. According to CNCERT sampling monitoring data, during the period from January 1, October 22-12 to the 31st, such vulnerabilities were attacked more than 0.4 million times per day, of which November 7 were detected in 30 million, as shown in Figure 5.

 

 

Figure 5 wifict identity Bypass Vulnerability attack trend chart

According to the analysis, apart from a few vulnerability verification detection servers and malicious hackers, most of the IP addresses that initiate vulnerability attacks/scans are actually the IP addresses of controlled smart devices or controlled hosts, there are about 0.105 million IP addresses in China, and the top 5 are Hebei, Xinjiang, Liaoning, Jiangsu, and Jilin. See figure 6.

 

 

Figure 6 distribution chart of IP addresses of suspected controlled devices that have been exploited to launch wifict attacks

2. weak passwords of smart cameras of some brands

Weak Password vulnerability is a high-threat but easy-to-use vulnerability of online smart cameras. CNCERT continues to pay attention to the vulnerability fixing situation. At the end of December 2017, CNCERT conducted a sample monitoring and analysis on the vulnerabilities of smart cameras and weak passwords exposed by some brands on the Internet. The distribution of these smart camera network IP addresses in China is shown in the 2nd column of Table 1. There are more than 50 thousand smart camera network IP addresses in Jiangsu, Zhejiang, Shandong, and other provinces, the distribution of network IP addresses of cameras that may have weak password vulnerabilities in China is shown in the 3rd column of Table 1, Ranking Top 3 in Zhejiang, Guangdong, and Jiangsu. Considering the large difference in the total number of smart cameras connected to different provinces and cities, we select the percentage of cameras with weak password vulnerabilities (the percentage of cameras with weak password vulnerabilities exposed on the Internet in a province to the total number of camera IP addresses exposed on the Internet in the province) reflecting the proportion and repair of Weak Password Vulnerability cameras in provinces and cities, we found that the proportion of Weak Password Vulnerability cameras in Chongqing, Sichuan, Fujian and other regions is relatively high, as shown in Table 1's 4th.

Table 1 Distribution of IP addresses of connected smart cameras of some brands

Province/City

Number of IP addresses of some branded online cameras

Number of weak password cameras connected to some brands

Percentage of weak password cameras (%)

Jiangsu

79763

7024

8.81

Zhejiang

74253

17749

23.9

Shandong Province

63103

6647

10.53

Guangdong

49731

9745

19.6

Hebei

28746

5984

20.82

Fujian

27459

6847

24.94

Liaoning

27422

3240

11.82

Anhui Province

26402

4062

15.39

Henan

20184

3227

15.99

Yunnan

13585

1918

14.12

Chongqing

12651

4966

39.25

Shanxi

12595

1966

15.61

Sichuan

12503

3180

25.43

Jilin Province

12173

1894

15.56

Beijing

11271

2270

20.14

Shanghai

11050

1882

17.03

Jiangxi

9976

1122

11.25

Hunan

9221

1166

12.65

Guizhou

8512

230

2.7

Heilongjiang

7920

1667

21.05

Hubei Province

7620

1697

22.27

Inner Mongolia

7115

1099

15.45

Shaanxi

5988

840

14.03

Guangxi

5435

1184

21.78

Xinjiang

5029

601

11.95

Tianjin

4271

1048

24.54

Gansu

4059

941

23.18

Hainan

3912

808

20.65

Ningxia

1396

285

20.42

Tibet

1356

184

13.57

Qinghai

977

243

24.87

Malicious Code attack activity of smart devices

Malicious Code currently active on smart devices mainly includes Ddosf, Dofloo, Gafgyt, MrBlack, Persirai, Sotdas, Tsunami, Triddy, Mirai, Moose, Satori, these malicious codes and their variants can intrude into and control smart devices through Telnet, SSH, and other remote management service weak password vulnerabilities, operating system vulnerabilities, Web and other application vulnerabilities, and brute force password cracking.

I. Malicious Code features of smart devices

1. Malicious Code is infected with a wide range of hardware platforms and a wide variety of devices. Malicious Code of smart devices supports most embedded Linux operating systems with cross-platform infection capabilities and can intrude into devices infected with multiple hardware platform architectures such as Arm, Mips, X86, and Powerpc.

2. The structure of malicious code is complex, and the Division of functional modules is fine. Some malicious code has complex structures and fine division of labor. It has multiple modules, including worm scanning and brute-force cracking, vulnerability reporting and collection of device information, vulnerability attack and Trojan embedding, and C & C Command Control, each function module can be distributed on different servers or devices, which makes monitoring and tracking and coordination more difficult.

3. The number of malicious code variants is large, and updates and upgrades are fast. Because the source code of malicious code such as Mirai, Gafgyt, and Tsunami has been published, the update and upgrade of such malicious code are fast and the number of variants is large. Currently, the number of variants has exceeded 100. IoT_reaper, A Mirai variant that appeared in March October, has a total of nine Smart device vulnerabilities. The variant code integrates the latest batch of vulnerabilities into the sample using the code, one of these vulnerabilities is integrated and used only two days after being published.

Ii. Malicious Code attack activities of smart devices

CNCERT conducts sampling monitoring on malicious code attack activities such as Gafgyt, MrBlack, Tsunami, Mirai, Reaper, and Ddostf infected on smart devices. The details are as follows.

1. malicious code control the number and distribution of servers

In the second half of 2017, monitoring found that the total number of IP addresses controlling servers was approximately 15 thousand. About 81.7% of IP addresses were located outside China, and the top three countries and regions were in the United States, Russia, and South Korea. The number of IP addresses of control servers in China is 2806, and the top three provinces are Beijing, Shandong, and Guangdong in sequence. The detailed distribution is 7.

 

 

Figure 7 IP address distribution of the IOT malicious code control server in the second half of 2017

2. Number and distribution of controlled devices

In the second half of 2017, the total number of controlled smart device IP addresses detected by monitoring was 2.938 million, and the number of controlled IP addresses in China was 1.298 million, accounting for about 44.1%, the provinces with more than 50 thousand controlled IP addresses are Zhejiang, Shandong, Jiangsu, Liaoning, Hebei, Henan, Guangdong, and Chongqing, as shown in figure 8.

 

 

Figure 8 IP address distribution of controlled IOT malicious code devices in the second half of 2017

3. Trojan and botnet scale statistical analysis

CNCERT analyzes the network size of smart device Trojans and botnets. In the second half of 2017, the network size of Trojan botnets is controlled (the total number of controlled device IP addresses controlled by a single control server) there are 343 botnets of more than 10 thousand, 39 botnets of more than 50 thousand, and 5 botnets of more. The control terminals are mainly distributed in the Netherlands, the United States, France, Italy and Russia. For details, see table 2.

Table 2 statistics on the scale of smart device Trojan and botnet control in the second half of 2017

 

 

4. Trends of malicious code attacks

In the second half of 2017, sampling monitoring found that the average number of controlled smart device IP addresses per day was about 27 thousand, and the average number of Control Server IP addresses was 173, malicious Code attacks are more frequent from January 1, July 26-8 to January 3, October 17-11 to January 1, November 28-12, in October 26, the number of active controlled IP addresses per day reached the peak of 69584, and the number of Active Control Server IP addresses per day reached the peak of 616, as shown in figure 9.

 

 

Figure 9 trend of IOT malicious code attack activities in the second half of 2017

Iii. Controlled smart device DDoS attacks

Unlike PCs, vrouters, vswitches, network cameras, and other devices are always online. After being controlled, users are not easy to discover. This is a stable source of DDoS attacks, hackers use these "stable" Controlled smart devices to launch DDoS and other network attacks against other targets on the public internet. CNCERT conducts sample monitoring and analysis on DDoS attacks initiated by Trojans and botnets such as Gafgyt. It is found that overseas control terminals use a large number of controlled devices in China to launch DDoS attacks against targets inside and outside China, table 3 shows some DDoS attack event data with large attack traffic. The data shows that the IP address of the DDoS attack initiator is located in Denmark, the United States, the Netherlands, and other countries and regions outside China, the target IP address of the attacker is also located in the United States, Germany, Turkey, Denmark, Canada, and other countries and regions outside China, the exploited DDoS attack resource "zombie" is a large number of smart devices under intrusion control in China.

Table 3 events in which botnets such as Gafgyt initiated DDoS attacks (more than 10 Gbps) in 2017

 

 

Security Protection suggestions for networked smart devices

CNCERT recommends that related vendors and users pay more attention to the security of smart devices connected to the Internet and provide network security protection:

1. It is recommended that smart device manufacturers strengthen product security testing and certification and technical protection capabilities, improve the technical level of device product security protection, perform self-check on equipment products, and perform security testing before the products are put on the market, establish an active and effective emergency response mechanism to promptly fix device vulnerabilities.

2. It is recommended that users of smart devices and related users improve security awareness, standardize device security configuration, update firmware in time, and fix vulnerabilities to prevent devices from using the default password or weak password, disable unnecessary remote service ports. To enable remote ports, we recommend that you configure firewall policies, set NAT ing, and change non-default ports, if not necessary, try not to retain personal information such as name, ID card, account, phone number, and address on the device.

3. If any unknown device exception is found, contact the Security Agency or manufacturer in time to pay attention to the announcement issued by CNCERT and take countermeasures to avoid security risks and risks.