In recent years, security incidents involving networked smart devices have occurred frequently, and CNCERT has tracked and analysed the situation continuously. CNCERT monitoring found that in 2017 China's Internet-connected smart devices (hereinafter "smart devices") showed the following characteristics in terms of security vulnerabilities, malicious code and attack activity:
1. Vulnerabilities: the number of smart device vulnerabilities rose sharply. In 2017 the National Information Security Vulnerability Sharing Platform (CNVD) publicly recorded 2,440 generic vulnerabilities in smart devices, up 118% year on year. By type, the top three were privilege bypass (27%), information disclosure (15%) and command execution (13%). Routers and gateways, cameras and video systems, set-top boxes and similar devices account for a large share of the vulnerabilities and are the main targets of vulnerability-based attacks. Exploiting vulnerabilities in office equipment such as printers is becoming a way for attackers to steal internal files and data from important organisations.
2. Malicious code: overseas control servers control a large number of smart devices in China. CNCERT sampling found that in the second half of 2017 about 1.298 million IP addresses of smart devices in China were infected with malicious code and under control, with the largest shares in Zhejiang (14.7%), Shandong (13.3%) and Jiangsu (10.6%). About 12,200 overseas control-server IP addresses controlled smart devices in China, the largest shares being in the United States (30.3%), Russia (12.3%) and South Korea (5.5%). 39 Trojan botnets each controlled more than 10,000 devices, with their control ends mainly in the Netherlands (11), the United States (11), Russia (7) and Italy (7); 5 of these botnets each controlled more than 50,000 devices.
Smart device vulnerabilities
1、 Smart device vulnerabilities recorded by CNVD
Software and hardware vulnerabilities in smart devices can lead to leakage of device data and user information, device outages, infection by zombie/Trojan programs, and use of the device as a springboard for attacks on intranet hosts and other information infrastructure. CNVD continuously tracks, records and reports vulnerabilities in smart (IoT) devices. Its 2017 records are as follows.
1. Generic vulnerabilities recorded
A generic vulnerability is one that poses a security threat to a whole class of software or hardware products. In 2017 CNVD recorded 2,440 generic IoT device vulnerabilities, up 118.4% over the same period of the previous year. Statistics by affected vendor, vulnerability type and affected device type are as follows:
Affected vendors include Google, Cisco and Huawei. Google, as the vendor of Android, accounts for 948 IoT device vulnerabilities, 32% of the year's total; Cisco ranks second with 250; Huawei and D-Link (Youxun Technology) rank third and fourth respectively, as shown in Figure 1.
Figure 1 Vendors with the most recorded IoT device vulnerabilities
Vulnerability types include privilege bypass, information disclosure, command execution, denial of service, cross-site vulnerabilities, buffer overflow, SQL injection, weak password, design flaws and others. Privilege bypass, information disclosure and command execution rank in the top three, accounting for 27%, 15% and 13% of the publicly recorded vulnerabilities respectively, as shown in Figure 2.
Figure 2 Distribution by vulnerability type (top types)
Affected device types include mobile devices, routers, webcams, conferencing systems, firewalls, gateway devices, switches and others. Mobile devices, routers and webcams rank in the top three, accounting for 45%, 11% and 8% of the publicly recorded vulnerabilities respectively, as shown in Figure 3.
Figure 3 Generic vulnerability distribution by device type (top types)
2. Event-type vulnerabilities recorded
An event-type vulnerability is one that poses a security threat to a specific deployed application or system instance. In 2017 CNVD recorded 306 event-type vulnerabilities in IoT devices. Affected equipment includes intelligent monitoring platforms, webcams, GPS devices, routers, gateway devices, firewalls, all-in-one card systems, printers and others. Intelligent monitoring platforms, webcams and GPS devices rank in the top three, accounting for 27%, 18% and 15% of the publicly recorded vulnerabilities respectively, as shown in Figure 4.
Figure 4 Event-type vulnerability distribution by device type (top types)
2、 Case studies from smart device vulnerability monitoring
1. Authentication bypass attacks against webcams
Privilege bypass is the most common vulnerability type recorded by CNVD. This section covers one authentication bypass vulnerability that is attacked very frequently (CNVD-2017-06897). The affected device is the Wireless IP Camera (P2P) WIFICAM. The camera's web service does not properly check access permissions on its .ini configuration file, so an attacker can bypass the login procedure and download the configuration file, including the account credentials it contains, by sending an HTTP request with empty username and password fields. According to CNCERT sampling data, from 22 October to 31 December the number of daily attacks exploiting this vulnerability exceeded 400,000, peaking at 30 million on 7 November, as shown in Figure 5.
Figure 5 Attack trend for the WIFICAM authentication bypass vulnerability
Analysis shows that, apart from a small number of vulnerability verification/scanning servers and attacker-operated servers, most of the IP addresses launching these attacks and scans belong to compromised smart devices or hosts that are themselves under control. About 105,000 of them are located in China; the top five provinces are Hebei, Xinjiang, Liaoning, Jiangsu and Jilin. Figure 6 gives the detailed per-province data.
Figure 6 Domestic distribution of IP addresses of suspected controlled devices used to launch WIFICAM vulnerability attacks
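As an added example (not CNCERT's code) of how a device operator or network defender could pick this attack pattern out of web server access logs: the function below flags requests for .ini configuration files whose credential parameters are empty, counts them per source address, and separates sources that merely scanned from those that actually received a 200 response (i.e. the bypass worked). The log lines are constructed, and the query-parameter names `user` and `pass` are an assumption, since the vulnerable firmware's real parameter names are not given in the text above.

```python
"""Detect attempts to fetch a camera's .ini configuration file with empty
credentials from web access logs.

Added example, not CNCERT's code. The Common Log Format and the parameter
names in PARAM_NAMES are assumptions for illustration; adjust PARAM_NAMES to
the names your firmware actually uses.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Credential parameter names to inspect (assumption; vendor specific).
PARAM_NAMES = ("user", "pass")

# Common Log Format: host ident authuser [date] "METHOD target proto" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_clf(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = _CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_empty_cred_ini_request(target):
    """True if the request targets a .ini file and every credential parameter
    is either absent or empty, which is the bypass pattern described above."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".ini"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name in PARAM_NAMES:
        if any(v.strip() for v in qs.get(name, [""])):
            return False  # a non-empty credential was supplied; not the bypass
    return True

def analyse(lines, threshold=3):
    """Return (hits_by_ip, successful_downloads_by_ip, scanner_ips).

    hits_by_ip counts empty-credential .ini requests per source; a 200 response
    to such a request means the file was served without authentication.
    """
    hits = Counter()
    success = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_empty_cred_ini_request(rec["target"]):
            continue
        hits[rec["ip"]] += 1
        if rec["status"] == 200:
            success[rec["ip"]].append(rec["target"])
    scanners = [ip for ip, n in hits.items() if n >= threshold]
    return hits, dict(success), scanners

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2017:10:00:01 +0800] "GET /system.ini?user=&pass= HTTP/1.1" 200 4096',
    '203.0.113.7 - - [07/Nov/2017:10:00:02 +0800] "GET /config.ini?user=&pass= HTTP/1.1" 200 2048',
    '203.0.113.7 - - [07/Nov/2017:10:00:03 +0800] "GET /wifi.ini?user=&pass= HTTP/1.1" 404 0',
    '198.51.100.4 - - [07/Nov/2017:10:01:00 +0800] "GET /system.ini?user=admin&pass=s3cret HTTP/1.1" 200 4096',
    '192.0.2.9 - - [07/Nov/2017:10:02:00 +0800] "GET /logo.png HTTP/1.1" 200 512',
    '203.0.113.88 - - [07/Nov/2017:10:03:00 +0800] "GET /system.ini HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    hits, success, scanners = analyse(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} empty-credential .ini requests, "
              f"{len(success.get(ip, []))} served with 200")
    print("scanners:", scanners)
```

Any 200 response in the `success` map is the finding that matters: the device served its configuration file to an unauthenticated client, so the credentials inside it should be treated as exposed and rotated after the firmware is patched. Sources that only accumulate 401/404 hits are scanners; in the CNCERT data above most of them are themselves compromised devices, so blocking individual addresses is of limited value compared with fixing the authentication check.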
2. Weak password vulnerabilities in some brands of smart camera
Weak passwords are a high-threat yet trivially exploitable weakness of networked smart cameras, and CNCERT continues to follow how they are being remediated. At the end of December 2017 CNCERT again carried out sampling monitoring and analysis of the smart cameras of certain brands exposed on the Internet and of their weak password vulnerabilities. Column 2 of Table 1 gives the distribution in China of the IP addresses of these Internet-connected smart cameras; Jiangsu, Zhejiang, Shandong and several other provinces each have more than 50,000. Column 3 gives the distribution of camera IP addresses that may have weak passwords; Zhejiang, Guangdong and Jiangsu have the most. Because the total number of Internet-connected cameras varies greatly between provinces and municipalities, we use the weak-password ratio (the number of camera IP addresses with weak passwords exposed on the Internet in a province divided by the total number of camera IP addresses exposed on the Internet in that province) to reflect the proportion of weak-password cameras and the state of remediation in each region. By that measure Chongqing, Sichuan, Fujian and some other regions have a relatively high proportion of weak-password cameras, as shown in column 4 of Table 1.
Table 1 Distribution of IP addresses of networked smart cameras of some brands
Smart device malicious code and attack activity
Malicious code currently active on smart devices includes ddostf, dofloo, gafgyt, mrblack, persirai, sotdas, tsunami, triddy, Mirai, moose and satori. These families and their variants compromise and control smart devices through weak passwords on Telnet, SSH and other remote management services, operating system vulnerabilities, web and other application vulnerabilities, password brute forcing and other means.
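Password brute forcing against a remote management service is the most common of the infection vectors listed above, and it is also the easiest to see from the device side. The added example below (not CNCERT's code) reads OpenSSH syslog lines, finds sources that exceed a failure threshold within a sliding time window, and then checks whether the same source went on to log in successfully, which is the signature of a weak password being guessed rather than merely attacked. The log lines are constructed in the standard sshd format; the thresholds are assumptions. Telnet logins on embedded devices are typically not logged at all, so the same pattern on Telnet has to be caught on the network side instead.

```python
"""Spot SSH password brute forcing, and the case where a failure burst is
followed by a successful login from the same source.

Added example, not CNCERT's code. Log lines are constructed in the standard
OpenSSH syslog format; max_failures and window_seconds are assumed thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Nov  7 10:00:01 host sshd[401]: Failed password for [invalid user] NAME from IP port N ssh2"
_AUTH = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+ ssh2'
)

def parse_sshd(line, year=2017):
    """Parse one sshd auth line (syslog lines carry no year, so one is supplied)."""
    m = _AUTH.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day field
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(lines, max_failures=5, window_seconds=60):
    """Return {ip: {"failures", "users", "compromised_as"}} for every source that
    produced max_failures or more failed logins inside any window_seconds span.
    compromised_as is the account name if that source later logged in, else None."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_sshd(line)
        if rec:
            events[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if not r["ok"]]
        # Sliding window over failure timestamps: j trails i so that
        # fails[j..i] always fits inside window_seconds.
        burst, j = False, 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            if i - j + 1 >= max_failures:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0]["ts"]
        success = next((r for r in recs if r["ok"] and r["ts"] >= first_fail), None)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({r["user"] for r in fails}),
            "compromised_as": success["user"] if success else None,
        }
    return findings

# Constructed sample lines (not a real device's log).
SAMPLE_LOG = [
    "Nov  7 10:00:01 ipcam sshd[401]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Nov  7 10:00:02 ipcam sshd[402]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "Nov  7 10:00:03 ipcam sshd[403]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2",
    "Nov  7 10:00:04 ipcam sshd[404]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "Nov  7 10:00:05 ipcam sshd[405]: Failed password for root from 203.0.113.7 port 51005 ssh2",
    "Nov  7 10:00:07 ipcam sshd[406]: Accepted password for root from 203.0.113.7 port 51006 ssh2",
    "Nov  7 10:05:00 ipcam sshd[420]: Failed password for root from 198.51.100.4 port 40001 ssh2",
    "Nov  7 10:05:30 ipcam sshd[421]: Accepted password for root from 198.51.100.4 port 40002 ssh2",
    "Nov  7 10:06:00 ipcam sshd[430]: Failed password for root from 192.0.2.9 port 30001 ssh2",
    "Nov  7 10:07:00 ipcam sshd[431]: Failed password for root from 192.0.2.9 port 30002 ssh2",
    "Nov  7 10:08:00 ipcam sshd[432]: Failed password for root from 192.0.2.9 port 30003 ssh2",
    "Nov  7 10:09:00 ipcam sshd[433]: Failed password for root from 192.0.2.9 port 30004 ssh2",
    "Nov  7 10:10:00 ipcam sshd[434]: Failed password for root from 192.0.2.9 port 30005 ssh2",
]

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        state = f"logged in as {f['compromised_as']}" if f["compromised_as"] else "no success seen"
        print(f"{ip}: {f['failures']} failures against {f['users']}, {state}")
```

With the default thresholds the source 203.0.113.7 is reported with `compromised_as == "root"`, while 192.0.2.9, which tries one password a minute, stays under the 60-second window and is missed. That is the inherent weakness of window-based counting: a slow, distributed brute force from many controlled devices (the pattern the report describes) evades it, so the per-device check should be paired with the user-side fix in the recommendations below, namely removing the default password and not exposing the service at all.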
1、 Characteristics of malicious code on smart devices
1. The malicious code infects a wide range of hardware platforms and devices. Most smart device malware targets embedded Linux and can infect across platforms: it can compromise devices built on ARM, MIPS, x86, PowerPC and other hardware architectures.
2. The malicious code has a complex structure with finely divided functional modules. Some families have a complex structure and a fine division of labour, with separate modules for worm-style scanning and password brute forcing, reporting and collecting information on vulnerable devices, exploiting vulnerabilities and implanting the Trojan, and command and control (C&C). Each module can be hosted on a different server or device, which makes monitoring, tracking and coordinated takedown harder.
3. Variants are numerous and are updated quickly. Because the source code of Mirai, gafgyt and tsunami has been published, these families are updated rapidly and the number of variants is large, now exceeding 100. Between September and October the Mirai variant IoT Reaper appeared, integrating exploits for 9 smart device vulnerabilities. This variant incorporated the most recently disclosed exploit code into its samples; one of the vulnerabilities was integrated and exploited only 2 days after its disclosure.
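Because these families ship one binary per CPU architecture, the first triage step on a set of dropped samples is to sort them by target platform before any disassembly. The added example below (not CNCERT's code) does that from the ELF header alone: the class byte gives 32/64 bit, the data byte gives endianness, and the two-byte e_machine field at offset 16 gives the architecture, which is what tells an analyst which of the arm, MIPS, x86 and PowerPC builds named above they are holding. It also notes the `UPX!` marker that packed bot binaries commonly carry. The sample headers are constructed with a helper rather than taken from real malware.

```python
"""Triage IoT bot samples by ELF target architecture from the header alone.

Added example, not CNCERT's code. Samples are constructed minimal ELF headers,
not real malware; EM_NAMES values are the e_machine constants from the ELF
specification.
"""
import struct

EM_NAMES = {
    2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 21: "ppc64",
    40: "arm", 42: "superh", 62: "x86_64", 183: "aarch64",
}

def elf_arch(data):
    """Return dict(arch, bits, endian, type, upx) or None if data is not ELF.

    Only the first 20 bytes are needed: magic, EI_CLASS, EI_DATA, e_type, e_machine.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"      # e_type/e_machine follow EI_DATA
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "arch": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {2: "exec", 3: "dyn"}.get(e_type, f"other({e_type})"),
        "upx": b"UPX!" in data,                # packer marker common on bot samples
    }

def make_elf_header(machine, bits=32, little=True, e_type=2, tail=b""):
    """Build a minimal ELF header for demonstration (constructed, not a real file)."""
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if little else 2, 1])  # class, data, version
             + b"\x00" * 9)                                            # pad e_ident to 16 bytes
    endian = "<" if little else ">"
    return ident + struct.pack(endian + "HH", e_type, machine) + tail

# Constructed sample set mimicking a multi-architecture drop directory.
SAMPLES = {
    "bot.arm":  make_elf_header(40),
    "bot.mips": make_elf_header(8, little=False),            # big-endian MIPS
    "bot.mpsl": make_elf_header(8, little=True),             # little-endian MIPS
    "bot.x86":  make_elf_header(3, tail=b"\x00" * 40 + b"UPX!"),
    "bot.ppc":  make_elf_header(20, little=False),
    "bot.x64":  make_elf_header(62, bits=64),
    "readme":   b"not an elf",
}

def triage(samples):
    """Group sample names by 'arch/bits/endian'; non-ELF files go under 'not-elf'."""
    groups = {}
    for name, data in samples.items():
        info = elf_arch(data)
        key = "not-elf" if info is None else f"{info['arch']}/{info['bits']}/{info['endian']}"
        groups.setdefault(key, []).append(name)
    return groups

if __name__ == "__main__":
    for key, names in sorted(triage(SAMPLES).items()):
        print(f"{key:18} {', '.join(names)}")
```

On a real drop directory, feed each file's first 64 bytes (or the whole file if the UPX check matters) to `elf_arch`. The architecture key is what decides which emulator or sandbox image the sample can run in; a sample whose `e_machine` is not in `EM_NAMES` is worth a second look, since unusual targets (e.g. SuperH or ARC) tend to appear in variants that are extending their reach to new device classes.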
2、 Smart device malicious code attack activity
CNCERT carries out sampling monitoring of the attack activity of some of the malware families infecting smart devices, including gafgyt, mrblack, tsunami, Mirai, reaper and ddostf. The details are as follows.
1. Number and distribution of malicious code control servers
In the second half of 2017, monitoring found a cumulative total of about 15,000 control server IP addresses, of which about 81.7% were located outside China; the top three countries and regions were the United States, Russia and South Korea. 2,806 control server IP addresses were located in China, with Beijing, Shandong and Guangdong the top three provinces and municipalities. The detailed distribution is shown in Figure 7.
Figure 7 IP address distribution of IoT malicious code control servers, second half of 2017
2. Number and distribution of controlled devices
In the second half of 2017, monitoring found a cumulative total of 2.938 million controlled smart device IP addresses, of which 1.298 million (about 44.1%) were in China. The provinces with more than 50,000 controlled IP addresses were, in order, Zhejiang, Shandong, Jiangsu, Liaoning, Hebei, Henan, Guangdong and Chongqing. The detailed distribution is shown in Figure 8.
Figure 8 IP address distribution of devices controlled by IoT malicious code, second half of 2017
3. Statistical analysis of Trojan botnet scale
CNCERT analysed the scale of smart device Trojan botnets, where the scale of a botnet is the cumulative number of controlled device IP addresses under a single control server. In the second half of 2017 there were 343 such botnets, 39 of them with more than 10,000 controlled devices and 5 with more than 50,000. The control ends were mainly located in the Netherlands, the United States, France, Italy, Russia and other countries and regions. See Table 2 for details.
Table 2 Control scale statistics of smart device Trojan botnets, second half of 2017
4. Trend of malicious code attack activity
In the second half of 2017, sampling monitoring found an average of about 27,000 active controlled smart device IP addresses and 173 active control server IP addresses per day, i.e. continuous activity. Attacks were more frequent from 26 July to 2 August, 17 October to 3 November and 28 November to 1 December; the number of active controlled IP addresses in a single day peaked at 69,584 on 26 October, and the daily number of active control server IP addresses peaked at 616, as shown in Figure 9.
Figure 9 IoT malicious code attack activity trend, second half of 2017
3、 DDoS attacks by controlled smart devices
Unlike personal computers, routers, switches, webcams and similar devices are normally online without interruption, and users rarely notice when they have been compromised, which makes them stable DDoS attack sources. Attackers use these "stable" controlled smart devices to launch DDoS and other network attacks against targets on the public Internet. CNCERT carries out sampling monitoring and analysis of DDoS attacks launched by gafgyt and other Trojan botnets and has found overseas control ends using large numbers of controlled devices in China to attack targets both in China and abroad. Table 3 lists some of the DDoS attacks with the largest traffic. The data show that the attackers' control-end IP addresses were located in Denmark, the United States, the Netherlands and other countries and regions, and the victims' target IP addresses were likewise located in the United States, Germany, Turkey, Denmark, Canada and other countries and regions, while the attack resources, the "zombies" (or "broilers" in Chinese hacker slang), were large numbers of compromised smart devices in China.
Table 3 Selected DDoS attacks above 10 Gbps launched by gafgyt and other botnets in 2017
Recommendations on the security protection of networked smart devices
CNCERT recommends that relevant manufacturers and users pay more attention to the security of networked smart devices and take the following protective measures:
1. Smart device manufacturers should strengthen product security testing and certification and their technical protection capabilities, raise the security level of their device products, carry out self-inspection of device products, complete security testing before products go to market, establish an active and effective emergency response mechanism, and fix device vulnerabilities promptly.
2. Smart device users and related parties should raise their security awareness, standardise device security configuration, update and upgrade firmware promptly, fix vulnerabilities, avoid default or weak passwords, and close unnecessary remote service ports. Where a remote port must be opened, configure a firewall policy, set up NAT mapping and move the service to a non-default port; and, unless it is necessary, do not store personal information such as names, ID card numbers, account numbers, phone numbers and addresses on the device.
3. If a device behaves abnormally in an unexplained way, contact a security organisation or the manufacturer promptly, follow the relevant announcements issued by CNCERT, and take countermeasures to avoid security risks and hidden dangers.