Since the outbreak of the IoT malware "Mirai," several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/password settings are not strong enough. Several IoT malware families, including Mirai, are also known to restrict access to Telnet and other services after infection, to keep the devices from being infected by other malware. However, according to network scan results, the Telnet services of tens of thousands of devices in Japan can still be accessed over the Internet. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of large-scale darknet monitoring to reveal whether or not IoT devices with weak credentials are infected with malware. Moreover, we analyze the IoT devices with weak credentials to find the factors that prevent these devices from being infected with malware and to assess the risk of abuse in cyber attacks. The results of the analysis reveal that approximately 2,000 devices can be easily logged in to using weak credentials in one month in Japan. We also clarify that, with the exception of only one host, no device is infected with Mirai or its variants, due to a lack of functions used for malware infection. Finally, even though the devices logged in to by the NOTICE project are not infected with Mirai, we find that at least 80% and 93% of the devices can execute arbitrary scripts and can send packets to arbitrary destinations, respectively.
Kosuke MURAKAMI
National Institute of Information and Communications Technology, KDDI Research Inc.
Takahiro KASAMA
National Institute of Information and Communications Technology
Daisuke INOUE
National Institute of Information and Communications Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Kosuke MURAKAMI, Takahiro KASAMA, Daisuke INOUE, "A Large-Scale Investigation into the Possibility of Malware Infection of IoT Devices with Weak Credentials" in IEICE TRANSACTIONS on Information,
vol. E106-D, no. 9, pp. 1316-1325, September 2023, doi: 10.1587/transinf.2022ICT0001.
Abstract: Since the outbreak of the IoT malware “Mirai,” several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/password settings are not strong enough. Several IoT malware families, including Mirai, are also known to restrict access to Telnet and other services after infection, to keep the devices from being infected by other malware. However, according to network scan results, the Telnet services of tens of thousands of devices in Japan can still be accessed over the Internet. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of large-scale darknet monitoring to reveal whether or not IoT devices with weak credentials are infected with malware. Moreover, we analyze the IoT devices with weak credentials to find the factors that prevent these devices from being infected with malware and to assess the risk of abuse in cyber attacks. From the results of the analysis, we find that approximately 2,000 devices can be easily logged in to using weak credentials in one month in Japan. We also clarify that, with the exception of only one host, no device is infected with Mirai or its variants, due to a lack of functions used for malware infection. Finally, even though the devices logged in to by the NOTICE project are not infected with Mirai, we find that at least 80% and 93% of the devices can execute arbitrary scripts and can send packets to arbitrary destinations, respectively.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2022ICT0001/_p
@ARTICLE{e106-d_9_1316,
author={Kosuke MURAKAMI and Takahiro KASAMA and Daisuke INOUE},
journal={IEICE TRANSACTIONS on Information},
title={A Large-Scale Investigation into the Possibility of Malware Infection of IoT Devices with Weak Credentials},
year={2023},
volume={E106-D},
number={9},
pages={1316-1325},
keywords={},
doi={10.1587/transinf.2022ICT0001},
ISSN={1745-1361},
month={September},}
TY - JOUR
TI - A Large-Scale Investigation into the Possibility of Malware Infection of IoT Devices with Weak Credentials
T2 - IEICE TRANSACTIONS on Information
SP - 1316
EP - 1325
AU - Kosuke MURAKAMI
AU - Takahiro KASAMA
AU - Daisuke INOUE
PY - 2023
DO - 10.1587/transinf.2022ICT0001
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E106-D
IS - 9
JA - IEICE TRANSACTIONS on Information
Y1 - September 2023
ER -