Researchers discover over 170 million exposed IoT devices in major US cities

Webcams, medical devices, routers and databases are only some of the devices on show.
Written by Charlie Osborne, Contributing Writer


Researchers have discovered more than 178 million Internet of Things (IoT) devices visible to attackers in the ten largest US cities.

On Wednesday, researchers Numaan Huq and Stephen Hilt from Trend Micro revealed at the RSA conference in San Francisco, California, that many IoT devices lack basic security and are visible through services such as the Shodan search engine, which indexes devices that are reachable from the Internet.

While the research focuses on visibility rather than on specific vulnerabilities, bugs, and security flaws, having millions of devices with open ports visible to anyone who looks can leave them exposed to compromise and to conscription into DDoS attacks.

One such example is the Mirai botnet that harnessed millions of vulnerable IoT devices to launch debilitating attacks against online services last year.

The team found webcams, network-attached storage (NAS) devices, routers, printers, mobile devices and medical products, among others, which were visible through the search engine. In addition, Trend Micro says that the company found a "significant" number of web and email servers and databases.


Not only can these devices become compromised by cyberattackers looking to steal sensitive data, but exposed products could also be inadvertently leaking data such as personally identifiable information (PII) without the owner's knowledge through open directories on web servers, unauthenticated webcam feeds and exposed ICS Human Machine Interfaces (HMIs), among other systems.

There are a number of reasons why devices can end up exposed online. It may be that a device is hosted on incorrectly configured network infrastructure which allows direct device or system access, or it may be that devices are required to be connected to the web to function properly.

In addition, cyber assets may have remote access enabled for troubleshooting and general operation but are not secured properly.

These devices can end up being targeted by anyone, whether script kiddies, state-sponsored threat actors, hacktivists or business rivals. In today's society, knowledge is money, and whether they are targeted for the sake of stealing information to sell in the Dark Web or compromising larger systems to spy on competitors, today's often poorly-secured IoT devices have carved new paths for attackers to exploit.

The research team used scan data provided by Shodan for February 2016. In that period, a total of 178,032,637 records were generated from scanning 45,597,847 unique IPv4 and 256,516 unique IPv6 addresses. (Cloud service providers such as Amazon, Azure, Akamai, and CloudFlare were excluded from the results.)

Trend Micro then separated the data into different sets for the ten largest US cities by population -- New York City, Los Angeles, Chicago, Houston, Philadelphia, Phoenix, San Antonio, San Diego, Dallas, and San Jose.

In the graph below, you can see that populations are not necessarily proportionate to exposed device rates. Over three million exposed devices were discovered in the cities of Los Angeles and Houston, while New York -- with far more residents than Houston -- had 3.78 times fewer cyber assets exposed in comparison.

[Graph: exposed devices per city. Image: Trend Micro]

Most of the exposed devices found by the Shodan crawler are Linux-based embedded IoT devices. A number of the visible servers also ran the Linux, Apache, MySQL, and PHP (LAMP) stack.

Mac OS X was present on a minuscule number of devices, while Windows devices were "largely prominent," according to the team.

[Graph: operating systems of exposed devices. Image: Trend Micro]

The Shodan crawler also tests for certain vulnerabilities -- digital video recorder configuration disclosure (CVE-2013-1391), argument injection in PostgreSQL (CVE-2013-1899), Heartbleed (CVE-2014-0160), Freak (CVE-2015-0204) and Jetty remote unauthenticated credential disclosure (CVE-2015-2080).

However, the researchers are keen to note the vast majority of devices and servers scanned by Shodan are now patched against these vulnerabilities.
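The city-level breakdown described above (records partitioned by city, with comparisons such as Houston against New York) and the per-CVE flags that Shodan's crawler records can be reproduced in a few lines over an export of scan data. The following is an added example of how a defender might triage such an export for their own address space; it is not code from Trend Micro or from the article. The field names (ip_str, port, product, os, location.city, vulns) are modelled on Shodan's banner JSON as an assumption, the product-to-category heuristic is the example's own, and the sample records are constructed here using RFC 5737 documentation addresses rather than taken from the study.

```python
import json
from collections import Counter

# Constructed sample export, one JSON object per line, in the shape of Shodan
# banner records (assumed field names). Addresses are RFC 5737 documentation
# ranges; nothing here comes from the Trend Micro data set.
SAMPLE_EXPORT = """\
{"ip_str": "192.0.2.10", "port": 80, "product": "IP Camera", "os": "Linux", "location": {"city": "Houston"}, "vulns": {}}
{"ip_str": "192.0.2.11", "port": 5432, "product": "PostgreSQL", "os": "Linux", "location": {"city": "Houston"}, "vulns": {"CVE-2013-1899": {"verified": false}}}
{"ip_str": "192.0.2.11", "port": 443, "product": "Apache httpd", "os": "Linux", "location": {"city": "Houston"}, "vulns": {"CVE-2014-0160": {"verified": true}}}
{"ip_str": "192.0.2.12", "port": 502, "product": "Modbus", "os": null, "location": {"city": "Houston"}, "vulns": {}}
{"ip_str": "198.51.100.5", "port": 9000, "product": "NAS web interface", "os": "Linux", "location": {"city": "New York"}, "vulns": {}}
{"ip_str": "198.51.100.6", "port": 8080, "product": "Jetty", "os": "Windows", "location": {"city": "New York"}, "vulns": {"CVE-2015-2080": {"verified": false}}}
{"ip_str": "203.0.113.7", "port": 3306, "product": "MySQL", "os": "Linux", "location": {"city": "Los Angeles"}, "vulns": {}}
{"ip_str": "203.0.113.8", "port": 22, "product": "OpenSSH", "os": "Linux", "location": {"city": "Los Angeles"}, "vulns": {}}
{"ip_str": "203.0.113.9", "port": 443, "product": "Apache httpd", "os": "Linux", "location": {"city": "Los Angeles"}, "vulns": {"CVE-2014-0160": {"verified": true}}}
"""

# Product-keyword heuristic for the device classes named in the article
# (webcams, NAS, routers, printers, databases, web/mail servers, ICS HMIs).
# This mapping is an assumption of the example, not the study's own method;
# first match wins, so list more specific keywords first.
PRODUCT_KEYWORDS = [
    ("camera", "webcam"), ("ipcam", "webcam"),
    ("nas", "NAS"),
    ("router", "router"),
    ("printer", "printer"),
    ("postgresql", "database"), ("mysql", "database"), ("mongodb", "database"),
    ("httpd", "web server"), ("nginx", "web server"), ("jetty", "web server"),
    ("smtp", "mail server"), ("postfix", "mail server"),
    ("modbus", "ICS/HMI"),
    ("openssh", "remote access"), ("telnet", "remote access"),
]

# Fallback when the banner carries no recognisable product string.
PORT_FALLBACK = {
    80: "web server", 443: "web server", 8080: "web server",
    3306: "database", 5432: "database", 27017: "database",
    25: "mail server", 502: "ICS/HMI",
    22: "remote access", 23: "remote access", 3389: "remote access",
}


def parse_jsonl(text):
    """Parse a newline-delimited JSON export into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Assign a record to a device class by product string, then by port."""
    product = (record.get("product") or "").lower()
    for keyword, category in PRODUCT_KEYWORDS:
        if keyword in product:
            return category
    return PORT_FALLBACK.get(record.get("port"), "other")


def exposure_by_city(records):
    """Per city: record count, unique IPs, device classes and OS families."""
    acc = {}
    for r in records:
        city = (r.get("location") or {}).get("city") or "unknown"
        e = acc.setdefault(city, {"records": 0, "ips": set(),
                                  "categories": Counter(), "os": Counter()})
        e["records"] += 1
        e["ips"].add(r["ip_str"])          # several records may share one host
        e["categories"][classify(r)] += 1
        e["os"][r.get("os") or "unknown"] += 1
    return {city: {"records": e["records"], "unique_ips": len(e["ips"]),
                   "categories": e["categories"], "os": e["os"]}
            for city, e in acc.items()}


def cve_exposure(records):
    """Count how many records the crawler still flags for each CVE."""
    counts = Counter()
    for r in records:
        for cve in (r.get("vulns") or {}):
            counts[cve] += 1
    return counts


def exposure_ratio(summary, city_a, city_b):
    """How many times more exposed records city_a has than city_b."""
    return round(summary[city_a]["records"] / summary[city_b]["records"], 2)


if __name__ == "__main__":
    records = parse_jsonl(SAMPLE_EXPORT)
    summary = exposure_by_city(records)
    for city, e in sorted(summary.items(), key=lambda kv: -kv[1]["records"]):
        print(f"{city}: {e['records']} records, {e['unique_ips']} hosts, "
              f"{dict(e['categories'])}, os={dict(e['os'])}")
    print("still flagged:", dict(cve_exposure(records)))
    print("Houston vs New York:", exposure_ratio(summary, "Houston", "New York"))
```

Counting unique hosts separately from records matters for the kind of figures quoted above: one device with several open services produces several records, so record counts overstate the number of machines. The `vulns` tally is the defender's counterpart to the patch-status observation in the article; any CVE that still shows a non-zero count against your own ranges is a direct remediation list.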

"Connected devices are an integral part of our daily lives. Ideally, device security should not affect availability and should be transparent to the user," Trend Micro says. "There is no 'one size fits all' cybersecurity solution for connected devices. [...] Users must be able to rely on device manufacturers to enable strong security out of the box."
