PINDROP BLOG

IoTSeeker Scanner Finds Smart Devices With Dumb Credentials

With the Mirai botnet still wreaking havoc, and other IoT botnets appearing, security researchers are looking for ways to discover the insecure devices that are being targeted by attackers before they can be compromised. One such effort is a new scanner that will check networks for devices that are using default credentials, which often are exploited by attackers.

The IoTSeeker tool from Rapid7 is designed to comb through users’ networks and identify common IoT devices with default usernames and passwords enabled. Those are the devices upon which botnets such as Mirai feed, especially those with telnet exposed on default ports. Mirai searches for devices that have telnet enabled and are using default credentials, compromises them, and then begins scanning again.

Last month, Mirai was used in a large-scale DDoS attack on DNS provider Dyn, which took many popular sites offline for hours at a time. The attack only used about 100,000 infected devices, researchers said, but was able to disrupt the availability of sites such as Twitter, Reddit, and many others for large portions of the U.S. IoTSeeker can help organizations find vulnerable devices on their networks and see whether they’re still using default credentials.

“This scanner will scan a network for specific types of IoT devices to detect if they are using the default, factory set credentials. The recent Internet outage has been attributed to use the IoT devices (CCTV Cameras, DVRs and others) with default credentials. It’s the intention of this tool to help organizations scan their networks to detect these types of IoT devices and to identify whether credentials have been changed or if the device is still using the factory setting. Note that Mirai malware, suspected to have been used to launch the massive internet outage on Oct. 21, 2016, mainly focuses on telnet services. IoTSeeker focuses on HTTP/HTTPS services,” the notes on GitHub for IoTSeeker say.

One of the characteristics of some botnet malware is that it will change the password on infected devices in order to prevent authorized users or other malware from connecting to and cleaning the device. IoTSeeker can find many different kinds of IoT devices and is designed to run on large networks. The scanner only runs on OS X and Linux.

Image: Danny Oosterveer, CC By-ND 2.0 license.