For most of the time since the cyber security firm began operating them two decades ago, the “vast, vast majority” of traffic intercepted by F-Secure’s global network of honeypot systems has been generated by Windows malware and bots. But recently that has changed, the company’s chief research officer, Mikko Hypponen, today told the Cebit trade show in Sydney.
For the first time ever, the majority of traffic captured by the honeypots is Linux traffic. The source of most of that traffic is not infected servers or desktops: “This is IoT Linux distributions. This traffic is coming from infected doorbells, infected security cameras, infected coffee machines. This is what’s happening right now,” Hypponen said.
F-Secure’s Attack Landscape (PDF) for the first six months of 2019 revealed that of 2.9 billion hits on its honeypot servers, 2.1 billion were on TCP ports. Of those, 760 million were on port 23, which is typically used by Telnet.
“Telnet, which is rarely used anymore outside the realm of IoT devices, saw the greatest volumes during the period,” the report said. “Due to the continuing spread of infected IoT devices perpetrated by malware such as Mirai, Telnet continues the run it began in the last half of 2018.”
Mirai, which emerged in 2016, was the dominant strain of malware in the honeypots during the first six months of 2019.
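To show how a port breakdown like the report's (TCP hits, and the share of them on port 23) is derived from raw honeypot connection logs, here is an added example that is not F-Secure's code or data: it parses a constructed, assumed log format, skips malformed lines, and returns the counts a defender would want to track over time.

```python
import re
from collections import Counter

# Constructed honeypot connection records (not F-Secure data), one line per hit:
# "<timestamp> proto=<tcp|udp> src=<ip> dport=<port>". Format is an assumption.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z proto=tcp src=203.0.113.7 dport=23
2019-03-01T10:00:02Z proto=tcp src=203.0.113.9 dport=23
2019-03-01T10:00:03Z proto=udp src=198.51.100.4 dport=5060
2019-03-01T10:00:04Z proto=tcp src=203.0.113.7 dport=2323
2019-03-01T10:00:05Z proto=tcp src=192.0.2.10 dport=445
2019-03-01T10:00:06Z proto=tcp src=203.0.113.11 dport=23
this line is malformed and must be skipped
2019-03-01T10:00:07Z proto=udp src=198.51.100.4 dport=53
2019-03-01T10:00:08Z proto=tcp src=192.0.2.12 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>\S+) dport=(?P<dport>\d+)$"
)


def parse_hits(text):
    """Yield (proto, dport, src) for each well-formed line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], int(m["dport"]), m["src"]


def summarise(text, telnet_ports=(23,)):
    """Count hits per transport and per TCP port, and express Telnet volume
    the way the report does: as hits on port 23 relative to all TCP hits."""
    by_proto = Counter()
    tcp_ports = Counter()
    telnet_sources = set()          # distinct sources hitting Telnet, a proxy for infected hosts
    for proto, dport, src in parse_hits(text):
        by_proto[proto] += 1
        if proto == "tcp":
            tcp_ports[dport] += 1
            if dport in telnet_ports:
                telnet_sources.add(src)
    tcp_total = by_proto["tcp"]
    telnet_hits = sum(tcp_ports[p] for p in telnet_ports)
    return {
        "total": sum(by_proto.values()),
        "tcp": tcp_total,
        "telnet_hits": telnet_hits,
        "telnet_share_of_tcp": telnet_hits / tcp_total if tcp_total else 0.0,
        "telnet_sources": len(telnet_sources),
        "top_tcp_ports": tcp_ports.most_common(3),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Passing `telnet_ports=(23, 2323)` also counts the common alternate Telnet port, which the report's figures do not break out separately.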
“We tend to have these great innovations that initially seem like a great idea, so we’ve deployed everywhere, only to realise much later that it was a horrible mistake,” Hypponen said during his keynote address at Cebit.
The proliferation of insecure IoT devices is akin to “IT asbestos,” the F-Secure executive said. Asbestos was once considered a “great new material” that was cheap to manufacture and could be used for fireproofing, Hypponen said — “and it turned out to be a horribly bad idea.”
“Today’s IT asbestos is the idea of putting an outdated Linux distribution inside every device we manufacture, making sure that the end user can’t update or patch the outdated Linux kernel, have a built-in root password that they can’t change, leave all ports open, and then deploy these into the open Internet by the millions — because that’s what we’re doing right now,” he said.
“This is the asbestos problem of the future unless we do something about it,” he added. He said that one path forward may be a self-certification process by IoT vendors “because they do realise we have to change”.