IoT Exploits: Around The World In 120 Days

Executive Summary

Internet of Things (IoT) botnets commonly propagate by exploiting vulnerabilities in IoT devices. Telemetry from our IoT honeypots show the number of exploit attempts originating from bots continues to increase. The vulnerabilities they leverage are old, but clearly not obsolete. The most common exploit seen in our honeypots was first publicly disclosed over four years ago. Certain countries show an affinity for certain types of devices based on the exploit attempts originating from those countries.

Key Findings

  • Our data collection shows attacks targeting well-known IoT vulnerabilities. We witnessed a two-fold increase in the number of exploit attempts from December 2018 compared to January 2019.
  • CVE-2014-8361 dominated the list of IoT exploits to hit our honeypots for the past four months. The exploit vector, publicly disclosed in April of 2015, traces back to several high profile IoT botnets such as Satori and JenX.
  • Based on telemetry from our honeypots we gain unique insight into the geographic dispersion of IoT vulnerabilities and exploitation attempts against them.


Looking at data from our honeypots for the last four months we saw a huge onslaught of attacks related to the Hadoop Yarn exploit described in Mirai: Not Just For IoT Anymore. Disregarding the voluminous Yarn attacks, we start to see a pattern emerge of commonly used exploits targeting IoT devices. Fig 1 shows the top exploits seen by our honeypots in the past four months.

EDB ID Exploit Path
37169 (CVE-2014-8361) /picsdesc.xml
43414 (CVE-2017-17215) /ctrlt/DeviceUpgrade_1
37171 (CVE-2015-2051) /HNAP1/
44576 (CVE-2018-10561) /GponForm/diag_FORM
40500 /cgi-bin/nobody/Search.cgi
43055 /setup.cgi
40740 /UD/act
41471 /shell

Fig 1: IoT Exploits

Our data shows a range of new and old exploits being used to target IoT devices. As we talked about in Regifting Exploits, shelf life for an IoT based exploits can last for years. CVE-2014-8361 is just one such example.

Digging further into our dataset we can see which countries are likely to exploit certain vulnerabilities. Fig 2 shows a donut chart of exploit attempts from December 2018 on the inner ring, and the country of origin on the outer ring. We can see exploits originating from the United Kingdom tend to favor the use of the Realtek SDK Miniigd Command Execution (CVE-2014-8361) exploit. We’re also able to drill down and see only 10 unique sources were used for these attacks. This may indicate that the 10 source IP addresses are in the same botnet.

Fig 2: Exploits Attempts for the Month of December 2018

Unlike the Miniigd and Huawei Router exploits we see the use of the D-Link Devices HNAP Command Execution (CVE-2015-2051) exploit used across several different countries. By examining the payload from these attacks, we can gather if the exploit is being used by one botnet or several.

If we widen our lens back to a 120-day view of our data, we can see a different picture emerge. 94% of the attack traffic during this time frame is related to the Huawei Router exploit (CVE-2017-17215). Our numbers also indicate those attacks came from 59 unique countries as the table below shows.

Requested Path/Exploit Hits Countries
/ctrlt/DeviceUpgrade_1 36159 59
picsdesc.xml 1727 35
HNAP1 642 36
/cgi-bin/nobody/Search.cgi 443 29
shell 96 5
/GponForm/diag_Form 74 17

Fig 3: IoT related attacks for the last 120 days

When looking at the number of attacks for these specific exploits in December 2018 compared to January 2019, we see a 218% increase. More and more botnets are scanning for and attempting to exploit these vulnerabilities. In reviewing the payloads for these attacks, most of the malware being delivered is a Mirai variant, showing an old dog can learn new tricks.


While IoT bots that use default usernames and passwords tend to use a shotgun approach to propagation, bots that use exploits tend to be more targeted per country. As vendors address issues with default or hardcoded password, IoT bots need to adapt to the changing landscape. As evidenced by the increases in exploitation attempts against our honeypots, IoT botnet operators evolve with the changes in device security, continuing their shift to a hybrid approach.

As security practitioners we can learn from attacker’s tactics and figure out which devices tend to be targeted regionally in order to better defend them. It’s critical that IoT security be part of an organization’s security program – patching, testing, monitoring, and incident response.

Leave a Reply

Your email address will not be published. Required fields are marked *