Attila Marosi works as a Senior Threat Researcher at Sophos Labs in Hungary. His talk focused on vulnerable IoT devices that are exposed to the internet. His approach was to look for vulnerable devices with low-cost tools and publicly available data.
He started his talk with the spoiler that he was not going to reveal any new attacks or new techniques. Newer data, however, is more adequate and shows the current state of vulnerable devices connected to the internet. His approach was therefore to test the state of IoT devices such as routers, NAS devices and so on with publicly available data.
As a first step in testing the state of devices, they need to be identified. This could be done with tools like zmap, but these tools are noisy and the resulting database will be obsolete in no time. Another way is to use shodan.io to gather information about devices. A further platform that could be used for research is Censys. It is open and free. It does not cover as much data as Shodan does, but for his research that was no problem.
Besides the scanning, the devices had to be tested for vulnerabilities. No custom exploits were developed, so resources like the full disclosure mailing list or exploitdb were used. The tested exploits had to be simple; no two-step exploits like XSS or XSRF were tested. Memory corruption attacks were not used either. In the end, only HTTP requests, FTP and telnet were used.
The results varied greatly. For one device type, 97% of the devices were vulnerable and only 3% were patched. On the other hand, one device type had only 1% unpatched devices. So the degree of patching varies widely. It was also interesting to see how routers from some manufacturers are only used in one country, but are pretty widespread there.
During his research he could have had access to 878 TB of storage and to 1884 cameras, and could have had 6909 devices under total control. Almost every device he found already had malware installed or, in the case of the NAS devices, malware was ready for download.
His conclusion was that there are even more devices out there, as he did not scan the entire net. Also, some devices might already be part of a botnet and be patched. So it would be quite easy to gain access to a large botnet powered only by IoT devices.