Cyber security company F5 Labs has revealed the top 50 IP addresses responsible for cyber attacks launched by compromised IoT devices. Its headline findings: 36 addresses in China are responsible for 80 percent of attacks from the top 50 addresses and, overall, China was the source of 44 percent of attack traffic.

F5 Labs has published its finding in The Hunt for IOT The Growth and Evolution of Thingbots, produced in conjunction with data partner Loryka, saying it decided to disclose the top attacking IP addresses because they are not being dealt with. Thingbots are botnets comprising infected IoT devices.

“Ideally we would only see an IP address attacking for a short period of time before it was remediated by either the provider (suspended, disabled, or taken offline), or potentially by the device’s owner. Because these attacking systems are not getting dealt with, we are disclosing the top 50 attacking IP addresses for the first time,” the report says.

F5 concludes its report with a sombre warning: “When the majority of the world is online, smart homes with dozens of Internet-enabled devices and smart cities will be everywhere instead of only in the hands of the early adopters. At that point, IoT thingbots could threaten global stability if we don’t start doing something about it now.”

Also included in the report is a list of the top 50 username and password combinations used in telnet attacks when attempting to brute forcing the admin login, along with what should be a statement of the obvious: “Do not use any of these usernames and passwords for any device, anywhere, ever.”

The likely targets of future attacks

F5 says its hunt for thingbots has primarily focused on port 23 telnet brute force attacks — the ‘low-hanging fruit’ method — as they are the simplest, most common way to compromise an IoT device.  “Telnet brute force attacks against IoT devices rose 249 percent from 2016 to 2017,” it says.

However, it expects these types of attacks to give way to others that are equally easy from a technical standpoint.

“They just require a few more steps in the attack plan, and also affect fewer devices as they target non-standard ports and protocols, specific manufacturers, device types, or models,” F5 says.

“For example, at least 46 million home routers are vulnerable to a remote command injection attack against the custom remote management protocols TR-069 and TR-064. These protocols were created for ISPs to manage their routers deployed at customer homes and were exploited by the Annie thingbot, causing widespread outages for customers of the German ISP Deutsche Telekom and Ireland’s Eircom.”