Part of our mission here at the CyberSecurity & Networking Division is advancing applied cybersecurity and networking research and anticipating future security trends and threats. Working towards that end is the Science DMZ Actionable Intelligence Appliance (SDAIA) project—currently in development—which collects data from allocated but unused networking space. The data is analyzed for potential threats and shared with participating partners.
Large amounts of data have been collected from many thousands of unused IPs, and we have noticed several trends. All of the data collected so far consists of SSH brute-force attacks, in which automated attackers attempt to guess user and password combinations that would give them access to devices listening with an SSH service. Many of the user/password combinations indicate an attacker preference for connected, embedded or "smart" devices, often referred to as the Internet of Things, or IoT. For example, within the 20 most common hits we found:
| User | Password | Device |
| --- | --- | --- |
| ubnt | ubnt | "wireless networking equipment" |
| root | openelec | "Linux based media center" |
| root | dreambox | "Linux based set-top box receiver" |
| root | raspberrypi | "single board computer, typically running Linux" |
| root | 000000 | "imaging, webcam" |
| pi | raspberry | "single board computer, typically running Linux" |
| root | xmhdipc | "imaging, webcam" |
| root | anko | "imaging, webcam" |
| root | welc0me | "Linux based NAS device" |
| root | rpitc | "raspberrypi thin client" |
| root | uClinux | "Linux on embedded microcontrollers" |
| root | seiko2005 | "unknown" |
| root | nosoup4u | "Linux based NAS device" |
| root | alpine | "smart phone" |
| root | ubnt | "wireless networking equipment" |
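The kind of tally described above can be reproduced over any set of captured login attempts. The following is an added example, not SDAIA code: the record layout, the sample records and the function names are assumptions made for illustration, and only the credential pairs and device labels come from the table.

```python
import re
from collections import Counter

# A subset of the credential pairs and device classes from the table above.
IOT_DEFAULTS = {
    ("ubnt", "ubnt"): "wireless networking equipment",
    ("root", "dreambox"): "Linux based set-top box receiver",
    ("pi", "raspberry"): "single board computer, typically running Linux",
    ("root", "xmhdipc"): "imaging, webcam",
    ("root", "alpine"): "smart phone",
}

# Assumed layout (constructed): <time> <source-ip> ssh-login user=<u> pass=<p>
LINE_RE = re.compile(r"^\S+ (\S+) ssh-login user=(\S*) pass=(.*)$")

# Constructed sample records; source addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z 192.0.2.10 ssh-login user=root pass=xmhdipc
2024-01-01T00:00:02Z 192.0.2.11 ssh-login user=ubnt pass=ubnt
2024-01-01T00:00:03Z 198.51.100.7 ssh-login user=ubnt pass=ubnt
2024-01-01T00:00:04Z 192.0.2.10 ssh-login user=pi pass=raspberry
2024-01-01T00:00:05Z 203.0.113.5 ssh-login user=admin pass=admin123
2024-01-01T00:00:06Z 192.0.2.11 ssh-login user=ubnt pass=ubnt
garbled record without the expected fields
2024-01-01T00:00:07Z 203.0.113.5 ssh-login user=root pass=xmhdipc
"""

def parse(lines):
    """Yield (source, user, password); skip records that do not match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def summarize(lines, top=3):
    """Rank credential pairs by attempts; report the share found in the table."""
    attempts, sources = Counter(), {}
    for src, user, password in parse(lines):
        attempts[(user, password)] += 1
        sources.setdefault((user, password), set()).add(src)
    ranked = [(pair, n, len(sources[pair]), IOT_DEFAULTS.get(pair, "not in table"))
              for pair, n in attempts.most_common(top)]
    total = sum(attempts.values())
    known = sum(n for pair, n in attempts.items() if pair in IOT_DEFAULTS)
    return ranked, (known / total if total else 0.0)

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines())[0]:
        print(row)
```

Counting distinct sources per pair alongside raw attempts separates one noisy scanner from a credential that many independent attackers try.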