物联网安全年报Annual IoT Cybersecurity Report2019关于中国电信网络与信息安全研究院中国电信网络与信息安全研究院，负责全面支撑中国电信大网的安全运营，发挥央企责任，营造清朗网络空间。终端安全研究所主要负责泛智能终端和设备的安全技术研究，包括物联网和智慧家庭等终端设备，以及终端安全检测、身份认证技术、密码技术的应用研究、工业互联网安全研究等。关于绿盟科技北京神州绿盟信息安全科技股份有限公司（以下简称绿盟科技公司），成立于 2000年 4月，总部位于北京。公司于 2014 年 1 月 29 日在深圳证券交易所创业板上市，证券代码： 300369。绿盟科技在国内设有 40 多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供全线网络安全产品、全方位安全解决方案和体系化安全运营服务。公司在美国硅谷、日本东京、英国伦敦、新加坡设立海外子公司，深入开展全球业务，打造全球网络安全行业的中国品牌。版权声明为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。2019 物联网安全年报A目录执行摘要 ··································································································································································· 21. 2019 年重大物联网安全事件回顾 ······················································································································ 51.1 委内瑞拉和纽约的大规模停电事件 ·········································································································································· 61.1.1 事件回顾 ······································································································································································································ 61.1.2 小结 ·············································································································································································································· 81.2 受远程代码执行问题影响的 D-Link 路由器将不会被修复 ···································································································· 81.2.1 事件回顾 ······································································································································································································ 81.2.2 原理简述 ······································································································································································································ 81.2.3 小结 ·············································································································································································································· 91.3 物联网僵尸网络再次发起大规模 DDoS 攻击 ·························································································································· 91.3.2 事件回顾 ······································································································································································································ 91.3.1 原理简述 ···································································································································································································· 101.3.3 小结 ············································································································································································································ 101.4 泄露代码暴露波音 787 系统中存在多个漏洞 ······················································································································· 111.4.1 事件回顾 ···································································································································································································· 111.4.2 原理简述 ···································································································································································································· 111.4.3 小结 ············································································································································································································ 121.5 LockerGoga 的勒索软件疑屡次攻击工厂 ······························································································································ 131.5.1 事件回顾 ···································································································································································································· 131.5.2 原理简述 ···································································································································································································· 131.5.3 小结 ············································································································································································································ 141.6 WS-Discovery 服务首次被发现用于 DDoS 反射攻击 ·········································································································· 141.6.1 事件回顾 ···································································································································································································· 141.6.2 原理简述 ···································································································································································································· 151.6.3 小结 ············································································································································································································ 151.7 黑客使用弱口令接管了 29 个 IoT 僵尸网络 ························································································································· 151.7.1 事件回顾 ···································································································································································································· 151.7.2 原理简述 ···································································································································································································· 161.7.3 小结 ············································································································································································································ 172019 物联网安全年报B1.8 日本通过法律修正案，允许政府入侵物联网设备 ··············································································································· 171.8.1 事件回顾 ···································································································································································································· 171.8.2 小结 ············································································································································································································ 171.9 总结 ····························································································································································································· 182. 物联网资产暴露情况分析 ·································································································································· 192.1 引言 ····························································································································································································· 202.2 国内 IPv4 物联网资产实际暴露情况 ····································································································································· 202.3 亚太部分地区 IPv4 物联网资产实际暴露情况 ······················································································································ 212.4 IPv6 物联网资产实际暴露情况研究 ······································································································································· 232.4.1 IPv6 地址简介 ··························································································································································································· 232.4.2 从已知 IPv6 地址集合中发现物联网资产 ············································································································································· 262.4.3 基于 IPv6 地址生成特征的启发式测绘 ················································································································································· 282.4.4 基于 UPnP 双栈服务的启发式测绘 ······················································································································································· 302.5 小结 ····························································································································································································· 353. 物联网威胁分析漏洞篇 ··································································································································· 363.1 引言 ····························································································································································································· 373.2 物联网漏洞及利用情况 ···························································································································································· 373.2.1 NVD 漏洞情况 ··························································································································································································· 373.2.2 Exploit-DB 的 PoC 情况 ··········································································································································································· 383.2.3 物联网终端固件风险分析 ······································································································································································· 393.3 物联网漏洞利用整体情况 ························································································································································ 423.4 重点物联网漏洞利用情况 ························································································································································ 443.4.1 Eir D1000 路由器漏洞利用情况 ····························································································································································· 443.4.2 磊科路由器后门利用情况 ······································································································································································· 473.5 小结 ····························································································································································································· 514. 物联网威胁分析协议篇 ··································································································································· 524.1 引言 ····························································································································································································· 532019 物联网安全年报C4.2 针对 Telnet 协议的威胁分析 ··················································································································································· 534.2.1 攻击源活跃情况 ························································································································································································ 534.2.2 攻击源国家分布 ························································································································································································ 544.2.3 攻击源开放端口分布 ················································································································································································ 554.2.4 攻击源设备类型分布 ················································································································································································ 554.2.5 攻击源爆破弱口令分析 ············································································································································································ 564.2.6 利用 Telnet 协议的攻击行为分析 ··························································································································································· 574.3 针对 WS-Discovery 协议的威胁分析 ······································································································································ 574.3.1 WS-Discovery 暴露情况分析 ·································································································································································· 574.3.2 WS-Discovery 反射攻击分析 ·································································································································································· 594.4 针对 UPnP 协议的威胁分析 ···················································································································································· 624.4.1 UPnP 暴露情况分析 ················································································································································································· 624.4.2 UPnP 端口映射服务威胁分析 ································································································································································· 654.4.3 针对 UPnP 漏洞的恶意行为分析 ····························································································································································714.5 小结 ····························································································································································································· 745. 面向物联网终端的安全防护机制 ······················································································································· 755.1 引言 ····························································································································································································· 765.2 物联网基础设施安全防护 ························································································································································ 765.3 物联网终端的防护体系 ···························································································································································· 775.4 物联网终端的信息保护 ···························································································································································· 795.4.1 防护思路 ···································································································································································································· 795.4.2 防护方式 ·····················································