Two years ago, IoT attacks were considered exotic, an aberration of interest mainly to those in the industry and conspiracy theorists. No longer. The recent “teddy bear” data breach, which exposed more than 2 million children’s and parent’s voice recordings along with emails and passwords, forcing IoT cybersecurity dangers to become a mainstream household concern. And the few who were still unaware certainly got the message earlier this month, with the WikiLeaks revelation of the CIA hacking tool that can turn Samsung TVs into eavesdropping devices.
The evolution of IoT malware mirrors that of PC-based malware, but at lightning speed. The first attacks were essentially pranks, tricksters seeing what they could do, like the 2012 “Internet Census” powered by a botnet of 400,000+ embedded devices. Bad actors were quick to see the possibilities, leading to the Mirai botnet-based DDoS attacks on Dyn, Deutsche Telekom and others. The latest transition is the monetization of IoT malware by hiring out these botnets, ransomware or ad-click fraud providers such as the Linux/Moose botnet operators selling Instagram followers.
IoT attack trends
While these attacks may be minor compared to the mega-record, mega-expensive breaches we’ve seen, the potential is huge. Gartner predicts IoT devices will reach an installed base of 21 billion units by 2020. And we’re not just talking toasters, teddy bears and TVs — by 2020, there will be 250 million “connected” cars on the road. This brings the problem to an entirely new level.
Given the sheer variety of IoT devices and opportunities to exploit them, IoT attacks will develop in several directions.
As IoT expands so will IoT botnets — and their capacity to launch large-scale DDoS attacks. The Mirai DDoS attacks on the Dyn network were the most massive in history, with reported attack strength of 1.2 Tbps and taking down more than 80 major websites. Dyn’s preliminary analysis found that tens of millions of discrete IP addresses associated with the Mirai botnet were part of the attack.
The same botnet interfered with heating distribution in Finland, knocked nearly a million Deutsche Telekom users offline, was used in a DDoS attack on WikiLeaks and disrupted operations of five major Russian banks.
With the public release of the Mirai source code by its creator last October, hackers have already begun developing more virulent and broader reaching strains. Mirai is not a simple attack tool but a development framework. Additional capabilities such as new credential stealing, IP anonymization, persistency and traffic hiding will expand its attack potential. New Mirai strains will also likely include obfuscation techniques that make it difficult to track activity and expanded infection capabilities to target more types of devices.
IoT ransomware attacks
Until recently, IoT ransomware was all theory. At the 2016 DEF CON conference, researchers demonstrated they could infect smart thermostats with ransomware. And in a Bloomberg interview, GM of Intel Security Chris Young sketched a future where hackers demand a ransom before allowing a car owner to drive to work. That future has come sooner than anticipated. In January, attackers locked the electronic key system and computers of a four-star Austrian hotel, demanding $1,800 in bitcoins to restore functionality. They paid up. One can easily imagine cybercriminals making similar ransom demands to unlock hacked medical devices such as insulin pumps or pacemakers.
Ironically, one reason that IoT ransomware is not yet a bigger problem is what makes IoT so difficult to secure — the variety of IoT devices and operating systems means hackers can’t write ransomware that spreads superfast or easily.
IoT as attack vectors to enter an organization
As edge devices proliferate, so do the opportunities to gain entry into the wider network to which they are connected. Unfortunately, in the rush to get to market, many IoT device manufacturers neglect security aspects. Even manufacturers that are conscious of security issues might unknowingly embed insecure third-party components into their products. Many of the webcams enlisted by the Mirai botnet utilized electronic components from the same manufacturer.
IoT for spying and surveillance
One of the most concerning IoT security issues is the ability to invade and expose our most private moments. First reported in 2014, tens of thousands of home security cameras are being hacked and streamed live online. In most cases, changing the default password blocks the feed. However, Senrio researchers discovered a security flaw in D-Link cameras that lets attackers overwrite administrator passwords, exposing thousands of users to hacks not only of their cameras, but the network it connects to.
Even more disturbing are the types of attacks revealed this month by the WikiLeaks CIA dump. According to the documents, Britain’s MI5 and the American CIA worked together to develop a smart TV app, Weeping Angel, that can turn televisions into spying tools. Targeting Samsung TVs specifically, the malware records audio from surrounding areas, including when the user has turned the set off. While it’s unclear at what stage of development this particular project is in, the potential for hacks of this type, when used by malicious hackers, are enormous.
Vendors need to step up
Vendors have been slow to respond to the push for better IoT security, particularly more advanced penetration testing. However, they soon may find the financial consequences persuade them. In 2015, Fiat Chrysler recalled 1.4 million vehicles to install a security patch to prevent hackers from gaining remote control of the engine, steering and other systems. And the FTC recently filed a lawsuit against D-Link for “failing to protect its customers against well-known and easily preventable software security flaws in its routers and IoT cameras.”
Nascent IoT antimalware holds some promise, however approaches that work for PC-based attacks will not work in the IoT world. The high level of device diversity and operating systems versioning pose a barrier for security vendors. Currently, most IoT security products focus on the network side, trying to detect and block attacks by analyzing the traffic. However, these techniques become less relevant when encrypted traffic is involved.
IoT brings new opportunities but also new challenges. Awareness was the first hurdle. Now manufacturers, legislators, cybersecurity vendors and end users all need to do their part.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.