By Graham Sharples | Threat Analyst
Internet of things (IoT) devices are now embedded in every part of our lives, with more and more devices becoming connected to the internet each day. This is a trend that can trace its origins back to the start of the 1990s wherein a toaster was created by John Romkey that could be turned on and off over the internet. This demonstrated what could potentially be achieved with everyday household appliances. Today, IoT devices are in nearly every electronic device we use and with IBM’s announcement in 2018 that they had made the smallest computer in the world measuring 1 millimetre by 1 millimetre, there is almost nothing an IoT device can’t fit into.
However, with the huge scale of IoT devices connected to the internet comes a wave of products that are potential targets for malicious actors. Given that many of the devices we use in our homes are now or may soon be IoT enabled, our homes now have a threat landscape all of their own. This increases further when multiple IoT devices are connected. In 2019 researchers from the University of Michigan identified that they could use lasers to interact with a variety of voice-activated devices including the Amazon Echo. With multiple devices potentially being connected to an Amazon Echo, an individual with a line of sight could stand some distance away from a property and activate any connected features, such as opening a garage door. What’s more, a post by the internet security company Norton predicts that by 2025 there will be an estimated 21 billion IoT devices connected to the internet, creating a potentially worrying situation for both domestic and business security landscapes.
In this post, we’ll continue to explore how the IoT can be exploited if such enabled technologies fall into the wrong hands, as well as the potential impacts of this exploitation.
Why Are IoT Devices Targeted
IoT devices are a hugely attractive target for hackers because the IoT device industry is too convenient for businesses and individuals not to use. Every day more affordable IoT devices are created that are Wi-Fi compatible with the option to control them from your smartphone.
However, vendors for the longest time have not incorporated adequate IoT device security controls within their products. A lot of IoT devices are created by the cheapest means possible, including the firmware that is installed within the device. These devices are then shipped to the client. By the time the device reaches the customer, little to no security testing has taken place on the device, with ports usually left open to receive updates as required. Couple this with the fact that multiple IoT devices such as IP cameras and smart hubs may be using the same blueprints for the base components/firmware, and a vulnerability that affects one device may affect multiple.
Types of IoT Threat Actors
Botnet: Targeting IoT devices with malware for the purposes of creating an IoT Botnet is big business. With the sheer number of potentially vulnerable devices connected to the internet, a Botnet consisting of IoT devices could be much larger than a Botnet of compromised computers making them much more appealing.
Crypto-miners: Within recent years Botnets have been seen attempting to mine cryptocurrencies from IoT devices. While this sounds like a simple, effective plan, most IoT devices lack the hardware required to adequately mine cryptocurrencies. Botnets such as ‘LiquorBot’, ‘Mirai-variant’ and ‘Linux.MulDrop.14’ have all tried and failed in their attempts.
Ransomware attacks: Many have speculated that the next ransomware attacks may target IoT devices. Rather than holding single companies to ransom, a malicious actor may decide to target for example smart thermostats. One exploit targeting a type of smart thermostat could compromise thousands of devices.
IoT Threat Actors’ Targeted Areas of Interest
There are many ways in which a hacker could exploit an IoT device. Many of these vulnerabilities arise because the IoT industry is currently geared towards mass production of IoT devices, mainly for cost benefits. The bullet points below should give a rough idea of what areas hackers are interested in when they research IoT devices.
- Weak Passwords: These often need changing by the owner to something more secure but often never get changed.
- Hard-Coded Credentials: Master passwords are sometimes set on devices, and these can sometimes be identified on start-up of the device through serial connections.
- Backdoors: Ports left open with simple passwords for manufacturer support and to receive updates.
- Insecure Network Services: Unneeded services exposed to the internet for no purpose.
- Encryption: Or lack of it at rest, in transit and/or during processing.
- Outdated Components/Software: Deprecated software components/libraries.
- Web Interface: Often riddled with XSS and other vulnerabilities.
- Physical Access: Accessibility of UART/JTAG ports to connect via serial connection to the device.
Botnet for Hire
There are multiple reasons a hacker would decide to target IoT devices, such as the creation of a Botnet from which to launch distributed denial of service (DDoS) attacks against a target or to install ransomware for financial gain. Whatever the reason there is malware/ransomware available online to achieve these aims. BASHLITE is one such malware variant which was used widely in 2014 to exploit the Shellshock vulnerability. Again, in 2019, a similar variant of malware known as Gafgyt was identified as having been updated to target wireless routers such as Huawei’s HG532.
DDoS attacks on their own are not profitable, but a new area has been opening up to accommodate a technique within the games industry. Once compromised IoT devices are under the control of a Botnet, these Botnets are being hired out to individuals under the label ‘Botnet for hire service’. In essence, individuals have the ability to launch DDoS attacks against their gaming opponents’ servers in revenge for gaming sessions lost. While first thoughts of the use of DDoS may have you thinking about a threat actor attempting to hold down the financial services of an organisation or a hacktivist group targeting a website for a cause, the reality is that the demographics are changing and so is the ease of use. The demographic is now young gamers, and the researchers from Unit 42 noted that the Botnet for hire services are being advertised on social media platforms for as little as $8 to hire.
Over the last 5 years ransomware has gained huge traction with hackers. The simplicity and anonymous nature of the risk to reward style of this attack can’t be ignored. Statistics vary but point to an increase in the number of businesses agreeing to pay the ransom in the hope that the malicious actor agrees to unlock their data. After all, this is a business for the malicious actor as well. If the malicious actor gets known for releasing encrypted data then the chances of future payments from other businesses potentially increase. The tricky part is finding a target. But as the WannaCry attack of 2017 showed, one successful attack could be all you need. Infecting more than 200,000 computers in more than 150 countries, WannaCry showed the impact ransomware could have.
Now imagine an attack that is successful against IoT devices. You might return home to find your Hive thermostat locked so you cannot activate your heating or hot water. While not the end of the world you could be financially out of pocket and in the winter losing your heating or hot water would be something that needs addressing fast.
In recent years ransomware has been identified as being offered as a service in much the same way as Botnets. Known as ‘Ransomware as a service’, cybercriminals are trying to mitigate the time it takes to understand and compromise a target while increasing profits. This increases the number of potential users as novice cybercriminals will now be able to participate without too much difficulty. Essentially ransomware authors make quick money and crime groups don’t waste time writing malicious code.
To conclude, the IoT industry is changing slowly. Unfortunately, it takes cyber-attacks to make businesses think about how much time and money goes into the development and creation of these devices. With the ever-increasing attack surface that IoT devices potentially provide, users should, while difficult, try to research and understand the IoT device before they purchase it. For example, is the company that provides the device reputable, what does the company do with your data and are firmware updates provided? Further security checks should include:
- Routers 4 to 5 years old should be changed for newer models.
- Change the default admin passwords to meet strong unique criteria.
- Do not leave devices in their standard configuration.
- Ensure you know what features are turned on and in use by the device.
- If you have an IoT device that you don’t use via the internet, turn its Wi-Fi connectivity off.
- Regardless of the device, backup your data!
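The checklist above can be applied to a written inventory of the devices in a home or office. The following is an added example, not part of the original post: the inventory entries, field names and finding labels are all constructed for illustration, and the router age limit uses the lower bound of the "4 to 5 years" given above.

```python
from datetime import date

# Constructed sample inventory of a home network (hypothetical devices and fields).
INVENTORY = [
    {"name": "hall-router", "kind": "router", "purchased": date(2015, 3, 1),
     "admin_password_changed": False, "enabled": {"upnp", "remote-admin", "wifi"},
     "in_use": {"wifi"}, "used_over_internet": True},
    {"name": "garden-camera", "kind": "ip-camera", "purchased": date(2019, 6, 1),
     "admin_password_changed": True, "enabled": {"wifi", "telnet"},
     "in_use": {"wifi"}, "used_over_internet": True},
    {"name": "smart-kettle", "kind": "appliance", "purchased": date(2019, 1, 15),
     "admin_password_changed": True, "enabled": {"wifi"},
     "in_use": set(), "used_over_internet": False},
]

ROUTER_MAX_AGE_YEARS = 4  # assumption: lower bound of the post's "4 to 5 years"

def audit_device(dev, today):
    """Return the list of checklist findings for one inventory entry."""
    findings = []
    age_years = (today - dev["purchased"]).days / 365.25
    if dev["kind"] == "router" and age_years >= ROUTER_MAX_AGE_YEARS:
        findings.append("router-too-old")
    if not dev["admin_password_changed"]:
        findings.append("default-admin-password")
    # Features switched on but not in use; Wi-Fi is judged separately below.
    unused = dev["enabled"] - dev["in_use"] - {"wifi"}
    if unused:
        findings.append("unused-features:" + ",".join(sorted(unused)))
    if "wifi" in dev["enabled"] and not dev["used_over_internet"]:
        findings.append("wifi-on-but-not-needed")
    return findings

def audit(inventory, today):
    """Map device name -> findings, skipping devices with none."""
    report = {d["name"]: audit_device(d, today) for d in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2020, 1, 1)).items():
        print(name, "->", "; ".join(findings))
```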
Hackers have demonstrated in the past that they can leverage IoT devices for their own purposes. Combine this with the ever-increasing threat surface and the number of devices becoming connected to the internet, and you can be sure that the trend of attacks against IoT devices will increase.
For more guidance on this topic, please don't hesitate to get in touch with the team.