“In the next century, planet Earth will don an electronic skin. It will use the Internet as a scaffold to support and transmit its sensations. This skin is already being stitched together. It consists of millions of embedded electronic measuring devices: thermostats, pressure gauges, pollution detectors, cameras, microphones, glucose sensors, EKGs, electroencephalographs. These will probe and monitor cities and endangered species, the atmosphere, our ships, highways and fleets of trucks, our conversations, our bodies–even our dreams.”
– Neil Gross for Business Week, 1999
Security specialists have been hinting at the hidden risks of unsecured devices connected to the Internet since the conception of the IoT as we know it today. It’s safe to say that the IoT has evolved so quickly that security (concerns and solutions) never really had the chance to catch up. At least not until things started getting out of hand, each time at a bigger scale, as evidenced by recent DDoS attacks.
The first proven IoT botnet was discovered by Proofpoint researchers in December 2013.
It was indeed an IoT-based cyberattack that involved household smart appliances. The attack campaign was a global one and included over 750,000 malicious email communications coming from at least 100,000 consumer devices such as home-networking routers, connected multi-media centers, televisions and refrigerators. Even then researchers knew that these types of attacks would continue to grow – reports were suggesting that the number of connected devices would grow to more than four times the number of connected computers in the course of the years to come.
What is the biggest problem with IoT security?
The fact that all these smart devices are exposed to the Internet is one thing. These devices are powered by specific computer chips produced by corporations such as Broadcom and Qualcomm. The chips are typically cheap and the manufacturers differentiate themselves from each other just by features and bandwidth.
What manufacturers do is put a version of Linux onto the chips, alongside other open-source components (the keyword here being open-source, a double-edged sword). The worst thing, however, is that not much is done to update (patch) that “board support package”, at least not until patching becomes unavoidable. And as time passes, malicious hackers become more and more aware of how much easier it is to hack routers than computers.
Let’s fast-forward to 2016. This year has seen plenty of attacks that added new shades of trouble to the “connected” security landscape. It’s that time of the 21st century when IoT is pairing up with DDoS.
Take the Linux.Mirai Trojan, which first appeared in May 2016. The Trojan can work with the SPARC, ARM, MIPS, SH-4 and M68K architectures and Intel x86 computers. How does it work, exactly?
Linux.Mirai searches the memory for the processes of other Trojans and terminates them upon its launch. The Trojan then creates a .shinigami file in its folder and verifies its presence regularly to avoid terminating itself. The malware is also designed to connect to a Command & Control server for further instructions.
Upon instruction, the Trojan can launch UDP flood, UDP flood over GRE, DNS flood, TCP flood (several types), and HTTP flood DDoS attacks.
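The .shinigami marker described above gives defenders a concrete artifact to look for. The following is an added example, not part of the original article or of any vendor's tooling: it walks a file tree for the marker and lists processes whose executable was started from the same directory. The function names, the sample paths and the fake /proc tree in demo() are constructed for illustration.

```python
import os
import tempfile

MARKER = ".shinigami"  # marker file name reported in the article

def find_marker_dirs(root, marker=MARKER):
    """Directories under root that contain the marker file."""
    return {os.path.realpath(d) for d, _sub, files in os.walk(root) if marker in files}

def exe_path(proc_root, pid):
    """Target of <proc_root>/<pid>/exe, or None (kernel thread, no permission)."""
    try:
        target = os.readlink(os.path.join(proc_root, pid, "exe"))
    except OSError:
        return None
    # Linux appends " (deleted)" when the binary was unlinked after launch.
    suffix = " (deleted)"
    return target[:-len(suffix)] if target.endswith(suffix) else target

def suspicious_processes(proc_root, marker_dirs):
    """Map pid -> executable path for processes started from a marker directory."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        exe = exe_path(proc_root, pid)
        if exe and os.path.realpath(os.path.dirname(exe)) in marker_dirs:
            found[int(pid)] = exe
    return found

def demo():
    """Run both checks on a constructed file tree and a constructed fake /proc."""
    with tempfile.TemporaryDirectory() as tmp:
        fs, proc = os.path.join(tmp, "fs"), os.path.join(tmp, "proc")
        bad = os.path.join(fs, "var", "run")
        os.makedirs(bad)
        open(os.path.join(bad, MARKER), "w").close()
        # Constructed processes: 101 is benign, 4242 runs from the marker dir.
        links = {"101": os.path.join(fs, "bin", "httpd"),
                 "4242": os.path.join(bad, "sample") + " (deleted)"}
        for pid, target in links.items():
            os.makedirs(os.path.join(proc, pid))
            os.symlink(target, os.path.join(proc, pid, "exe"))
        os.makedirs(os.path.join(proc, "2"))  # kernel thread: no exe link
        dirs = find_marker_dirs(fs)
        procs = suspicious_processes(proc, dirs)
        return (sorted(os.path.relpath(d, os.path.realpath(fs)) for d in dirs),
                {pid: os.path.basename(p) for pid, p in procs.items()})

if __name__ == "__main__":
    print(demo())
```

On a live Linux host, pass "/proc" as proc_root and the directory tree to inspect as root, and run with enough privilege that every exe link is readable.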
As it turned out, Mirai was responsible for the attack on the popular security blog KrebsOnSecurity – one of the largest distributed denial-of-service attacks to date. The source code of the IoT botnet was even leaked online, which raised concerns even more.
Currently, the total number of IoT devices infected with Mirai has reached 493,000, up from 213,000 bots before the source code was dumped online at the beginning of October, as reported by Internet backbone provider Level 3 Communications.
Besides the threats that such IoT botnets bring to our homes, multiple industries are endangered, too. Take the healthcare sector. Recent ABI research suggests that millions of connected medical devices bring new devastating threat vectors into the IT infrastructure of healthcare (which was recently distressed by vicious ransomware attacks), and will critically erode patient safety and efficient care delivery if left in the hands of luck or chance.
The frequency and severity of record-breaking (DDoS) attacks from botnets powered by insecure routers, IP cameras, and a range of other susceptible devices are surely expected to grow, but can something be done to counter the emerging threat?
Secure the IoT and respectively our lives: mission possible?
As security engineers had no choice but to think of immediate protection against ransomware, this sector is currently being improved, too. A good answer to these threats would be an IoT security solution that protects all devices connected to the Internet. Since it’s no longer only our computers that are connected to the Web, all Internet-driven devices should be sheltered against the risks the connectivity poses. All smart appliances should be protected – TVs, Wi-Fi thermostats, refrigerators, gaming consoles, IP cameras. In order for such a solution to be fully effective, it should scan the network and identify the vulnerabilities in the connected devices. Those vulnerabilities can be exploited in remote attacks, because they grant unauthorized access to the network.
No matter if you are a home or business user, unpatched vulnerabilities can cause a great deal of damage, varying from DDoS attacks to malicious software infiltration and sensitive data theft. And even physical damage brought by insecure medical devices!
Sure, the 21st century computer still needs advanced and adequate antivirus software that leads the user safely through his daily online routines. But so does a 21st century smart home.