The Internet of Things is the latest in a long line of increasingly important technologies, and the number of connected objects within this web is growing at an exponential rate. Gartner predicted at the end of 2015 that the number of “things” in use in 2016 would grow 22 percent over numbers from 2015, and by 2020, the IT research firm projected that there would be as many as 20.8 billion connected objects in use. Companies and consumers alike are finding the benefits of the IoT to be astounding, and many are excited about its future.
Everyone is using the IoT – but is it safe from cybercrime? Recent events have answered that question with a resounding: “Probably not.”
The IoT is useful…
The uses for things inside the IoT continue to evolve. Whereas just last year, consumers may only have thought of the smart thermostat that allowed them to control their home temperature remotely from their phones, or of wearable activity trackers like the FitBit or Apple Watch. However, there are now many more uses for the IoT than we could have imagined – everything from internet-connected juicers to Barbie dolls to even mascara that collects and sends data back to L’Oreal, according to Forbes contributor Blake Morgan.
Consumers are using the IoT, but so are businesses. Enterprises are using radio-frequency identification devices to assess where products are in the supply chain, generating data that can be used to improve processes and help companies become more competitive in their respective industries..
However, the ubiquity of the IoT might make it a bigger target for cybercrime. TechCrunch contributor Ben Dickson wrote last year that the vulnerabilities of the IoT were being exploited left and right. Wearable devices could be hacked, and it was proven that internet-connected cars could be accessed and controlled from remote locations, opening the doors to that potential danger.
“The gateways that connect IoT devices to company and manufacturer networks need to be secured as well as the devices themselves,” Dickson warned. “IoT devices are always connected and always on. In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system.”
… but security problems abound
Recently, it’s become even more apparent that the IoT needs to be effectively secured. Near the beginning of October, the source code for the Mirai malware was released, according to Infosecurity Magazine contributor Phil Muncaster. The malware scans the web for IoT devices that haven’t been properly secured – i.e., their factory passwords were never changed – and infect them, as it’s easier to infiltrate these devices. What’s worse, after they’re identified and infected, the devices are used as part of a botnet that’s directed to launch distributed-denial-of-service attacks at the hacker’s behest.
Muncaster wrote that security researchers worried that since the source code for the Mirai malware was released on a popular hacker forum, this could mean an increase in DDoS attacks across the board for insecure devices. This could cause widespread brownouts, taking down large parts of the internet. One way to combat this kind of attack is to ensure every device has a unique password, but it’s difficult to follow through on that.
In addition to the increased chance of DDoS attacks, Trend Micro researchers detailed a number of exploits that could be used to infiltrate an IoT network earlier this year., essentially leading to the conclusion that the IoT can definitely be used for cyber extortion. For instance, man-in-the-middle attacks can be executed by exploiting a TCP/IP protocol to tap into a network and intercept traffic to and from an IoT device. This would ultimately give hackers access to these compromised devices, which inevitably leads to even bigger issues, like with the hacked Jeep Cherokee that Dickson mentioned.
The Internet of Unpatchable Things
The same password vulnerability being used by the Mirai malware – the one causing security researchers to warn about DDoS attacks – has recently come back into the limelight, as well. According to ZDNet contributor Charlie Osborne, the 12-year-old security flaw has been found and is being exploited by hackers. The flaw, which is in OpenSSH, has been referred to as “The Internet of Unpatchable Things” by security experts, and is the culprit of several recent SSHowDowN Proxy attacks.
“The security flaw being exploited to create IoT slave networks, CVE 2004-1653, relates to OpenSSH default configurations, which enables TCP forwarding and port bounces when a proxy is in use,” Osborne wrote.
In other words, the warning from Trend Micro researchers about exploits within TCP/IP networks being used to infiltrate IoT devices is coming true. The problem, again, is with manufacturers using uniform factory passwords on their connected objects and the fact that those passwords aren’t changed. CCTV, satellite equipment, routers and external storage products are all in danger of potentially becoming one of these botnets.
What’s the next step?
The fact that IoT devices are being exploited should spur vendors to implement unique passwords and greater security for their products, but what can companies and consumers do to improve their network security in case of an attack? By 2021, according to MarketsandMarkets, the IoT security market will be worth $36.95 billion, growing at a compound annual rate of 36.1 percent from 2016 – a testament to the importance of protecting IoT networks as they become more involved in the everyday technology landscape.
“While there is no silver bullet for completely securing the vast network of connected devices, countermeasures such as implementing a security audit when designing IoT software/hardware, setting up security gateways, adding endpoint monitoring and utilizing real-time log inspection can help mitigate the risks,” wrote Trend Micro researchers.
DDoS attacks and cyber extortion are dangers looming on the normally brilliant horizon of the IoT. Enterprises and consumers alike should take steps to ensure the security of their networks, so that these common IoT exploits don’t take them down. Check out Trend Micro’s IoT information center for up-to-date news on IoT security.