The Internet of Things (IoT)—the network of devices embedded with capabilities to collect and exchange information—has long attracted the attention of cybercriminals, and that attention grows as adoption does. Gartner has estimated that more than 20.8 billion IoT devices will be in use by 2020, that IoT will be leveraged by over half of major business processes and systems, and that enterprises will lead in driving IoT revenue.
How can cybercriminals potentially take advantage of this? Despite being equipped with new applications and hardware, most IoT devices ship with outdated connection protocols and operating systems (OS). Remotely controlled lightbulbs and WiFi-enabled In-Vehicle Infotainment (IVI) systems, for instance, mostly run Linux and are developed in C without safe compiler options. They also use dated connection protocols such as TCP/IP (1989, RFC 1122), ZigBee (2004 specification) and CAN 2.0 (1991), which, when exploited, can open the device to remote access.
For instance, exploiting the TCP/IP protocol can lead to a man-in-the-middle attack, in which a malicious third party taps into an IoT device's network, intercepts its traffic and ultimately gains access to the device.
Figure 1. How a TCP/IP exploit can lead to a man-in-the-middle attack.
Hacking into IoT devices can involve several stages:
Reconnaissance and Proof of Concept (PoC)
Hackers can focus on researching a target device, looking for vulnerabilities and studying PoCs from which they can derive exploits to use against the target. Examples of such PoCs include vulnerabilities found in Digital Audio Broadcasting radio receivers integrated into IVIs, as well as authentication flaws in connected lightbulbs that can let data be stolen even from air-gapped networks.
At this stage, they work on:
- Finding the device's default and/or embedded (hard-coded) credentials
- Exploiting protocol bugs by running fuzzing tools such as protocol and parameter fuzzers
- Searching for input validation bugs (e.g., buffer overflows, SQL injection)
There are also several open source research tools that can be abused by hackers to speed up the process, such as Modbus Fuzzer or the CANard tool. Both are hosted on GitHub, a web-based code hosting service.
Figure 2. american fuzzy lop 2.06b fuzzer at work; it feeds large volumes of generated input to the program under test in order to find bugs.
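The input validation bugs listed above, together with the earlier observation that much IoT firmware is C built without safe compiler options, are easiest to see in a small command handler. The following is an added example written for this article, not code from any product, tool or project mentioned here. It handles a constructed "SET devname=<value>" command twice: once in the unchecked style that overruns a fixed buffer when the value is too long, and once with the length and character checks a firmware reviewer would look for. The command format, the 16-byte limit and the function names are all assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Maximum stored length of the hypothetical "devname" setting, NUL included.
 * Both the limit and the "SET devname=<value>" command are constructed for
 * this example. */
#define NAME_MAX 16

/* Unchecked variant, typical of the C code the article describes: the
 * attacker-controlled value is copied into a fixed-size buffer with no length
 * check, so a value of NAME_MAX bytes or more overruns `out` (a buffer
 * overflow). Kept only for contrast; never called with long input here. */
int set_name_unchecked(const char *value, char out[NAME_MAX])
{
    strcpy(out, value);
    return 0;
}

/* Hardened variant: measure with an upper bound, reject anything that would
 * not fit with its terminator, reject control bytes, then copy exactly. */
int set_name_checked(const char *value, char out[NAME_MAX])
{
    size_t len = 0;
    while (len < NAME_MAX && value[len] != '\0')
        len++;
    if (len == 0 || len >= NAME_MAX)       /* empty, or no room for the NUL */
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c > 0x7e)          /* printable ASCII only */
            return -1;
    }
    memcpy(out, value, len);
    out[len] = '\0';
    return 0;
}

/* Parse one command line and dispatch to the checked setter.
 * Returns 0 and fills `out` on success, -1 on any malformed or oversize line. */
int handle_set_line(const char *line, char out[NAME_MAX])
{
    static const char prefix[] = "SET devname=";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    return set_name_checked(line + plen, out);
}

/* Convenience check: 1 if `line` is accepted and stores `expected`, else 0. */
int set_line_yields(const char *line, const char *expected)
{
    char buf[NAME_MAX];
    if (handle_set_line(line, buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one legitimate, one over the limit, one carrying a
     * control byte, one wrong command. */
    const char *lines[] = {
        "SET devname=lamp-01",
        "SET devname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "SET devname=ab\001c",
        "GET devname",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char buf[NAME_MAX];
        int rc = handle_set_line(lines[i], buf);
        printf("%-45s -> %s\n", lines[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The checked variant fails closed: any line that is not exactly the expected command with a short, printable value is rejected before a byte is copied. Build hardening such as GCC's -fstack-protector-strong (a real option, mentioned here as a general recommendation rather than something the article names) can turn an overrun in the unchecked variant into an abort, but only the explicit bound prevents it.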
Taking Over the Device
Hackers can then use attack vectors to hijack the IoT device, including:
- Using exploits or the default username/password to access the device, then finding an internal network from which they can conduct lateral movement
- Building a botnet by implanting a bot on the device and establishing the bot network for further control
- Launching a Distributed Denial of Service (DDoS) attack; DDoS needs a huge amount of traffic to be effective, and widely deployed IoT devices provide a good environment for it. For instance, a botnet composed of thousands of compromised CCTV cameras was recently used as the source of the network traffic needed to perform a DDoS attack
Figure 3. How a TCP/IP exploit can lead to a SYN flood (a form of denial-of-service attack).
- Implanting a bitcoin-mining program; although a single IoT device has little CPU power, infecting many of them in aggregate can supply the heavy processing power needed to mine bitcoins. In April 2014, DVRs used to record video from security cameras were infected with such malware.
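The SYN flood in the denial-of-service item above is visible from the defender's side as handshakes that are opened and never completed. The following is an added example, not code from the article or from any tool it names: it walks a constructed list of observed TCP segments (addresses taken from the RFC 5737 documentation ranges), counts per-source half-open handshakes, and flags sources over a constructed threshold. The record layout, the threshold and the function names are assumptions for illustration; a real sensor would take them from its capture format and tune them to the device's normal connection rate.

```c
#include <stdio.h>
#include <string.h>

/* One observed TCP segment from a client, reduced to the fields the check
 * needs. Layout is constructed for this example. */
struct seg {
    const char *src;   /* client address */
    int syn;           /* SYN set (ACK clear): client opening a handshake */
    int ack;           /* client ACK (no SYN): third step, handshake done */
};

/* Constructed threshold: more than this many outstanding half-open handshakes
 * from one source in the observed window is treated as a flood. */
#define HALF_OPEN_LIMIT 5

/* Constructed capture: 192.0.2.10 behaves normally (every SYN is followed by
 * its ACK); 198.51.100.7 sends SYNs only, the signature of a SYN flood. */
const struct seg SAMPLE[] = {
    { "192.0.2.10",   1, 0 }, { "192.0.2.10",   0, 1 },
    { "198.51.100.7", 1, 0 }, { "198.51.100.7", 1, 0 },
    { "198.51.100.7", 1, 0 }, { "198.51.100.7", 1, 0 },
    { "192.0.2.10",   1, 0 }, { "192.0.2.10",   0, 1 },
    { "198.51.100.7", 1, 0 }, { "198.51.100.7", 1, 0 },
    { "198.51.100.7", 1, 0 }, { "198.51.100.7", 1, 0 },
};
const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

/* Half-open handshakes attributable to `src`: SYNs sent minus handshakes the
 * client went on to complete. */
int half_open_from(const struct seg *segs, size_t n, const char *src)
{
    int opened = 0, completed = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(segs[i].src, src) != 0)
            continue;
        if (segs[i].syn && !segs[i].ack)
            opened++;
        else if (segs[i].ack && !segs[i].syn)
            completed++;
    }
    return opened - completed;
}

/* 1 if `src` exceeds the half-open threshold in this window, else 0. */
int is_syn_flood_source(const struct seg *segs, size_t n, const char *src)
{
    return half_open_from(segs, n, src) > HALF_OPEN_LIMIT;
}

/* Report and count the distinct sources in `segs` that trip the threshold. */
int count_flood_sources(const struct seg *segs, size_t n)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        /* evaluate each source once: skip it if it appeared earlier */
        int seen = 0;
        for (size_t j = 0; j < i; j++) {
            if (strcmp(segs[j].src, segs[i].src) == 0) {
                seen = 1;
                break;
            }
        }
        if (seen)
            continue;
        if (is_syn_flood_source(segs, n, segs[i].src)) {
            printf("possible SYN flood from %s: %d half-open handshakes\n",
                   segs[i].src, half_open_from(segs, n, segs[i].src));
            found++;
        }
    }
    return found;
}

int main(void)
{
    count_flood_sources(SAMPLE, SAMPLE_LEN);
    return 0;
}
```

Counting opens minus completions per source, rather than raw SYN volume, keeps a busy but well-behaved client below the threshold. On a Linux-based device the kernel-side counterpart is SYN cookies (the net.ipv4.tcp_syncookies sysctl), which limit the damage a flood does to the listen queue; monitoring like this tells the operator that one is happening and from where.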
Maximizing the Damage
The hacker can then maximize all possibilities to cause distress to the victim—locking a car's brakes or steering system, distorting a smart TV's screen and preventing normal viewing, or even shutting down an entire rail system. In June 2016, we discovered FLocker, a known Android lockscreen ransomware variant, crossing over to other platforms; it has recently been hijacking smart TVs.
The security of IoT devices has been largely overlooked, as most vendors have focused mainly on performance and functionality. This is exacerbated by the existence of search engines such as Shodan and ZoomEye, which readily provide searchable repositories of potentially vulnerable connected devices and computer systems.
But as IoT adoption among consumers and businesses continues to grow, security in IoT devices is also gaining traction. In fact, global spending on IoT security has been projected to reach $547 million in 2018. Gartner also predicts that 25% of identified cyber-attacks on enterprises will involve IoT by 2020. Tesla and Fiat Chrysler are among those that have taken the initiative by launching bug bounty programs to improve the security of their connected cars. In the U.S., the Automotive Information Sharing and Analysis Center (Auto-ISAC) has collaborated with 15 automobile makers in setting up a list of best practices for their vehicles' cybersecurity.
And while cyber extortion or even ransomware in IoT is technically feasible, it is unlikely to be done in the foreseeable future. Hacking IoT devices involves earmarking time and resources. It also entails personalizing the attack and targeting specific victims, enterprises or industries from which the attackers can monetize their operations through extortion. This can be unviable, especially for malefactors such as ransomware operators, whose hit-and-run business models work by trying to gain quick ROI from as many victims as possible.
Nevertheless, the growing adoption of IoT devices, the relative ease of exploiting their security flaws and the seeming profitability of extorting their owners are a daunting combination. And while there is no silver bullet for completely securing the vast network of connected devices, countermeasures such as performing a security audit when designing IoT software/hardware, setting up security gateways, adding endpoint monitoring and utilizing real-time log inspection can help mitigate the risks.
With additional insights from Martin Roesler.