The Internet of Things promises added convenience, efficiency – and insecurity.
This year will see a big increase in attacks on “things” connected to the IoT, believe many security experts.
“2016 will be the biggest year we have seen so far of ‘things’ being hacked. … The blood is in the water and hacking ‘stuff’ is more interesting than finding bugs in a Web browser,” said Chris Rouland, founder and CTO of Bastille, a provider of threat detection software for IoT devices. “Enterprises will start to find that compromises are entering their networks through things such as wearables, m2m communications and industrial control systems.”
Hackers are developing new techniques that leverage the IoT, said Tim Liu, CTO of network security provider Hillstone Networks.
“Traditionally, cyberattacks target companies to steal information. Today people are using more connected devices, home surveillance, wearable, home appliances and automobiles. Companies are also bringing control systems online to improve communication and increase productivity,” Liu said. “… For the past year, we have seen ransomware and extortion against individuals. We have also seen attacks on control systems in manufacturing and utilities that disrupt service and operation. In 2016, we will see more cyber-crimes that are committed by a combination of online hacking with offline activities.”
IoT and Network Backdoors
It didn’t take long. Less than two weeks into the New Year, security researchers from Vectra Threat Labs, part of automated threat management provider Vectra Networks, published a blog post that detailed how they used a $30 webcam to establish a persistent point of access into a network.
Such IoT-connected devices are of particular concern, wrote the researchers, because they can offer hackers full-time access to the network without having to infect a laptop, workstation or server, all of which are usually protected by firewalls, intrusion prevention systems and malware sandboxes in addition to running antivirus software that is updated regularly.
“On a tiny device, there is no anti-virus and no endpoint protection,” they wrote. “In fact, no one thinks of the device as having software on it at all. This makes these devices potentially inviting for persistent attackers who rely on stealthy channels of command-and-control to manage their attacks.”
To show the relative ease of launching such an IoT attack, the researchers bought a D-Link WiFi Web camera, which they then reprogrammed to serve as a network backdoor without affecting its operation as a camera.
“The irony in this particular scenario is that Wi-Fi cameras are typically deployed to enhance an organization’s physical security, yet they can easily become a network security vulnerability by allowing attackers to enter and steal information without detection,” said Gunter Ollmann, CSO of Vectra Networks.
While the research was conducted using a D-Link device, Ollmann said other Web-based cameras possess similar design vulnerabilities.
“The design of many mass-produced consumer-level electronics is very similar. Devices that can be easily attached to the network and remotely controlled or managed via the Internet tend to be soft targets,” he said. “The design of circuit boards, chipsets and the requirement for software updates combined into a simple and environmentally reliable package limits design options. It doesn’t help that many of the popular ‘small footprint’ operating systems popularly used for mass-produced network devices are poorly secured themselves.”
The biggest downside for attackers, wrote the researchers, is the lack of persistent storage in devices like webcams. “Instead, they use nvram to store configuration and the flash ROM to store the running code. So the attacker’s hope for real persistence rests on being able to control what will be in the flash ROM,” they wrote.
Despite this challenge, hacks on devices like webcams will likely be more widespread than attacks on devices such as networked refrigerators or automobiles, said Ollmann. While scary, the latter kind of attack is largely “stunt hacking,” he said.
In contrast, he said, “From a criminal hacker’s perspective, the prospect of subverting cheap and ubiquitous IoT technologies such as webcams – which are widely deployed in both residential and commercial capacities – is a highly desirable target. More to the point, devices that can be hijacked and serve as backdoors, yet be popular second-hand items or items that can be easily concealed and physically deployed or swapped with an existing installation, are vital tools in organized crime and espionage. “
While a wide variety of security products can be used to protect desktop computers, laptops and smartphones, such technologies are not yet available to protect the growing number of other devices now being added to networks, Ollmann said. “The whole realm of IoT security is in its infancy and, as a consequence, currently exposed to a rapidly expanding number of threats that cannot yet be efficiently mitigated.”
Vectra’s researchers disclosed the vulnerability to D-LInk last month, in early December. As of last week, the company had not yet provided a fix, the researchers noted in their blog post.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.