Recent distributed denial-of-service (DDoS) attacks involving the use of thousands of compromised digital video recorders and IP cameras have highlighted the looming security threat posed by the Internet of Things (IoT).
Analyst firm Juniper Research estimates that between now and the end of 2020, the number of "things" connected to the Internet will grow from 13.5 billion to 38.5 billion units, an increase of over 285%.
Home appliances such as smart fridges, TVs, entertainment systems, security cameras, and smart heating and lighting systems will account for a lot of the growth. But a majority of it will come from the industrial and public sector in the form of network-enabled devices embedded in smart buildings, farm equipment, the utility grid, and other areas, according to Juniper.
Security researchers worry that as more things get connected to the Internet, adversaries will have an almost infinitely larger surface from which to launch new types of attacks.
That’s because devices that are becoming part of the IoT have few security protections against network-borne threats and are often easy to exploit. For the moment at least, there are no standards prescribing security requirements for IoT devices, especially in the consumer space.
“Internet-connected devices are being churned out of factories and infected by malware or malicious code at an alarming rate,” says Jose Nazario, director of security research at content distribution network Fastly.
IoT devices offer bandwidth and CPU resources at virtually no cost to the attacker. Over the next few years, "as non-secure IoT devices amass, cybercriminals will have much greater resources available to launch new attacks more rapidly and at larger scale," he predicts.
In the past few years, researchers have demonstrated various proof-of-concept attacks against everything from network-connected baby monitors to connected cars. The demonstrations have shown how attackers can exploit poorly protected IoT devices to cause physical damage, to spy on people, and to launch massive denial of service attacks.
The following is a list of IoT devices in no particular order that have either already been exploited by attackers, have been demonstrated to be vulnerable, or are the most likely candidates for future attacks.
Of all the Internet-connected devices in homes these days, the network router continues to be by far the most targeted in attacks. "Most Internet routers — the keystone to your home network — are riddled with security issues, which makes them … easy picking for hackers," Avast Software said in a blog post earlier this year.
The blog pointed to a study of 653 IT professionals and about 1,000 remote employees conducted by Tripwire, which showed 80% of the top-selling small office home office wireless routers had security vulnerabilities. Published exploits were freely available for thirty-four of the top 50 SOHO routers in the study.
More than 50% of all routers worldwide had default or basic username and password combinations, like "admin" and "password," while an additional 25% had the user's address, birthday or name as the password, Avast had noted. "As a result, more than 75% of all routers are vulnerable to simple password attacks, which is basically an open invitation to malicious hackers."
Not surprisingly, attackers have begun taking advantage of vulnerable home routers to create botnets for relaying spam and launching DDoS attacks. One of the largest-ever DDoS attacks to date — on the KrebsOnSecurity website recently — is in fact believed to have been enabled by thousands of compromised home routers and IP cameras.
The near-ubiquitous set-top boxes, which people use in their homes to record TV shows, have become another favorite target for attackers. Compromised DVRs have been linked to recent massive DDoS attacks, and researchers have warned of attackers creating large botnets of such devices for use in various malicious ways.
As with home routers, DVRs often ship with poor to nearly nonexistent security controls. Many are connected to the Internet with hard-coded or default passwords and usernames. Often DVRs from multiple manufacturers integrate components from the same supplier. As a result, a security flaw in one product is likely to exist in another vendor's product as well.
Security vendor Flashpoint recently analyzed malicious code that was used in DDoS attacks involving IoT devices. The company discovered that a large number of DVRs being exploited by the malware were preloaded with management software from a single vendor. The supplier sold DVR, network video recorder (NVR), and IP camera boards to numerous vendors who then used the parts in their own products. Flashpoint estimated that more than 500,000 network-connected DVRs, NVRs, and IP cameras were vulnerable to the attack code because of a vulnerable component from a single vendor.
In January 2014, a researcher at security vendor Proofpoint who was analyzing spam and other e-mail-borne threats discovered at least one Internet-connected refrigerator being used to relay spam.
The incident was the first to offer proof of what analysts have for some time been stressing: the startling vulnerability of many network-enabled devices being installed in homes these days such as smart fridges, TVs, digital assistants, and smart heating and lighting systems.
"Refrigerators, personal assistants, and TVs have enough processing power to be used in botnets or to be used as access points to the rest of the network," says Lamar Bailey, senior director of security research and development at Tripwire, which has broken into many such devices in proof-of-concept attacks.
Such devices pose a threat in the enterprise context as well, says Pedro Abreu, chief of strategy at ForeScout Technologies. For example, a connected fridge in an office break room could provide an unexpected gateway to systems containing corporate data.
"This isn’t about hacking the fridge, it's about hacking through it to gain network access," Abreu says. "Since the connected fridge is on the corporate network, which also connects to enterprise apps, it can be leveraged and exploited by hackers to gain valuable corporate and customer data," he says.
“We are most concerned with the ‘unusual suspects’ – those devices that seemingly pose no security risk on the surface, but when you look closely, are dangerously vulnerable.”
Vulnerabilities in wireless-enabled implantable medical devices such as insulin pumps, pacemakers, and defibrillators make them tempting targets for malicious attacks. In recent years, security researchers have shown how attackers can take advantage of unencrypted and generally weak communications protocols in such devices to gain remote control of them and to get them to behave in potentially lethal ways.
In 2013, former Vice President Dick Cheney’s doctors even disabled the wireless capabilities on his pacemaker out of fear that attackers could break into it.
Just this October, consumer giant Johnson & Johnson was forced to alert users of its Animas insulin pump of a potential problem after a security researcher at Rapid7 showed how an attacker could take advantage of weaknesses in the device’s wireless management protocol and pairing protocols. The vulnerability would have let an attacker gain remote access to Animas pumps and get them to release lethal doses of insulin to the wearers of the device.
The effort needed to carry out such attacks is relatively low, says Sam Rehman, chief technology officer at Arxan.
“Innovation is driving a lot of products to the market, therefore increasing attack surfaces,” Rehman says. “With more and more devices connecting to and opening lines of communication, it’s clearly reducing the effort and skill set required for hackers to gain access and wreak havoc,” with medical devices.
Few people think of the Supervisory Control and Data Acquisition (SCADA) systems that are used to manage industrial control equipment and critical infrastructure as being part of the IoT, but they are. And just like many other IoT devices, they are vulnerable as well.
Until relatively recently, SCADA systems were not connected to the Internet and therefore didn’t really require the same kind of security controls that other Internet-connected systems have. However, with many of them getting network-enabled in recent years, the relative lack of controls, including hard-coded passwords and poor patching processes, has become a big problem.
“Industrial controllers — SCADA systems that have been in place that are difficult to update — are especially ripe for attacks,” says Rod Schultz, vice president of product at Rubicon Labs. “Any control system that controls any type of kinetic energy — water, electricity, nuclear power — or business critical information such as banking and financial data, should be assumed to be a target.”
Attacks on such systems could have substantial physical consequences. As far back as 2007, researchers have demonstrated how attackers could destroy power grid equipment by going after the SCADA systems controlling such equipment. But physical damage is not the only concern.
Attackers could use compromised SCADA systems in DDoS attacks or in ransomware attacks, Schultz says. “IoT attacks will be turned into profit centers,” he says. “Financial systems are obvious targets of course, and we see SCADA systems as major and vulnerable targets too.”
Consumer products that are used to monitor babies are another category of IoT devices that are vulnerable to attacks and compromise.
Security vendor Rapid7 last year examined several network-connected video baby monitors and associated cloud services from multiple vendors and uncovered 10 vulnerabilities across them.
The problems uncovered included hard-coded passwords, unencrypted communications, privilege escalation, easily guessable passwords, backdoor accounts, and flaws that would have let an attacker alter device functions.
The vulnerabilities let attackers hijack video sessions, or view video stored in the cloud, or gain complete administrative control of the baby monitor. All of the flaws were easy to exploit and would have given attackers varying degrees of remote control over compromised devices.
In announcing the vulnerabilities, Rapid7 noted how such vulnerable devices could pose a threat to any computer connected to the home network, including those used by remote workers.
An infected IoT device could “be used to pivot to other devices and traditional computers by taking advantage of the unsegmented, fully trusted nature of a typical home network,” Rapid7 had warned.
Like SCADA systems, not many people are likely to think of cars as being part of the IoT. But the reality is that modern cars feature numerous components that are network-accessible and exposed to network-borne threats.
As with many other IoT threats, there have been no publicly known instances where attackers have managed to exploit a poorly protected electronic component in a connected car to wreak damage. But security researchers have demonstrated multiple times just how real the threat is.
The most dramatic examples continue to be from security researchers Chris Valasek and Charlie Miller from Uber’s Advanced Technology Center. Over the past two years the researchers have shown how they could exploit weaknesses in the controller area network of a Jeep Cherokee to gain remote control of the vehicle’s accelerator, braking, and steering systems. The researchers have demonstrated proof-of-concept attacks on Toyota and Ford models as well.
http://www.darkreading.com/endpoint/7-imminent-iot-threats/d/d-id/132723...