Threat Research

2019 predictions: The internet of (vulnerable) things

Threat Intelligence Team, 7 January 2019

Avast experts walk you through next year’s most menacing IoT threats in part 1 of our 2019 predictions.

A chain is only as strong as its weakest link. This is also true in the world of security. This year, we tracked a growing threat trend — that when just one device in a home or small business (usually the router) is compromised, then the rest of the devices on the network become easy to compromise. With connected devices — known as the internet of things — growing faster than any device category in history, it’s increasingly difficult to buy appliances and home goods that do not have a connection to the internet.

From connected lights to coffee makers and smart speakers to door locks, IoT devices will continue to drive a class of attacks aimed at exploiting their weaknesses in configuration, security flaws, and consumers’ low interaction with their settings. Therefore, the main theme of our predictions is based on how infiltrating an IoT device could easily lead to breaking into the perimeter where IoT devices with compromised modems reside.

As we begin the new year, we are publishing a 3-part series on 2019 predictions. We will cover IoT, mobile threats, and AI in these posts, all developed from insights and analysis by the Avast Threat Intelligence Team. In this first post, we are focusing on our top IoT threat predictions for 2019, including those from 2018 that continue to present challenges.

avast-protection
Summary of 2018 attempted attacks by device and types of attacks blocked on a monthly basis

The internet of (vulnerable) things

The category of IoT is rapidly expanding, and for good reason — while a person typically has one laptop and mobile phone, they may have a multitude of connected devices in their home from doorbell, to entertainment, to home security. According to Juniper Research, the number of connected devices is expected to top 38.5 billion by 2020.

Here’s a peek at the brands and services that a smart home like that could encompass:

Avast_Security_Predictions_Smart_Home

The trend toward smart devices will be so pronounced in the coming years that it will become difficult to buy appliances or home electronics that are not connected to the internet.   

As much of our research has shown, security is unfortunately quite often an afterthought in the manufacturing of these devices. While many of the biggest brand-name smart devices do come with reasonable security embedded, some developers skimp on security to keep costs low for consumers, a mistake considering a smart home is only as safe as its weakest link. History tends to repeats itself, and just as PC and mobile malware evolved, we expect to see IoT malware become more sophisticated and dangerous.

Router attacks

Anyone whose home is connected to the internet has a router to which they connect their computers, phones, and IoT devices. Routers are ubiquitous and important, but rarely maintained with the latest security standards. In fact, once an internet service provider installs the router, most people never give it a second thought, unless they experience internet disruptions.

Avast research shows that 60% of users worldwide have either never logged in to their router or have never updated their router’s firmware, leaving them potentially vulnerable to fairly simple attacks. The major problem here is that when an attacker uses a known vulnerability or weak authentication credentials to access a router, they gain access not just to the router, but to all devices connected to its network as well.

Routers have proven to be simple and fertile targets for a growing wave of attacks. While many attacks against routers use variants based on the Mirai codebase (which was released by the creator shortly after the successful attacks of September 2016), many are far more complex and point to a murky future for home network security.

Not only have we seen an increase in router-based malware in 2018, but also changes in the characteristics of those attacks. Where router-based malware has traditionally taken over a device for the purposes of carrying out a DDoS attack, such as the Mirai attacks, today’s attacks use malware to infect a device and open up a line of communication to a C&C (command and control server), without taking any immediate action.

We saw this with VPNFilter and Torii; once the router is infected, these malware strains listen to the network traffic, fingerprint the network and the devices on it, and allow for the C&C to send new payloads or instructions to the device. In this, the malware acts more like a platform and less like a virus. This “platform-ification” of malware opens up many possibilities such as pay-per-install as well as DDoS-for-hire or even good old-fashioned spam.

Downstream effects of router vulnerabilities

Routers will continue to be targeted, not just to run malicious scripts or spy on users, but also to be used as an intermediate link in chain attacks. In the case of the Mikrotik campaigns, a simple re-configuring of the router ended up affecting the entire internal network. The malware served JavaScript miners to all the browsers behind the router.

This attack also showed a potentially more worrisome trend, as these routers are not just in our homes, but also used by many smaller internet service providers. There is potential for an infected router to infect many hundreds or thousands of downstream devices. Further, it would be very difficult to figure out where the infection is coming from.

More modular IoT malware

Just as PC malware was very simple in its infancy, most IoT malware has been built for a very narrow purpose, such as to gather botnets for a DDoS attack. But like PC malware, IoT malware will learn and adjust its modus operandi from “one-trick” malware to multipurpose malware platforms capable of supporting organized pay-per-install campaigns.

There are benefits to infecting and then keeping a low profile, rather than immediately monetizing the network. After getting a large volume of IoT devices under control, malware authors can repurpose their bots to do whatever they see fit (or whatever would be most profitable).

More sophisticated spreading techniques

We expect to see more and more malware that will infect IoT devices from the browser. Browser-based attacks on personal computers and mobile phones, called Cross Site Request Forgery, are found in the wild, but are not yet very common. In this scenario, a user visits a page with malicious Javascript, which will scan the user’s local network, find a vulnerable device, and infect it. It could be a valuable way to infect a device that is not visible from the internet, for example a device behind a NAT (Network Address Translation).

IoT malware as proxy

Right now, IoT malware authors typically monetize their deeds through cryptomining or DDoS-for-hire attacks, but this is not the most profitable approach. We think more and more IoT malware authors will begin infecting more powerful and interesting devices, like mobile phones, tablets and PCs.

An example would be infecting the router to inject JavaScript or any other malicious payload into the traffic delivered to the user. It could also be used as a proxy to connect and carry out attacks on other internet users or devices. By using a chain of infected devices that barely have any logging capabilities, attackers can disguise their original location, similar to how anonymization proxies work.

IoT malware will drop support for x86 architecture

x86 is one of the most common backward-compatible instruction set architectures and has been in use since Intel introduced it in the late 1970s. However, as more devices operating on alternate frameworks become available, it is logical that malware authors will stop including the x86 step to make reverse engineering harder for security vendors. There are many sandboxes for PEs (portable executables) and x86 ELFs (Executable and Linkable Formats), but the majority of them struggle to support other architectures.

Despite the warnings inherent in these predictions, we believe the burgeoning IoT-verse marks a thrilling moment in our techno-evolution. Just make sure you stay smart and security-conscious with each new device you allow into your life. To be better prepared for the technological landscape ahead, download and read the full 2019 Avast Predictions report.