Threat Research

The dark side of IoT devices

Michal Salát, 16 October 2017

IoT devices offer so much convenience yet pose so much risk.

Internet of Things (IoT) devices can be anything from coffee machines to fitness watches to thermostats, all of which are designed to make our lives more convenient, but what happens when they turn bad? Hard to imagine, but these innocent devices, which we are welcoming into our lives, can be unwillingly infected or hacked and thus join the dark side.

Robot + Network

IoT devices can be forced to become bots that blindly follow commands, to commit crimes as part of a botnet. A botnet is a network of infected devices that are abused by an attacker to perform tasks like carrying out DDoS attacks, Bitcoin mining, and spreading spam emails. Pretty much any device connected to the internet can be infected and become part of a botnet. IoT devices are often recruited to become bots, because they are weak when it comes to security and are therefore easy targets to infect.

At the moment, botnets are mostly being used to carry out DDoS attacks and to mine for cryptocurrencies (which we have even seen run on DVRs), but they are capable of making hundreds of thousands of IoT devices do much more. Botnets can send spam messages, which can be anything from phishing emails that contain malware that can lead to password or financial theft, to pump and dump schemes that try to convince people into buying stock from certain companies. Botnets can also carry out click-jacking campaigns, distribute fake advertisements, and even worse, infect other IoT devices.

Dark things hide in dark places

Like most malware, botnets can be found on darknet marketplaces. Botnets can be rented, while botnet source codes can be purchased or even leaked, as was the case with the Mirai botnet. Prices vary between tens and hundreds of dollars, depending on the type of service, the amount of bots/devices available to use in the botnet, and in the case of a DDOS attack, pricing depends on the strength and duration of the attack.

Due to the competitive nature of the darknet, some botnets compete against one another. If an IoT device is already infected, another botnet can attempt to replace the infection with its own code and in some cases also "repair" the security vulnerability used by the previous botnet to prevent re-infection and persist its position on the vulnerable device.

IoT devices turning bad

At the moment, IoT devices performing tasks as a botnet may not seem too critical, but what can happen if cybercriminals decide to go a step further?

We already know that it is possible to infect entire IoT networks by infecting a single device, as proof-of-concept attacks that demonstrate this have been done. In one example, researchers modified the firmware of a light bulb and were then able to alter the firmware of neighboring smart light bulbs. In the other example, researcher Cesar Cerrudo proved he could hack a vehicle traffic control system to alter traffic flow. In his Def Con presentation, Cesar explained that he could infect traffic sensors located in streets with a firmware update worm, which could then further infect other sensors.

These proof-of-concept attacks may seem innocent, until we consider the fact that smart cities are being developed and in a few years, cities around the world could be completely connected. If these IoT devices and systems aren’t properly secured, hackers, nation states, and even terrorists could gain control of them and cause complete chaos in cities, by controlling all the lights or traffic flow, just to name two examples.

In addition to IoT devices being hacked to carry out attacks on cities, we could see IoT devices be the next targets for ransomware attacks. When a hotel’s computer system was infected with ransomware in February, guests were locked out of their rooms, because the system infected happened to also be the system used to program the electronic key cards. Now imagine if your smart thermostat were infected with ransomware, would you pay to the ransom to regain access to it to regain control of the temperature of your home?

Not only could cybercriminals target smart home devices with ransomware, but they could also carry out targeted attacks against high-profile persons or industrial plants and factories.

I(oT) spy with my little eye

A totally neglected risk when it comes to IoT devices is the possibility of personal data leakage as well as the tracking of movement of devices. Think about how much information an IoT device can collect: webcams can see whatever they are pointed at, smart TVs and personal assistants can pick up sound, and smart cars can give clues to whether or not someone is home.

The amount of data an IoT device collects depends on the device, but the way data is sent back to device manufacturers and how they store the data, is up to the manufacturers. The trend today is to have everything in the cloud, and this is the direction IoT devices are moving in as well. Basically, the sending of commands to an IoT device via a mobile phone can travel around half the world and go through several servers before an action is carried out. This information could be intercepted or rerouted to a malicious server, and be abused if not properly secured. Furthermore, hackers can breach data stored by manufacturers to collect a mass amount of personal information, which depending on the device, can include type of device, IP address, other devices connected to the network, location and more.

Hackers, of course, don’t need to hack into a company’s server to gather information about you, they can go directly to the source instead. IoT search engines where one can find a huge amount of vulnerable IP cameras that can be tapped into by just about anyone exist. These cameras are in stores, factories, warehouses, parking lots, but also in houses, garages, bedrooms, and living rooms. People who use these “public” cameras don’t have the slightest suspicion that others may be watching their every move.

Imagine if a hacker gained access to all or most of the IoT devices in someone’s home. They could track their movement, listen in on private conversations to then carry out a targeted attack against this person, or sell the information they collect on the darknet for others to abuse.

The future of IoT devices

The total amount of IoT devices is rapidly increasing and it is difficult to predict what other commonly used things will be connected to the wild IoT world. With the increasing amount of smart devices, there is a growing number of possible attacks. Many of these devices are essentially miniature computers connected to the internet or other networks, with their own operating systems and the ability to perform quite complex computational operations, making them more powerful than we sometimes think.

The more we surround ourselves with IoT devices, the more motivation cybercriminals will have to target them. We can all imagine how individual smart devices could be abused and the major problems that could occur if manufacturers do not begin to pay attention to securing their products. The IoT sector is still relatively young, and we hope that over time, we will reach a point where connected device security will dramatically improve.Previously published at IoT Institute.