In one of our predictions for 2018, we said the IoT threat was going to go mainstream. Not only can the industry expect to see IoT devices used as an attack vector; these devices also provide a means of creating an attack of potentially unbelievable size. The IoT threat is something most of us did not consider in the past, but today it is at the top of the list of threats the Internet faces.
There is no doubt that consumer IoT adoption is accelerating at an incredible rate. According to NPR and Edison Research, 16% of Americans own a voice-activated smart speaker (e.g., Amazon Echo, Google Home, etc.), a segment that is up 128% from January 2017. That equates to over 50M people who have adopted this type of IoT device in the U.S. alone.
Although we’re not saying that the next IoT-based mega botnet will be made up of smart speakers, their rise in prevalence will certainly be a factor. Hackers have already begun developing new exploit kits designed to take advantage of the “vulnerabilities” found in the underlying operating systems and applications that IoT devices run, rather than relying on lists of default usernames and passwords, as the original version of the Mirai malware did.
For example, hackers released Satori on Pastebin over the holidays. This particular malware was designed to take advantage of a zero-day vulnerability in Huawei home routers (model HG532). Satori is a variant of the Mirai malware that’s packaged with exploits that can cause remote code execution and easily compromise these vulnerable devices. Huawei has released a patch; however, if ISPs that use these home routers do not patch ASAP, the routers in their networks are likely to be compromised and added to botnets.
Since IoT devices run commercially available operating systems and software in many cases, there are likely a large number of vulnerabilities that have yet to be discovered. Expect large numbers of exploit kits to be released in 2018 that will enable hackers to exploit known and unknown vulnerabilities in IoT devices. Once these devices are exploited, hackers will be able to take over large numbers of them worldwide and use them to attack others, often without the IoT owners even knowing it.
Earlier this week, security researchers found yet another new variant of Mirai called Okiru. This Mirai strain is the first known piece of malware targeting devices that run ARC processors. These processors are found in a wide range of devices including smart phones, TVs, autos, cameras, and a host of other IoT devices. They are reportedly embedded in more than a billion products every year.
In another interesting turn of events concerning IoT devices and botnets, a draft report to the President on “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” was released for public comment on January 5th, 2018. The document highlights the following themes:
- Automated, distributed attacks are a global problem. The majority of the compromised devices in recent botnets have been geographically located outside the United States.
- Effective tools exist, but are not widely used. The tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, if imperfect, and are routinely applied in selected market sectors.
- Products should be secured during all stages of the lifecycle. Devices that are vulnerable at the time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated threats far too easy.
- Education and awareness is needed. Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools and practices that would make the ecosystem more resilient.
- Market incentives are misaligned. Perceived market incentives do not align with the goal of dramatically reducing threats perpetrated by automated and distributed attacks.
- Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.
The draft report responds to the May 11, 2017, Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. That order called for resilience of critical infrastructure against botnets and other automated, distributed threats. This effort by the U.S. Government was initiated after the Mirai botnet attacks of late 2016.
According to the report, “The DDoS attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component in many DDoS mitigation strategies. This attack also highlighted the growing insecurities in—and threats from—consumer-grade IoT devices.” The final report is due to the President on May 11, 2018.
If that isn’t somewhat concerning, just last week the World Economic Forum released their Global Risks Report for 2018. According to their website, “The World Economic Forum, committed to improving the state of the world, is the international organization for public-private cooperation. The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.”
In the report, they list Extreme Weather Events, Natural Disasters, and Cyberattacks as their top three most likely global risk conditions for 2018. Hearing that cyberattacks are in their top three is very disturbing, seeing that the other two risk conditions often result in the loss of innocent lives. Concerning cyberattacks, IoT, botnets, hackers, etc., no one can say for sure what will happen next in 2018, but one thing is evident: 2018 is going to be a tumultuous year.