History is a funny thing. It tends to repeat itself.
In the 1990s PC-based cybercrime started as "benign" DDoS attacks and pranks by young programmers showing off their skills, aided by the non-existent security posture of Windows-based computers. (We can all look back fondly on benign worms like the "Kournikova Worm".) However, by the late 90s and early 2000s cybercrime organizations started to monetize vulnerabilities by releasing targeted malware and spyware viruses/worms that spread rapidly. "Phishing" became a highly lucrative business. "Love Letter", "MyDoom" and "Conficker" were a bit more nefarious. As Patrick Gray, the host of "Risky Biz", has astutely pointed out on several of his shows, we are going to see the same evolution with IoT!
Just like with PC-based malware, this evolution happens in waves as both the general public and cybercrime organizations collectively come to realizations about the impact of mass-scale compromises with botnets.
1st Wave: Curiosity and Novelty
In 2012 an anonymous researcher performed the "Internet Census of 2012". This was an effort not just to scan the entire publicly accessible internet but also to scan "internal" networks. To accomplish this, the researcher built a botnet of 400,000+ embedded devices and used those devices to carry out the scan. While the ultimate use of the botnet was benign, many in the security industry saw this as the first rumblings of an imminent seismic shift.
2nd Wave: Distributed Denial of Service Using IoT
In October of 2016 we saw some of the largest DDoS attacks ever, powered by IoT-enabled botnets: botnets comprised of consumer IoT devices first took down KrebsOnSecurity and, a week later, Dyn, which provides DNS services for websites such as GitHub, Reddit, Netflix, etc. While that was more of an inconvenience, future attacks may be far more costly.
3rd Wave: Monetized IoT Malware
There are several ways of monetizing an army of bots: DDoS for hire, ransomware, email spam, as well as ad click fraud. While botnets are not new, the abundance of insecure (and insecurable) Internet of Things devices gives this problem a new scale. A recent paper looked at how industrious botnet operators are tapping into society's vanity and social media obsession to profit from Instagram "follows".
4th Wave: What's Next?
As we shift from unsophisticated actors to professional (and possibly state-sponsored) attacks on embedded devices, the stakes get higher. There have been reports of IoT devices coming preinstalled with cryptocurrency miners and other kinds of malware. Cybercrime gangs are clever at finding ways to make money with different kinds of access. We sometimes forget that IoT is everywhere: not just in our homes, but connected industrial control systems (ICS) automate our factories and power plants. (Remember: "ICS is IoT"!) Our doctors rely on smart medical equipment and our cities are becoming "smart cities".
Imagine all the kinds of IoT or ICS specific ransomware that could exist. Scary stuff...
Until recently, IoT security was deemed superfluous and unnecessary: who would want to hack my WiFi camera? By themselves IoT devices don't have a lot of information or computational power; in the aggregate, however, they are a force to be reckoned with, as Mirai recently demonstrated. Also, how does that threat model change if those cameras are pointed at point-of-sale devices or bank safes? These devices "do more" in the physical world than our laptops/desktops do. So what happens when these innovative and clever cybercrime groups figure out ways to leverage the pervasiveness of IoT and ICS?