The COVID-19 pandemic has supercharged the steady growth in IoT devices as people spend more time using tech for work and personal use and businesses seek new ways to increase efficiency. While IoT device security is already a major concern for cybersecurity professionals, this rise in usage has been accompanied by a surge in attacks on IoT devices and networks. Research shows that while other types of attacks are decreasing, attacks on IoT devices could be growing by as much as 300%. One research firm counted nearly three billion attack events on its detection networks in the first half of 2019 alone.
Why IoT devices are vulnerable
Besides their increased popularity, a major reason hackers have started to shift their attention to IoT devices is their relatively weak security. IoT device security standards are still emerging, and the devices' limited processing power means typical security measures, like antivirus or malware protection, cannot be applied. What are some of the core vulnerabilities that affect IoT device security?
Once installed, IoT devices often get left to fend for themselves against attacks. Manufacturers may not build in easy update mechanisms for software and firmware or, if they do exist, they may not be secure. If update code is not digitally signed and transferred securely, the update code itself could be tampered with and used to deliver an attack.
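To make the signing requirement concrete, here is an added example (not from the original article or any vendor's tooling) that uses the OpenSSL command line to sign a firmware image and to reject a tampered or unsigned one before install. The key, file names and firmware contents are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed key, firmware image and signature; all names are hypothetical.

# Vendor side (build server): sign the firmware image with the private key.
sign_update() {    # sign_update <private-key.pem> <image> <signature-out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Device side: accept the image only if the signature verifies against the
# public key provisioned on the device. Returns 0 on success, non-zero otherwise.
verify_update() {  # verify_update <public-key.pem> <image> <signature>
    [ -s "$2" ] && [ -s "$3" ] || return 2   # missing or empty image/signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Install gate: an image that fails verification never reaches the flasher.
install_update() { # install_update <public-key.pem> <image> <signature>
    if verify_update "$1" "$2" "$3"; then
        echo "ACCEPT"
    else
        echo "REJECT"
    fi
}

# --- Constructed demo data ---
WORK=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/vendor.key" 2>/dev/null
openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null
printf 'firmware v1.2.0 payload (constructed sample)\n' > "$WORK/fw.bin"
sign_update "$WORK/vendor.key" "$WORK/fw.bin" "$WORK/fw.sig"

# An image modified in transit: same signature file, one appended line.
cp "$WORK/fw.bin" "$WORK/fw_tampered.bin"
printf 'injected\n' >> "$WORK/fw_tampered.bin"

echo "original: $(install_update "$WORK/vendor.pub" "$WORK/fw.bin" "$WORK/fw.sig")"
echo "tampered: $(install_update "$WORK/vendor.pub" "$WORK/fw_tampered.bin" "$WORK/fw.sig")"
echo "unsigned: $(install_update "$WORK/vendor.pub" "$WORK/fw.bin" "$WORK/missing.sig")"
```

Only the public key lives on the device; the private key stays on the build server, so a compromised device cannot be used to sign new images.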
Insecure data storage and transfer
Devices increasingly contain and transmit valuable data that makes them an attractive target for attack. Insufficient authentication controls and weak encryption can expose this data at multiple points. Not only can data be stolen, but it may include information that can be used for further attacks.
Though it might seem like Cybersecurity 101, security professionals still cite weak or easily guessable passwords as one of the biggest issues affecting IoT device security. Default login/password pairs such as support/support or admin/admin are still common, potentially handing over complete control of a device.
Poor device management
Monitoring and managing devices once they have been deployed is critical to ensure a secure environment. Inadequate device management can lead to vulnerable or even compromised devices in the network. It also puts the system at risk from rogue or counterfeit devices installed without authorization.
Top IoT attacks so far
Given these and other serious vulnerabilities in IoT device security, it’s no wonder that the attacks are racking up. Here are some of the most notable attacks on IoT devices that everyone in the field should know.
145,000 IoT devices attack French telecom
OVH is a French telecommunications company. In 2016, they suffered what was then the biggest DDoS attack ever, at 1.5Tbps. This attack originated from a botnet of around 145,000 IoT devices, including cameras and digital recorders, and signaled the huge destructive power of unsecured IoT devices. This botnet, known as Mirai, was initially thought to be the work of nation-state actors. Investigations later found it was actually some college kids who targeted this massive attack at OVH so they could knock out Minecraft servers.
Hackers selling private camera footage online
While home IoT cameras are supposed to improve security or help keep an eye on young children, they have rapidly become a security nightmare. Horror stories about IoT camera hacks abound, including the recent major revelation that a group of hackers claims to have control of over 50,000 cameras. The group is selling access online for $150, allowing “subscribers” to watch and record whatever the camera sees.
14-year-old bricks thousands of devices
In this case, a young hacker created malware that searched for IoT devices with weak password controls. Once the malware gained access, it sabotaged the device and made it unusable. Though it ran only for a few hours, the malware affected over 4,000 devices, leaving their owners with a useless brick of former technology. The 14-year-old creator of the malware abruptly stopped as he reportedly hadn’t expected so much destruction.
Set of vulnerabilities could affect billions
JSOF, a small Israeli security firm, identified a package of IoT device security flaws in a TCP/IP software library from Treck, Inc., which they called Ripple20. The zero-day vulnerabilities affected a huge number of IoT devices, ranging from potentially hundreds of millions to billions. Without proper mitigation and a means to securely update these devices, the flaws could lead to remote code execution, device hijacking, data theft, network breaches, and more.
Malware hiding in devices for years
Cisco uncovered at least half a million IoT devices infected with a deep-sleeping malware that can hide for years before activating and attacking its host. The hacking campaign targeted popular routing and networking devices. In its attack phase, it was capable of stealing and exfiltrating data as well as executing commands and ultimately bricking the device. The fact that it remained undetected for so long raised serious worries about the stage of the development process at which the infection had occurred.
Take control of your IoT device security
Attacks on IoT devices will only continue to grow, as will the consequences for both manufacturers and their customers. One of the most effective methods to secure IoT devices involves using PKI to establish cryptographically secure identities.
As one of the leading providers of PKI for IoT, Intertrust has more than a decade of experience in helping manufacturers and vendors build more secure IoT devices. To learn more about using PKI to create secure IoT device identities, read the white paper.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.