Bots vs humans : the mobile malware challenge

Is it possible to give manufacturers an incentive to secure IoT devices at production?

As news of botnet malware attacks becomes more frequent, it feels as if Artificial Intelligence is running wild while humans dither behind. But is it possible to give manufacturers an incentive to secure IoT devices at production – and will this stop hacks from taking place?

The Internet of Things has generated lots of excitement from consumers and businesses alike, so much so it has an almost mythical quality in terms of its potential. To take an example: A business showing off its AI-voice controlled office doors can often be too preoccupied with the innovative functionality on display to realise it can be hacked through unprotected WiFi and now a criminal can lock the door until a ransom is paid. And so we open the Pandora’s box of the IoT: the law of unintended consequences.

This example teaches us an interesting lesson. The IoT has known huge success in recent years but very little attention has been put on securing these devices. Indeed, the focus has been put on functionality and on the aesthetic aspect of IoT devices more than the mechanisms and processes which keep them secure. We can't really blame manufacturers, as these devices are spread in the entire world in massive quantities, which implies low-cost production. That means these devices only have a basic operating system and the minimal amount of application code to perform all their functions. Whether by design or ignorance, security has been an afterthought, if a thought at all, to IoT manufacturers.

Raising awareness

We no longer keep track of the number of botnet attacks deployed on IoT devices by cybercriminals as they see it as the low-hanging fruit to be used and abused for their vicious intentions. Connected devices can be a serious security backdoor people do not necessarily think about. For instance, a connected fridge is "not interesting" in itself. However, it becomes much more alluring for hackers when they realise it contains important information such as the Wi-Fi password in cleartext. Ill-intentioned people could use these details to access all the other connected devices in the house. This worrisome truth reflects the uncertainty of IoT devices and how unreliable it can be if not well protected. Just look at all the notorious malware attacks we have recently known. 

It is quite easy to be lost in the record-breaking list of IoT attacks. A new IoT botnet publicly known as Persirai emerged a week ago. This malicious successor of Mirai malware created a botnet to launch DDoS attacks on IP cameras, putting more than 12,000 devices at risk. These innumerable attacks remind us the importance of security due to the numerous vulnerabilities in IoT devices.

All these security issues have been responsible for raising awareness around IoT vulnerabilities. Consumer Reports, an influential US non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, recently announced it will start including cyber security parameters and privacy safeguards into its IoT products' reviews as a new evaluation criterion. This action was taken in response to notorious Mirai botnets leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices. The Mirai botnet was responsible for a series of massive DDoS attacks in late 2016. It was the first malware that placed IoT security at the forefront of the public stage.

Manufacturers under pressure

While pressure put upon manufacturers to improve the security of their devices can only help matters, it may only go so far. While we can expect a rising concern from manufacturers for IoT security, it is not certain that it will be sufficient to stop hackers from attacking vulnerable IoT devices. It will probably continue to offer a backdoor for hackers to control a device and turn it into part of a botnet that can launch a massive DDoS attack or be used to infect devices, increasingly mobile devices, with malware. Device ranking and an increasing investment in connected device security will not guarantee it becomes un-hackable. This is not a problem exclusively reserved for consumers; it’s also communications service providers’ issue.

As well as this, our research suggests mobile users perceive the service provider as the most appropriate person to provide security. The study found that when facing a security problem, 26 per cent of subscribers turn to their mobile operator even when the operator is not the one providing the security service. This implies a wish from mobile users to have security covered by the service provider. In that same survey, 61 per cent of the respondents admit they will likely buy security services from their service provider.

It is easy to think IoT security as a device-by-device process. Unfortunately, security needs to be thought in a more comprehensive way. Most devices are closed systems and don`t allow the installation of security client software or any other software after shipping from the factory. Even if the devices allow that, this approach is not the most convenient to choose. This requires a lot of flexibility, a massive investment and uninterrupted maintenance is needed to ensure devices are controlled.

To avoid all these barriers, connected device users need a comprehensive network-based security solution. Our survey revealed there is a growing demand for this level of security to be delivered by the communications service provider’s network. Unlike the practical process of securing the IoT device by device, the network will unify all security functions needed to control any device (whether an IoT device or mobile handset) and provide a simple, scalable way to protect the network with an ever-increasing number of connected devices.

The fact that mobile users demand for security together with the special limitations in protecting IoT device implies that communications service providers need to be proactive and seize this opportunity of offering mobile protection from their network if they want to stay in the game.

Guaranteeing this level of service will put the communications service providers in a good position to become the one-stop-shop that delivers, drives and protects the digital experience and stop everyday devices from becoming a threat.

Moshe Elias, Director of Products, Security Solutions, Allot Communications
Photo Credit: andriano.cz/Shutterstock