From botnets to ransoms – the rapid rise of IoT attacks

The Mirai botnet was the start. Reaper follows it with a significant step up in technique, and Internet of Things (IoT) attacks are going to get worse. This is only the beginning.

Estimates of Mirai's size run into the millions of IoT devices, and Reaper is believed to have a million or more devices in tow, with as many again queued up to join it. Headcounts for both botnets are estimates and vary widely from one source to another.

The difference between the two signals an evolution in IoT attacks, and a sign of how much more dangerous they are going to become.

Mirai used a hard-coded table of just over 60 common factory-default username and password pairs, tried over Telnet, to take over internet-connected cameras, DVRs, routers and other devices in vast numbers.

Advanced hacking techniques

Reaper is much more advanced in its techniques. Rather than guessing passwords, it quietly exploits known vulnerabilities in the devices' web management interfaces to inject malicious code and hijack the device. Each infected device then scans for and infects other vulnerable devices, so it spreads like a worm.
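To make the Mirai technique concrete from the defender's side, here is an added example (not BullGuard's code, and not Mirai's) that runs over constructed Telnet honeypot log lines and flags a source that sweeps through the factory-default credential table, counting how many distinct targets it hits (the worm-style fan-out) and which logins succeeded. The log format is an assumption made up for this example; the credential pairs are a subset of the table published in the leaked Mirai source.

```python
"""Detect a Mirai-style factory-default credential sweep in Telnet honeypot logs.

Added example; not code from the page, BullGuard or Mirai. The log line layout
below is constructed for this example and is an assumption, not a real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the ~62 username/password pairs hard-coded in the leaked Mirai
# scanner source. Enough to recognise the pattern; not the full table.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("ubnt", "ubnt"), ("root", "hi3518"), ("root", "Zte521"),
    ("admin", "1234"), ("guest", "guest"), ("service", "service"),
}

# Constructed sample: one sweeping source (203.0.113.7) that moves on to a
# second target once it finds a device with root/xc3511, plus a benign admin
# who mistypes once. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2017-10-24T03:12:01 telnet src=203.0.113.7 dst=192.0.2.10 login user=root pass=xc3511 result=fail",
    "2017-10-24T03:12:02 telnet src=203.0.113.7 dst=192.0.2.10 login user=root pass=vizxv result=fail",
    "2017-10-24T03:12:03 telnet src=203.0.113.7 dst=192.0.2.10 login user=admin pass=admin result=fail",
    "2017-10-24T03:12:04 telnet src=203.0.113.7 dst=192.0.2.10 login user=root pass=888888 result=fail",
    "2017-10-24T03:12:05 telnet src=203.0.113.7 dst=192.0.2.10 login user=root pass=xmhdipc result=fail",
    "2017-10-24T03:12:06 telnet src=203.0.113.7 dst=192.0.2.11 login user=root pass=xc3511 result=success",
    "2017-10-24T03:40:00 telnet src=198.51.100.5 dst=192.0.2.10 login user=admin pass=Wr0ng-guess result=fail",
    "2017-10-24T03:40:20 telnet src=198.51.100.5 dst=192.0.2.10 login user=admin pass=C0rrect-H0rse! result=success",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"login user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_default_cred_sweeps(lines, window=timedelta(minutes=5), min_pairs=5):
    """Flag each source that tries >= min_pairs distinct Mirai-table pairs within
    `window`. The alert records the number of distinct targets hit (fan-out)
    and every successful login from that source in the window."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):           # slide the window start over each attempt
            start = recs[i]["ts"]
            pairs, targets, successes = set(), set(), []
            for r in recs[i:]:
                if r["ts"] - start > window:
                    break
                pair = (r["user"], r["pw"])
                if pair in MIRAI_DEFAULT_CREDS:
                    pairs.add(pair)
                targets.add(r["dst"])
                if r["result"] == "success":
                    successes.append((r["dst"], r["user"], r["pw"]))
            if len(pairs) >= min_pairs:
                alerts.append({
                    "src": src,
                    "first_seen": start.isoformat(),
                    "default_pairs_tried": len(pairs),
                    "targets": len(targets),
                    "compromised": successes,
                })
                break                        # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_default_cred_sweeps(SAMPLE_LOG):
        print(alert)
```

The threshold of five table pairs in five minutes is a starting point, not a tuned value: a legitimate user rarely cycles through more than a couple of factory defaults, whereas a Mirai-style scanner walks the whole list within seconds. A "success" from a flagged source is the signal that matters most, since it names the device that has just joined the botnet.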

From a historical perspective, attacks on traditional IT systems have followed a clear pattern. IoT attacks are following suit, but with much more serious implications.

Just under 20 years ago, worms and viruses to one side, wide scale cyber-attacks tended to be characterised by distributed denial of service (DDoS) attacks launched from botnets and aimed at specific targets.

Mayhem and mischief

Around the year 2000, many businesses, financial institutions and government agencies were brought down as hackers flexed their coding muscles, either blackmailing businesses or simply causing mayhem and mischief. One DDoS attack in particular, in 2002, was aimed at all 13 of the internet's root Domain Name System (DNS) servers.

Cyber miscreants then discovered the lucrative opportunities available from stealing personal or financial information, ranging from credit card numbers and bank account details to medical records and sensitive company data. Today, we have a thriving cyber underground trading in all manner of stolen information.

And over the last few years there has been a notable and steadily building trend towards attacking power stations and water treatment plants, or in other words, different types of critical national infrastructure.

Of course these stages are not sharply delineated; for instance, there has been a resurgence in DDoS attacks, and ransomware is the number one choice of malware for cyber crooks today.

Enormous target for cyber villains

Today, according to most estimates there are something like two billion PCs in the world and a similar number of smartphones. This is nothing compared to IoT.

Gartner predicts over 20 billion IoT devices in play by 2020 and this is a conservative estimate. Some claim 50 billion. What a massive target for cyber miscreants of all shades.

And be sure these attacks are coming. Mirai signalled the onset with its October 2016 attack on the DNS provider Dyn, which made a raft of online services such as Twitter and Netflix unreachable for much of a day.

For many people this was perhaps little more than an irritant, but not for Dyn. It reportedly lost an estimated 8 per cent of the domains it served in the aftermath of the attack, something like 14,500 web domains that moved elsewhere in short order.

And we’ve already seen an endless stream of mischievous hacks on heating and lighting systems, baby cams and other assorted ‘smart’ connected devices, illustrating just how vulnerable many IoT devices are.

378 million vulnerable devices

According to our research at BullGuard some 378 million IoT devices are vulnerable to hacking. This figure extrapolates from the percentage of vulnerable devices found by our IoT scanner, which identifies easily hacked devices, to the estimated installed base.

Reaper is still growing, and it could be capable of generating significantly more DDoS traffic than Mirai. But as yet no one knows what it is for or who is behind it. In this sense it is similar to another IoT botnet, Hajime, first discovered late last year: it consisted of some 300,000 devices but to date has never been used for an attack.

It is not impossible that Reaper and Hajime have been created by some kind of anonymous white hat vigilantes who understand that IoT security is often so appallingly lacking that it needs to be addressed by unconventional means. But what is actually being done about IoT security?

Gone to sleep?

That said, it seems in some respects that the security industry has gone to sleep. Of course there is lots of talk and plenty of warnings, all of them valid. But what is happening on the ground?

We’re doing our bit in the consumer space with a platform that incorporates machine learning, artificial intelligence and cloud-based security to provide a user friendly device that locks down home networks, identifies and stops attacks and flags up potential points of entry.

Consumer protection is important given the number of smart devices making their way into homes, but just as pressing are safeguards for industry and critical infrastructure.

Aging control systems

IoT is now found in numerous networks including industrial control systems, building management systems, hospitals, traffic management, urban infrastructure, power systems and telecoms infrastructure. And there are serious issues that will be exploited if not addressed.

Many industrial control systems were designed to operate in isolation on closed networks, so they were installed without defences against network attack. IoT systems, comprising networks of sensors, now often overlay and connect to these control system networks, exposing controllers and protocols that assumed a trusted network.

For instance, in a classic example of using IoT to leverage the value of connectivity, power companies are hooking up systems to the web and improving efficiency by letting data flow freely between back-end systems and remote substations.

The burgeoning use of smart meters is also amplifying the issue. Connected back to the utility over cellular, radio mesh and other wide-area links, they create a spider's web of network connectivity, with each connection a potential point of entry for hackers to work their way through to the actual control systems.

Too little, too late

And this is being replicated across many areas of civic and industrial infrastructure. Added to this is the tendency to rely on wireless sensor networks, which only widens the attack surface further.

Government, which could take a more active regulatory role in enforcing minimum security standards, appears to be standing back, leaving it to the security industry and vendors to hammer out policies and standards.

But such is the rapid rate of IoT adoption it may be too little too late. It took almost 20 years for cyber-attacks to evolve from large scale DDoS attacks to today’s situation in which critical national infrastructure is persistently and cleverly being probed for weaknesses.

With IoT, however, the gap between IoT-powered DDoS attacks and attacks on critical national infrastructure is negligible. How long before we see IoT ransom attacks in which organisations are held hostage by their own devices? It won't be long.

Paul Lipman, CEO of BullGuard