
Hackers graduate to financial gain as motivation for IoT attacks


The phrase Internet-of-Things (IoT) has gone from buzzword to common speech, having had an impact on almost every industry and sector. Once an abbreviation that seemed bound for fad-status among the tech elite, even the average consumer now embraces “IoT” as a category of connected technology that’s increasingly all around us.   

In fact, it’s estimated that the IoT market hit a staggering $20.35 billion valuation in 2017 and is set to grow past $75.44 billion by 2025. That means the perception that IoT is “all around us” is going to take a great leap further in under a decade – and the implications will be dramatic.

Especially in the context of cybersecurity, what will an omnipresence of connected devices tracking our every move mean for the hacking community?

We’re already starting to get a taste of what the future holds today when it comes to hacked IoT, as headlines over the past year have consistently focused on ever-increasing “muscle-flexing” on the part of hackers. As with any major technological change that’s embraced so rapidly by the masses, cracks in the façade will inevitably emerge as best practices catch up with the rate of adoption. IoT devices are especially prone to this chain of events, as industries and individuals are often bringing IoT solutions into their workflows before security is assured or a defense against threats is even mapped.   

Evolving from DDoS to Financial Gain 

Take, as an example, the distributed denial of service (DDoS) attacks that leveraged common household and office IoT devices over the course of 2016 and 2017. The Mirai attack, for instance, was a DDoS operation that used an army of botnet-infected IoT devices to flood Twitter, GitHub and the PlayStation network – to name just a few victims – with “loud” network traffic that drowned out legitimate directives from network administrators. This overwhelmed the targets’ servers, forcing them to shut down. First detected in October 2016, active strains of the Mirai virus were still being reported as recently as December 2017. 

While the Mirai attack continues to cause financial harm to the affected parties, it was widely considered an exercise in showboating for the hacker Paras Jha, who recently pleaded guilty to hacking charges alongside two of his classmates. Jha and his cohorts made the vulnerabilities of IoT networks – even those connected to tech giants – glaringly obvious, which only opens the doors for “one-upmanship” that will give IoT hacking over the next year a new motive: malicious actors looking for financial gain will inevitably attempt to leverage those vulnerabilities, taking advantage of readily available ransomware and PII for big paydays.

In fact, research group Forrester made this prediction one of its top forecasts for the next year. Instead of being motivated solely by political, social, or military reasons – as had been forecasted in previous years – cybercriminals will likely be driven by financial gain moving forward, as the black market for malware and the Dark Web continue to mature, Forrester noted.   

Bracing for the future 

Fighting the increasingly persistent threats that will affect enterprise IoT networks requires the same comprehensive approach to security that IT takes with its standard network connectivity. For starters, organizations need to immediately ensure the security of their existing IoT infrastructure by assessing their hardware for security gaps, including weak encryption implementation or inadequate patching functions.

When it comes to encryption, IT teams need to ensure that data is encrypted while at rest and in motion. Full-disk encryption, for instance, is one method that prevents access to sensitive data only while that content is at rest – as soon as a device or server is turned on and a user is logged in, anyone, including bad actors who entered the network during downtime, can access that data.

Rather, teams need to ensure their security solutions are encrypting at all times using established industry standards (SSL, for instance). At the same time, businesses need to be sure their encryption keys are held privately and offline – not within a network-accessible server – to ensure that only necessary parties have access to the most sensitive network data.   

Organizations also need to be sure they are taking appropriate steps to stop bad actors from entering the network to begin with. This requires a “defense-in-depth” approach to network security that mirrors what’s often touted on the battlefield – putting as many layers between the enemy and the walls of the network as possible. That means not just relying on a next-generation firewall – which only looks at packets of data entering the network rather than entire files – or standard proxies. Instead, secure web gateways that feature a consortium of solutions via a single management console are the best path forward.

Stopping cash-grabs on the way out of the network 

With financial gain at the core of attacks going forward, businesses need to be extra critical of the vetting they do of content leaving the network as well. This is especially true in the context of IoT devices – which harkens back to our sentiments surrounding encryption – in that many of these devices spend a great deal of time “turned off” before being activated by a beacon or sensor. Sleeping trojans within the network could leverage the data collection of these newly “activated” IoT communications to conduct data exfiltration – essentially exiting the network with cash in hand – if they make it past robust gateway defenses. It’s almost like having all eyes on the front door and no insight into who might be leaving through the window, or a method to chase after them. 
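One way to watch the "window" described above, as an added example that is not part of the original article: group each IoT device's outbound flows into wake-up bursts and flag bursts that reach unlisted destinations or far exceed the device's earlier volume. The device names, hostnames, flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

IDLE_GAP = 300      # seconds of silence separating two wake-ups (assumed)
VOLUME_FACTOR = 5   # burst is suspicious above 5x the median earlier burst (assumed)

# Constructed sample flow records: (epoch_seconds, device, destination, bytes_out)
FLOWS = [
    (1000, "sensor-01", "telemetry.example.com", 1200),
    (1010, "sensor-01", "telemetry.example.com", 900),
    (5000, "sensor-01", "telemetry.example.com", 1100),
    (9000, "sensor-01", "telemetry.example.com", 1000),
    (9020, "sensor-01", "203.0.113.50", 48000),
    (2000, "camera-02", "video.example.com", 50000),
    (7000, "camera-02", "video.example.com", 52000),
]
# Constructed egress allowlist: destinations each device is expected to contact
ALLOWED = {"sensor-01": {"telemetry.example.com"}, "camera-02": {"video.example.com"}}

def bursts_by_device(flows, idle_gap=IDLE_GAP):
    """Group each device's flows into wake-up bursts separated by idle gaps."""
    out = defaultdict(list)
    last_seen = {}
    for ts, dev, dest, nbytes in sorted(flows):
        if dev not in last_seen or ts - last_seen[dev] > idle_gap:
            out[dev].append({"start": ts, "bytes": 0, "dests": set()})
        burst = out[dev][-1]
        burst["bytes"] += nbytes
        burst["dests"].add(dest)
        last_seen[dev] = ts
    return out

def flag_egress(flows, allowed=ALLOWED, factor=VOLUME_FACTOR):
    """Return (device, burst_start, reason) for bursts that break the egress policy."""
    alerts = []
    for dev, bursts in bursts_by_device(flows).items():
        for i, b in enumerate(bursts):
            for dest in sorted(b["dests"] - allowed.get(dev, set())):
                alerts.append((dev, b["start"], f"unlisted destination {dest}"))
            earlier = [p["bytes"] for p in bursts[:i]]
            if earlier and b["bytes"] > factor * median(earlier):
                alerts.append((dev, b["start"], "volume above baseline"))
    return alerts

if __name__ == "__main__":
    for alert in flag_egress(FLOWS):
        print(alert)
```

The baseline here is built from the device's own earlier bursts, so a device that was already compromised when logging began would need a baseline taken from a known-good period instead.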

Of course, IoT devices make network security more complicated than ever before, and even the most extensive security solutions can’t thwart every threat. But with the mindset of hackers evolving to meet these new threats, the financial downfall of entities who don’t do all they can to secure IoT tech that is otherwise a boon for business can be significant.     

Peter Martini, President & Co-Founder of iboss


Peter Martini is President & co-founder of iboss. He co-developed the award-winning iboss Web and Mobile Security products, which are responsible for transforming iboss into a go-to global resource for proven, progressive Web security.