When people think of cybercrime, they tend to think of geeks in dark rooms staring into computer monitors trying to figure out some new way to infiltrate a network. And historically, that was a pretty accurate assessment.
Turning a profit drives a lot of cybercrime. For example, healthcare systems have been a prime target for ransomware: lots of interesting data combined with critical infrastructures that range from managing and assessing patients to actually running life-saving technology. If you manage to take a healthcare system offline, they are highly motivated to turn it back on.
But why spend all that time and money researching how to break into a healthcare system when there are new critical technologies with attack vectors that are much easier to exploit?
For example, a session at the recent Black Hat conference in Las Vegas discussed modern windmills being held for ransom. Why? Well first, a lot of the technology being used to run and manage these windmills was not designed with security in mind. And second, it’s all about the money.
The loss of a single windmill can cost an energy provider upwards of $30,000 a day. If an attacker is able to shut enough of these down, the victim is likely to fork over a huge ransom to get them back online. Looking at trends over the past year or so, we can see that attacks that target critical infrastructure based on new, interconnected technologies seem most likely to become part of the next generation of ransom-based attacks.
At the center of this target are IoT devices. They include such things as digital security cameras, DVRs, gaming systems, smart appliances, and even heating and ventilation systems. Many of them are being built using unsecured communications protocols and junk code. Many have hardcoded backdoor passwords built into them and pass data in the clear. And since manufacturers commonly use and share code from a single source, these vulnerabilities can crop up across a wide variety of devices sold by a single manufacturer, across multiple brands from manufacturing conglomerates, and even across devices produced by completely separate manufacturers who have used a common code set to connect their devices to the internet.
A perfect case study of what happens when these devices are exploited is the Mirai botnet of last fall that hijacked millions of DVR devices to create a massive denial-of-service attack that shut down huge segments of the internet. As an attack, it was pretty straightforward. What made it unique is that Mirai included worm-like characteristics that allowed it to spread rapidly, and it targeted connected devices that had been built and deployed with virtually no thought given to security.
But Mirai was just a shot across the bow. Newer iterations of IoT-focused attacks, like Hajime and Devil’s Ivy, not only use the same sort of mechanism to attack IoT devices, but have added sophisticated toolsets that allow them to identify different devices, select known passwords or exploit appropriate vulnerabilities, compromise a device and then use its communications protocols to spread infection to other devices. The potential for using multi-vector worms to create massive IoT botnets that span across multiple technologies is very real. And the results can be devastating.
And because these sorts of attacks can be done autonomously and at scale, the ability to impose ransomware on thousands of victims simultaneously, rather than targeting a single large network, is now a possibility. How much would you be willing to pay to turn your entertainment system or refrigerator back on? Fifty dollars? Now multiply that by millions of users and you get an idea of why cybercriminals are very motivated to invest in building these sorts of exploits.
In part two of this article, I will discuss how opportunity is the land of innovation for cybercriminals and how new legislation around IoT cybersecurity can protect consumers with stricter security standards in order to avoid massive market disruptions.
This article was originally published in IoT Agenda and can be found here.