Distributed denial-of-service (DDoS) botnets are not the only threat organizations need to worry about when it comes to the internet of things (IoT).
The Mirai attacks of 2016 engendered a pretty broad understanding of how botnets assembled from ordinary consumer IoT devices can be used to launch crippling DDoS attacks on enterprises. But organizations that assume such attacks are the only IoT security threat are making a big mistake.
The increasing use of internet-connected devices in myriad applications such as asset tracking, equipment monitoring and managing data center environmental conditions has significantly expanded the attack surface at many enterprises. To adversaries, enterprise IoT systems present a relatively easy target because the devices often lack basic security controls, don’t support security patching and are not always well monitored.
“The majority of enterprises lack visibility into the number and type of IoT devices active on their corporate networks,” said Patrick Daly, an analyst at 451 Research. This often creates an inventory gap that leads to an incomplete assessment of the overall risk posture.
“The problem is that many devices were shipped without the native computing capabilities to run basic security functions like user and device authentication or even to receive software updates,” he noted. “It’s incredibly difficult to reduce risk later on, meaning that these threats aren’t going to go away anytime soon.”
The Ransomware Threat
IoT ransomware is one big issue. The threat here is not so much attackers holding data for ransom as attackers holding the IoT devices and the IoT network itself for ransom.
As the non-profit IoT Security Forum explains, most IoT devices store very little data, so attackers have little incentive to encrypt it. Rather, they are more likely to lock the devices and demand payment for restoring access. In an industrial IoT setting, for instance, attackers could hack a power grid and demand immediate payment or threaten a total blackout.
“The IoT ransomware model is fundamentally different from the computer and laptop paradigm, but no less dangerous,” the IoT Security Forum warned, noting it’s only a matter of time before attackers turn their attention to hacking IoT for ransom.
Another threat is attackers using IoT systems as an entry to the broader corporate network. “With many of these devices lacking native authentication capabilities, they act as the low-hanging fruit for would-be attackers trying to gain a foothold on the network,” Daly said.
An Entryway to IT and OT Networks
What’s particularly troubling is that few organizations have any idea how many of the devices on their network are accessible from the internet, so they have no controls in place for protecting those devices against attack. “The exploitability of these devices is what is driving the hackers,” said Yevgeny Dibrov, CEO and co-founder of Armis. “They are looking for the path of least resistance to get to customer data, financial or personal information or device and network control.”
Last September, researchers at Armis discovered a set of eight Bluetooth vulnerabilities affecting billions of IoT devices running Android, iOS, Windows and Linux. These include laptops, smartphones, TVs and audio systems in some automobiles. The vulnerabilities basically give attackers a way to connect to IoT devices and run malicious code on them without users having to do a single thing.
Such vulnerabilities enable a new class of airborne attacks against the IoT that bypass regular security controls, Dibrov said. “In this age of hyperconnectivity, attackers can connect directly to the device without ever being on the internet or having a user click on a link or download something,” he said. Hackers can directly connect with devices today at the WiFi, Bluetooth and chip level, making it relatively simple to launch attacks such as WannaCry, for example.
DDoS attacks, of course, continue to be a big threat as well, on two separate fronts. IoT botnets built with malware such as Mirai and Satori have allowed attackers to launch massive DDoS attacks against enterprises. Such attacks can be used to extort money from victims, disrupt operations and hide other malicious activities. At the same time, vulnerable enterprise IoT devices are at risk of being hijacked and used to build these massive botnets as well.
“Our concern is the attacks will become more sophisticated, hitting critical infrastructure and even health care, where you move from impacting patient data to actual patient care,” Dibrov said. “The IoT security wave is coming. Enterprises need to be prepared for it.”