A chain is only as strong as its weakest link. This is also true in the world of security. This year, we tracked a growing threat trend — that when just one device in a home or small business (usually the router) is compromised, then the rest of the devices on the network become easy to compromise. With connected devices — known as the internet of things — growing faster than any device category in history, it’s increasingly difficult to buy appliances and home goods that do not have a connection to the internet.
From connected lights to coffee makers and smart speakers to door locks, IoT devices will continue to drive a class of attacks aimed at exploiting their weaknesses in configuration, security flaws, and consumers’ low interaction with their settings. Therefore, the main theme of our predictions is based on how infiltrating an IoT device could easily lead to breaking into the perimeter where IoT devices with compromised modems reside.
As we begin the new year, we are publishing a 3-part series on 2019 predictions. We will cover IoT, mobile threats, and AI in these posts, all developed from insights and analysis by the Avast Threat Intelligence Team. In this first post, we are focusing on our top IoT threat predictions for 2019, including those from 2018 that continue to present challenges.
Summary of 2018 attempted attacks by device and types of attacks blocked on a monthly basis
The internet of (vulnerable) things
The category of IoT is rapidly expanding, and for good reason — while a person typically has one laptop and mobile phone, they may have a multitude of connected devices in their home from doorbell, to entertainment, to home security. According to Juniper Research, the number of connected devices is expected to top 38.5 billion by 2020.
Here’s a peek at the brands and services that a smart home like that could encompass:
The trend toward smart devices will be so pronounced in the coming years that it will become difficult to buy appliances or home electronics that are not connected to the internet.
As much of our research has shown, security is unfortunately quite often an afterthought in the manufacturing of these devices. While many of the biggest brand-name smart devices do come with reasonable security embedded, some developers skimp on security to keep costs low for consumers, a mistake considering a smart home is only as safe as its weakest link. History tends to repeats itself, and just as PC and mobile malware evolved, we expect to see IoT malware become more sophisticated and dangerous.
Anyone whose home is connected to the internet has a router to which they connect their computers, phones, and IoT devices. Routers are ubiquitous and important, but rarely maintained with the latest security standards. In fact, once an internet service provider installs the router, most people never give it a second thought, unless they experience internet disruptions.
Avast research shows that 60% of users worldwide have either never logged in to their router or have never updated their router’s firmware, leaving them potentially vulnerable to fairly simple attacks. The major problem here is that when an attacker uses a known vulnerability or weak authentication credentials to access a router, they gain access not just to the router, but to all devices connected to its network as well.
Routers have proven to be simple and fertile targets for a growing wave of attacks. While many attacks against routers use variants based on the Mirai codebase (which was released by the creator shortly after the successful attacks of September 2016), many are far more complex and point to a murky future for home network security.
Not only have we seen an increase in router-based malware in 2018, but also changes in the characteristics of those attacks. Where router-based malware has traditionally taken over a device for the purposes of carrying out a DDoS attack, such as the Mirai attacks, today’s attacks use malware to infect a device and open up a line of communication to a C&C (command and control server), without taking any immediate action.
We saw this with VPNFilter and Torii; once the router is infected, these malware strains listen to the network traffic, fingerprint the network and the devices on it, and allow for the C&C to send new payloads or instructions to the device. In this, the malware acts more like a platform and less like a virus. This “platform-ification” of malware opens up many possibilities such as pay-per-install as well as DDoS-for-hire or even good old-fashioned spam.
Downstream effects of router vulnerabilities
This attack also showed a potentially more worrisome trend, as these routers are not just in our homes, but also used by many smaller internet service providers. There is potential for an infected router to infect many hundreds or thousands of downstream devices. Further, it would be very difficult to figure out where the infection is coming from.
More modular IoT malware
Just as PC malware was very simple in its infancy, most IoT malware has been built for a very narrow purpose, such as to gather botnets for a DDoS attack. But like PC malware, IoT malware will learn and adjust its modus operandi from “one-trick” malware to multipurpose malware platforms capable of supporting organized pay-per-install campaigns.
There are benefits to infecting and then keeping a low profile, rather than immediately monetizing the network. After getting a large volume of IoT devices under control, malware authors can repurpose their bots to do whatever they see fit (or whatever would be most profitable).
More sophisticated spreading techniques
IoT malware as proxy
Right now, IoT malware authors typically monetize their deeds through cryptomining or DDoS-for-hire attacks, but this is not the most profitable approach. We think more and more IoT malware authors will begin infecting more powerful and interesting devices, like mobile phones, tablets and PCs.
IoT malware will drop support for x86 architecture
x86 is one of the most common backward-compatible instruction set architectures and has been in use since Intel introduced it in the late 1970s. However, as more devices operating on alternate frameworks become available, it is logical that malware authors will stop including the x86 step to make reverse engineering harder for security vendors. There are many sandboxes for PEs (portable executables) and x86 ELFs (Executable and Linkable Formats), but the majority of them struggle to support other architectures.
Despite the warnings inherent in these predictions, we believe the burgeoning IoT-verse marks a thrilling moment in our techno-evolution. Just make sure you stay smart and security-conscious with each new device you allow into your life. To be better prepared for the technological landscape ahead, download and read the full 2019 Avast Predictions report.