IoT Malware Will Soon Surround Us: Researcher

When it comes to Internet of Things (IoT) devices, everything from smart glasses to connected cars is susceptible to malware infection if not properly secured, Fortinet senior researcher Axelle Apvrille said in a presentation at the DefCamp 2016 security conference in Bucharest, Romania this week.

CCTV cameras, DVRs and network routers have made headlines recently as vulnerable IoT devices due to their connection to distributed denial of service (DDoS) botnets such as Mirai and Bashlite, but malware could target more devices, including smart toys, home appliances, wearables, and more. In fact, the future could be a dark one for such devices and for their users, the researcher says.

The only trigger required for such attacks to become the norm would be for cybercriminals to find a way to monetize such infections. “Ultimately, the purpose of IoT malware is financial. It’s the money that their developers are after, the same as those behind other malware out there,” Apvrille told SecurityWeek at the conference.

The computing power of targeted devices doesn’t even matter, she explained. As long as these devices have an Internet connection that can be exploited to send spam messages or launch distributed denial of service attacks, malware authors will be interested in them, especially since Mirai has shown that they can be easily compromised.

“If a device has firmware, there could be some room left for an attacker to install malware, because it doesn’t have to be complex malicious code. In fact, such malware only needs 4 bytes of memory,” the security researcher explained.

With actors targeting less complex devices, it might not be too long before IoT malware completely surrounds us, Apvrille explained. It only takes a single vulnerable entry point for attackers to find and exploit, and entire home or corporate networks could be infected via a connected device.

Security researchers previously explained that the main purpose of IoT malware is to launch DDoS attacks, but Apvrille says that these devices could be infected for other nefarious purposes as well, including ransomware, Trojans, and spyware.

During her presentation at DefCamp 2016, Apvrille not only theorized that all IoT devices are susceptible to compromise if exposed to the Internet, but also demonstrated how simple the malicious programs that would infect them could be. A functional piece of malware can have only a few tens of lines of code, the researcher explained.

Apvrille demonstrated how a piece of ransomware on a pair of smart glasses running Android could render the device unusable or could be used to record users’ activity and subsequently extort them by threatening to release the video online. The possibilities that a ransomware attack offers in such a scenario are diverse.

Malicious code could be installed via spam email, a popular distribution method these days. Other attack vectors could also be used, including malicious images. The researcher demonstrated how an attacker could pack malware inside a seemingly benign image that automatically triggers the installation when opened.

It’s not only ransomware that these smart glasses could be targeted with, but the entire range of malicious apps built for Android. There are around 5,000 new Android malware variants emerging each day and smart glasses could be vulnerable to them as well. The lack of Internet connectivity makes the operating system upgrades difficult on such devices, which means that patched vulnerabilities continue to haunt them for as long as they are used.

Smart watches are also vulnerable and are susceptible to even more diverse malware attacks, the researcher says. These devices have been designed as companions for the smartphone, and cybercriminals could try to compromise the smartphone through them. For example, a malicious app could turn the smart watch into an SMS dialer so that a message would be sent to a premium number each time the user touched its screen.

All types of connected devices could be vulnerable to malware attacks, but the criticality of their exploitation increases with their price, because more expensive devices could be of greater interest to threat actors, which increases the risk of infection. An infection on some of these devices could even turn into a life-threatening situation.

Last month, Rapid7 researcher Jay Radcliffe revealed that Animas’ OneTouch Ping insulin pumps are plagued by several vulnerabilities that could allow an attacker to compromise devices and potentially harm diabetic patients. Despite being a serious security issue, however, the vendor doesn’t plan to rectify it via a firmware update, because the devices are considered to pose a relatively low risk.

According to Apvrille, malicious actors could install ransomware on insulin pumps or blood pressure monitoring devices and compel people to pay the ransom by threatening their lives.

Cybercriminals could also target connected cars and threaten to disable critical vehicle functions if a ransom isn’t paid in a given period of time. Instead of getting the car to a repair shop, which might take a lot of time and could cost as much as the ransom, the user might pay up. Security researchers have already demonstrated vulnerabilities in connected cars, which makes such scenarios plausible.

The security risks associated with IoT devices have been discussed before, but they returned to focus recently, when Mirai and similar botnets came into the spotlight. However, IoT devices shouldn’t fear only DDoS botnets, ransomware, spyware, and Trojans, but disruptive malware as well. Earlier this week, a group of security researchers demonstrated how an IoT worm could be used to hack all smart lights in a city and how setting up such an attack was rather cheap.

“There is a new path of least resistance, which Mirai so well illustrated. Consumer connected devices are generally not built with security in mind. The software that powers these devices isn’t tested to the same level that a financial institution will test a Web application. The hardware, firmware, and OS isn’t sufficiently hardened against attack. If a password exists, it is weak and widely published in support documentation that is broadly available on the Internet,” Cigital’s Jim Ivers noted in a recent SecurityWeek column.

Because of these vulnerabilities and lack of security standards, any IoT device in a smart home could represent a vulnerable entry point for a malware attack. By compromising a toothbrush, a toaster, or a refrigerator, an attacker could then spread malware to other devices on the network, including computers and smartphones.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
