When it comes to Internet of Things (IoT) devices, everything from smart glasses to connected cars is susceptible to malware infection if not properly secured, Fortinet senior researcher Axelle Apvrille said in a presentation at the DefCamp 2016 security conference in Bucharest, Romania this week.
CCTV cameras, DVRs and network routers have made headlines recently as vulnerable IoT devices due to their connection to distributed denial of service (DDoS) botnets such as Mirai and Bashlite, but malware could target more devices, including smart toys, home appliances, wearables, and more. In fact, the future could be a dark one for such devices and for their users, the researcher says.
The only required trigger for such attacks to become norm would be for the cymbercriminals to find a way to monetize such infections. “Ultimately, the purpose of IoT malware is financial. It’s the money that their developers are after, the same as those behind other malware out there,” Apvrille told SecurityWeek at the conference.
The computing power of targeted devices doesn’t even matter, she explained. As long as these devices have an Internet connection that can be exploited to send spam messages or launch distributed denial of service attacks, malware authors will be interested in them, especially since Mirai has shown that they can be easily compromised.
“If a device has firmware, there could be some room left for an attacker to install malware, because it doesn’t have to be complex malicious code. In fact, such malware only needs 4 bytes of memory,” the security researcher explained.
With actors targeting less complex devices, it might not be too long before IoT malware completely surrounds us, Apvrille explained. It only takes a single vulnerable entry point for attackers to find and exploit, and entire home or corporate networks could be infected via a connected device.
Security researchers previously explained that the main purpose of IoT malware is to launch of DDoS attacks, but Apvrille says that these devices could be infected for other nefarious purposes as well, including ransomware, Trojans, and spyware.
During her presentation at DefCamp 2016, Apvrille not only theorized that all IoT devices are susceptible to compromise if exposed to the Internet, but also demonstrated how simple the malicious programs that would infect them could be. A functional piece of malware can have only a few tens of lines of code, the researcher explained.
Apvrille demonstrated how a piece of ransomware on a pair of smart glasses running Android could render the device unusable or could be used to record users’ activity and subsequently extort them threatening to release the video online. The possibilities that a ransomware attack offers in such a scenario are diverse.
Malicious code could be installed via spam email, a popular distribution method these days. Other attack vectors could also be used, including malicious images. The researcher demonstrated how an attacker could pack malware inside a seemingly benign image that automatically triggers the installation when opened.
It’s not only ransomware that these smart glasses could be targeted with, but the entire range of malicious apps built for Android. There are around 5,000 new Android malware variants emerging each day and smart glasses could be vulnerable to them as well. The lack of Internet connectivity makes the operating system upgrades difficult on such devices, which means that patched vulnerabilities continue to haunt them for as long as they are used.
Smart watches are also vulnerable and are susceptible to even more diverse malware attacks, the researcher says. These devices have been designed as companions for the smartphone, and cybercriminals could try to compromise the smartphone through them. For example, a malicious app could turn the smart watch into a SMS Dialer so that a message would be sent to a premium number each time the user touched its screen.
All types of connected devices could be vulnerable to malware attacks, but their exploitation criticality increases with their price, because more expensive devices could pose higher interest to threat actors, thus increasing the risk of them being infected. An infection on some of these devices could even turn into a life-threatening situation.
Last month, Rapid7 researcher Jay Radcliffe revealed that Animas’ OneTouch Ping insulin pumps are plagued by several vulnerabilities that could allow an attacker to compromise devices and potentially harm diabetic patients. Despite being a serious security issue, however, the vendor doesn’t plan to rectify it via a firmware update, because the devices are considered to pose a relatively low risk.
According to Apvrille, malicious actors could install ransomware on insulin pumps or blood pressure monitoring devices and determine people to pay the ransom by threatening their lives.
Cybercriminals could also target connected cars and threaten to disable critical vehicle functions if a ransom isn’t paid in a given period of time. Instead of getting the car to a repair shop, which might take a lot of time and could cost as much as the ransom, the user might pay up. Security researchers have already demonstrated vulnerabilities in connected cars, which makes such scenarios plausible.
The security risks associated with IoT devices have been discussed before, but they returned to focus recently, when Mirai and similar botnets came into the spotlight. However, IoT devices shouldn’t fear only DDoS botnets, ransomware, spyware, and Trojans, but disruptive malware as well. Earlier this week, a group of security researchers demonstrated how an IoT worm could be used to hack all smart lights in a city and how setting up such an attack was rather cheap.
“There is a new path of least resistance, which Mirai so well illustrated. Consumer connected devices are generally not built with security in mind. The software that powers these devices isn’t tested to the same level that a financial institution will test a Web application. The hardware, firmware, and OS isn’t sufficiently hardened against attack. If a password exists, it is weak and widely published in support documentation that is broadly available on the Internet,” Cigital’s Jim Ivers noted in a recent SecurityWeek column.
Because of these vulnerabilities and lack of security standards, any IoT device in a smart home could represent a vulnerable entry poi
nt for a malware attack. By compromising a toothbrush, a toaster, or a refrigerator, an attacker could then spread malware to other devices on the network, including computers and smartphones.