Uncovering Risks in Ordinary Places: A Look at the IoT Threat Landscape
Global manufacturers have made internet of things (IoT) devices incredibly easy to install and use. Many devices are designed to be plug-and-play, fully compatible with other machines, and easily managed from common applications. Their obvious benefits to enterprises and consumers, as well as their proliferation and affordability, have made IoT devices quite common. But as the IoT continues to become more integrated into enterprise and home spaces, the threat landscape also expands.
We look at the most significant threats and vulnerabilities in IoT devices on the edge of the network, within the network itself, and in the cloud, and draw insights from the cybercriminal underground.
Nowadays, interacting with IoT edge devices is virtually inevitable. Aside from smartphones and laptops, companies equip offices with devices that promote safety and efficiency, from smart lights to security cameras and connected printers. And many of these devices are also making their way into living spaces, from connected refrigerators in kitchens to smart thermostats in bedrooms.
As dependence on these devices grows, securing them must be a bigger priority. The first step is building an awareness of vulnerabilities and possible threats.
Smart home devices are notoriously vulnerable, and past incidents show how hackers readily compromise and abuse them. Vulnerabilities allow attackers to gain unauthorized remote control of affected devices, which can lead to compromised or even damaged devices.
With more complex IoT environments forming, attackers can use vulnerable devices as gateways into a user’s network. Devices integrated into the environment can include smart bulbs, smart locks, speakers, TVs, and many others. This connectivity opens up homes to intrusions, information theft, and spying—either through compromising the server where devices are connected or through devices themselves.
Although some hackers aim to compromise devices to make them part of a botnet for cryptocurrency mining or even denial-of-service attacks, recent news worryingly shows amateur hackers compromising devices for different reasons: Home security cameras were compromised for simple entertainment value, with hackers harassing victims for self-promotion and amusement. Smart thermostats have also been hacked — the victims were harassed for no discernible motive or goal.
Figure 1. Smart home devices create complex IoT environments
Enterprises are already aware of cybersecurity threats that may affect laptops, tablets, or smartphones that employees use. There are usually established security teams in place to protect company endpoints that connect to the enterprise network, as well as the network itself. However, employees are also bringing in their personal IoT devices, which they connect to enterprise networks and use while at work. Enterprises must also contend with risks and threats — from targeted attacks to hacking and data breaches — that arise from the increasing prevalence of miscellaneous consumer-grade IoT devices within enterprise premises.
Attackers have been known to choose and assess an exposed device, then use it to access the system to which it’s connected, to facilitate targeted attacks. Even simple online searches can provide attackers with enough information to find vulnerabilities in a company’s system and cause damage to the target’s network and assets.
Figure 2. Personal IoT devices in BYOD environments present a serious risk
As companies strengthen their cybersecurity, hackers try to locate any vulnerable IoT device to break into enterprise systems. Unpatched devices are a common risk: because they lack the latest security updates, hackers can use older, already known vulnerabilities to compromise them and gain privileged access to corporate networks. Unpatched devices can then lead to data breaches or exposed information, manipulation of other assets, access to servers and systems, deployment of malware, or even physical disruption of operations.
Attackers can also use a compromised device to scan for other vulnerable devices or to enlist it in a botnet. Botnets are a significant problem: data from the Trend Micro™ Smart Home Network solution from 2018 to 2019 showed a 180% increase in brute force login attempts. These attempts are closely tied to botnets, because cybercriminals use this tactic, a large number of consecutive password guesses, to break into IoT devices.
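The brute force pattern described above is easy to spot in a device's authentication log if the log is actually collected. The following detector is an added example, not code from Trend Micro or from the article: it reads constructed syslog-style login lines (the format, hostnames and documentation-range IPs are assumptions), keeps a sliding window of failed logins per source address, and flags a source once it exceeds a threshold inside that window. It also records the spread of usernames tried and, most importantly, whether a successful login followed the burst, which is the case that should be escalated rather than merely counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines in a syslog-like format (not taken from any real device).
# Source IPs are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z cam-01 sshd[412]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2019-03-01T10:00:02Z cam-01 sshd[412]: Failed password for root from 203.0.113.5 port 51235 ssh2
2019-03-01T10:00:02Z cam-01 sshd[412]: Failed password for admin from 203.0.113.5 port 51236 ssh2
2019-03-01T10:00:03Z cam-01 sshd[412]: Failed password for support from 203.0.113.5 port 51237 ssh2
2019-03-01T10:00:03Z cam-01 sshd[412]: Failed password for admin from 203.0.113.5 port 51238 ssh2
2019-03-01T10:00:04Z cam-01 sshd[412]: Failed password for user from 203.0.113.5 port 51239 ssh2
2019-03-01T10:00:05Z cam-01 sshd[412]: Accepted password for admin from 203.0.113.5 port 51240 ssh2
2019-03-01T10:00:09Z cam-01 sshd[412]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2019-03-01T10:05:30Z cam-01 sshd[412]: Failed password for admin from 198.51.100.7 port 40002 ssh2
"""

# One login event per line: timestamp, host, daemon, outcome, username, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any sliding window of
    `window_seconds`. For each flagged IP the result records the total failures seen, the set
    of usernames tried (several different usernames points to guessing, not a mistyped
    password) and whether a successful login from that IP followed the burst."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    stats = defaultdict(lambda: {"failures": 0, "usernames": set(), "success_after_burst": False})
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Accepted":
            # A success is only alarming here if the same source was already flagged.
            if ip in flagged:
                stats[ip]["success_after_burst"] = True
            continue
        st = stats[ip]
        st["failures"] += 1
        st["usernames"].add(ev["user"])
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(ip)
    return {ip: stats[ip] for ip in flagged}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, 203.0.113.5 is flagged (six failures across four usernames in three seconds, followed by a successful login), while 198.51.100.7 is not: two failures five minutes apart never fill the window. The threshold and window are the tuning knobs; a device that is only ever logged into by an administrator can use far stricter values than a shared management host.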
Compromising enterprise systems, disrupting operations, stealing information, accessing sensitive data — malicious actors with these goals in mind typically target IoT devices connected to public networks. Given the possible consequences of a successful attack or compromise, it is vital to protect commonly used features and typical devices used in enterprises and homes.
- Network Attached Storage (NAS) devices. These devices are historically vulnerable and have been prime targets for hacking groups for years. Exploiting certain vulnerabilities can allow attackers to bypass authentication, execute code on the device, and download or manipulate user data. They are also being targeted by ransomware and other malware to perform DDoS attacks or cryptocurrency mining.
- Universal Plug-and-Play (UPnP) devices. Many IoT devices today, like cameras, gaming consoles, and routers, are equipped with a Universal Plug-and-Play (UPnP) feature that enables networked devices to communicate, share data, and coordinate functions. Exploiting vulnerabilities in UPnP features allows hackers to compromise or even take control of the machines. Routers and other devices can become proxies to obfuscate the origins of botnets, be used in distributed denial-of-service (DDoS) attacks, or even send spam.
- Internet protocol (IP) devices. Enterprises are increasingly adopting IP devices because of the easy installation and scalability, as well as the analytics they offer. Unfortunately, they are also prone to vulnerabilities. These devices usually come with default settings and credentials that users neglect to change, and hackers easily exploit this behavior. Many dedicated groups create malware that targets IP devices, such as TheMoon (one of the oldest such malware families), and Persirai. Like NAS devices, IP devices have been prime hacking targets for years, typically for use in DDoS attacks or cryptocurrency mining activities.
- Unsecure older technology. Newer devices are not the only vulnerable machines; oftentimes older technology in a connected network or system also exposes enterprises to certain risks. For example, the Faxploit vulnerability involved stack overflow bugs in the implementation of the fax protocol in certain printers. A special fax number could allow an attacker to hijack the network and connected systems, infect devices with malware, or steal data.
The continuing adoption of IoT devices, which will only be fueled further by the coming 5G era, means that organizations and even ordinary users are now using cloud computing and cloud-based IoT solutions for easier device management and data storage. A look across the threat landscape reveals several potential attack vectors as these solutions are developed and deployed:
- API gateways function as doorways to the cloud and limit IoT device traffic. And because of the way they are used, misconfigured gateways could turn devices or services into security liabilities. Threat actors can use these gateways for malicious activities such as faking a command sequence by changing the logic between the APIs, invoking more vulnerabilities in the process. Other possible activities include user spoofing, man-in-the-middle (MiTM) attacks, and session replays.
- Developers customize the rules and policies for IoT devices connected to cloud servers for identity and access management (IAM). Misconfigurations within authentication roles, policies, or assigned keys, for example, can cause serious issues. Hackers can control data traffic and access, breach the server, perform more complex attacks, control the cloud service, or spoof a guest or legitimate device user.
- Apart from APIs, misconfigurations in other devices, cloud gateways, and infrastructure also expose weaknesses in how data traffic is secured along its path, leaving the device or the cloud server open to attack.
A look into cybercriminal underground forums and sites shows a growing interest in IoT device hacking and many offers of services built on compromised IoT devices. These underground platforms even had tutorials on how to exploit vulnerabilities and hack into devices. The available services ranged from access to compromised devices and the use of botnets to DDoS services and private IoT-based VPNs. This was not limited to English-language forums and discussions; similar offers appeared on Russian, Portuguese, Arabic, and Spanish sites as well.
Figure 4. Russian forum user offering VPN services
Figure 5. Posts offering botnets for sale
Figure 6. Access to compromised devices for sale
The number of devices in use, and the extent to which they are integrated into people’s lives, makes IoT attacks viable for hackers and consequential for users. Users will need awareness of specific threats, areas of vulnerability, and effective security solutions to defend against these threats. All IoT devices, from employee-owned machines and company assets to simple home appliances, should be secured.
Our research into the threat landscape of IoT delves deeper into specific threats and their corresponding solutions. Learn more here:
The IoT Attack Surface: Threats and Security Solutions
IoT Devices in the Workplace: Security Risks and Threats to BYOD Environments
From Homes to the Office: Revisiting Network Security in the Age of the IoT