Cyber Security – The Internet of Things and Where Are We Headed?

We continue to evolve toward a widely distributed system of devices and interconnections. This evolution requires a corresponding evolution in our Cyber Security efforts. Recent articles reveal that DVR devices are being used to mine Bitcoin and that the same binaries can infect routers. We need to change our way of thinking when it comes to sources of attack.

New Revelations about the “Internet of Things” (IoT) – Potential for Attack Devices

A recent article in RISK ASSESSMENT/SECURITY & HACKTIVISM from April 2nd called “‘Internet of Things’ is the new Windows XP” held many surprises. It revealed that researchers at SANS found a Bitcoin-mining Trojan that has infected DVRs. The SANS researchers were investigating the source of an automated script observed scanning the Internet for data storage devices. They found that the bot ran on a DVR with an ARM processor; the DVR was part of a system used to record video from security cameras. It was probably infected through an exposed telnet port and a default password of “12345”. The same article revealed additional SANS discoveries of the same binaries on infected routers, even though the routers were configured to provide network address translation (NAT). This is some pretty chilling news. We think about attack surface as a major factor in determining risk. Usually we are thinking about the exposure of our own devices as the attack surface, but what happens if the attacker side drastically increases in size through the availability of new IoT devices? This is particularly worrisome when thinking about Denial of Service (DoS) attacks.

Even more troubling news from this article was that researchers at the antivirus provider Eset found that an 11-year-old piece of computer malware for sending spam and performing denial of service attacks was recently updated to change the domain name system (DNS) settings of home broadband gateway routers. This was first identified as being used in attacks in late October. Attackers are looking at lots of low-hanging fruit in IoT devices that might be susceptible to attacks used previously on older OSes and PCs.

The third interesting piece of data from the article came from Nominum, a provider of analytics software for telecommunications and services providers. Nominum identified 24 million home routers that have DNS proxies that are accessible to people on the Internet. 5.3 million of those routers were used to generate traffic used in DoS attacks. The conclusion drawn in the article, which I agree with, is that attackers are now paying attention to routers, DVRs, and other Internet-connected appliances as devices they can exploit for use in their attacks on other systems. This raises the question: do all these devices really need to be powered on and connected all the time, or should we just power them on and connect them when we need to use them?

50 Billion Devices Potentially Coming with IoT

Continuing to think about the IoT and security, I found more interesting material in another article I read in DARKReading titled “‘Thingularity’ Triggers Security Warnings”. This could be the preamble to the “Zombie” attack all the new YouTube videos are showing, but it is a different kind of Zombie. DARKReading says: “The Internet of Things is a security nightmare waiting to happen.” Cisco is the source for the prediction of 50 Billion different objects expected to be connected to the Internet by 2020. This will create an IoT with a potential market worth $19 trillion. DARKReading asks, “But at what cost?” “Thingularity” is the phrase used by some pundits to describe the current rush to connect everything to the Internet. Once these devices are connected, how will they be updated, patched and kept secure (will they just be Zombies)? If we think patching and securing desktop systems is hard, what about literally billions of devices under personal individual control, or indeed under no control and administration at all? The problem is not just software; what about the hardware? These devices will all be embedded in silicon, and a flaw in the silicon will be very difficult to fix in the field. By the way, the 50 Billion number does not include the 600 billion phones in the world.

We have a tremendous challenge for security coming around the bend.  It will involve embedded systems of all types, with sensors collecting all kinds of information and data. How will we control our privacy, and the security of assets in this new IoT world?