So far, we’ve seen IoT Distributed Denial-of-Service (DDoS) attacks on a Death Star scale. Even if your organization wasn’t a direct target of these giant barrages, many others were caught up as collateral damage because they ran services adjacent to, or dependent on, the direct target. Because of this, many organizations are preparing or strengthening their DDoS response plans.
In any case, it’s wise to assume that DDoS is just the opening salvo of what can come from millions of compromised IoT minions. In some ways, we’re back to the days of Windows 95, when millions of home machines came online and became ripe for hacking. Now we have malicious people with their hands on millions of compromised IoT devices and lots of bandwidth. Are we only going to see denial-of-service attacks? No. If history follows a similar course, what we’re seeing now is just the run-up, and a tsunami of trouble follows it.
Let’s first look at the DDoS itself. It loomed large in the early 2000s and has been a recurring threat to Internet-connected organizations ever since, surging and waning over the years as it found uses in political activism, extortion schemes, and even punitive responses from angry hackers. However, DDoS itself is a big dumb attack. It’s loud and draws attention to itself. Useful for protests and extortion, but generally not something greedy crooks like. As we’ve seen, there are a lot of greedy crooks online. Big noisy attacks draw attention, which means people will work to fix the problem, find the sources, and throw people in jail. (Anyone remember MafiaBoy and what happened to him?) Smooth criminals want to get in, get their loot, and be gone before you realize you’ve even been hit.
Over the decades, we’ve seen a shift in general cybercrime, from loud and annoying (recall the ILOVEYOU virus) to stealthy, laser-focused, and profitable. Overall, DDoS extortion is an inefficient way to make money. You have to use (and expose) all your bots once you’ve flipped the switch to attack. You can’t “go viral” and franchise the business. Soon, your victims develop countermeasures instead of paying you off. We have seen that cyber crooks are very good at optimizing their profits. Why should IoT threats be any different?
What can we expect from our IoT botnet miscreants? In the past, computer viruses began as self-propagating malware used primarily for vandalism. This quickly evolved into malware designed to make money: hacked boxes were put to work as spam relays, click-fraud engines, and data-theft platforms. Things evolved again into tiered malware that could be repurposed and rented out for a variety of nefarious uses. Next, the schemes were honed to extract more money in more efficient ways: bank credential theft, fake anti-virus, Bitcoin mining, and ransomware. Point-of-sale terminals were found to be juicy targets, and just as weak as IoT devices are now. Soon, large-scale theft of credit cards was happening.
Based on this, we need to expect similar monetized hacking to enter the world of IoT. We have already seen an IoT device being used for spam relay [1]. Not a hugely profitable endeavor, but millions of pennies per day add up quickly. IoT is also already in use for Bitcoin mining [2]. Compromised devices have also been reported supporting darknet infrastructure [3]. With this much bandwidth, organized cyber criminals could build their own Tor-like overlay network out of IoT devices, even further below the radar than today’s darknets.
IoT devices, especially ones sitting on home networks, are ideally poised for online advertising fraud and for sniffing login credentials. Moving up to the corporate level, there is a real threat to remote workers with compromised devices on their personal networks. A home-placed IoT device is in an ideal location for man-in-the-middle attacks: it shares a LAN with the laptop, so it can redirect the laptop’s traffic through itself to steal corporate credentials or silently copy data off the machine. We’re also seeing the rise of political hacking. IoT devices are excellent tools for spying, spreading fake news [4], or blasting the opposition’s sites offline.
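The man-in-the-middle scenario above is worth making concrete. On a home LAN the cheapest way for a compromised device to insert itself between a laptop and the router is ARP spoofing: it announces the router’s IP address with its own MAC address, and the laptop starts sending its traffic to the gadget. The detector below is an added example written for this article, not code from the original post or any product it mentions. It parses ARP replies from constructed log lines written in the style of `tcpdump -n arp` output, compares them against a trusted gateway binding, and flags one MAC address claiming several IP addresses. All IPs, MACs, and the baseline binding are assumptions made up for the example.

```python
"""Added example: spotting ARP-spoofing by a rogue device on a home LAN.

Log lines, addresses, and the gateway baseline are constructed for this
example; they are not data from the article.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class ArpReply(NamedTuple):
    ts: str   # timestamp as printed in the log
    ip: str   # IP address the reply claims to speak for
    mac: str  # MAC address the reply says that IP lives at (lower-cased)


# Matches lines of the form:
#   12:00:00.000001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 46
# Requests ("who-has ... tell ...") do not match and are ignored.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9a-fA-F:]{17})"
)

# Trusted binding for the home router, assumed to have been recorded while the
# network was known-good (e.g. a first-boot baseline). Hypothetical values.
KNOWN_BINDINGS: Dict[str, str] = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Constructed capture: router answers normally, then a camera-like device
# (de:ad:be:ef:00:77) starts claiming both the router's IP and the laptop's IP.
SAMPLE_TCPDUMP = """\
12:00:00.000001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 46
12:00:00.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000001 ARP, Reply 192.168.1.50 is-at 11:22:33:44:55:66, length 46
12:00:02.000001 ARP, Reply 192.168.1.77 is-at de:ad:be:ef:00:77, length 46
12:00:03.000001 ARP, Reply 192.168.1.1 is-at DE:AD:BE:EF:00:77, length 46
12:00:04.000001 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:77, length 46
"""


def parse_arp_replies(text: str) -> List[ArpReply]:
    """Extract ARP replies from tcpdump-style text, skipping everything else."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append(ArpReply(m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_spoof(replies: List[ArpReply], known: Dict[str, str]) -> List[str]:
    """Return alert strings for two ARP-spoofing symptoms.

    1. A reply binds a trusted IP (the gateway) to a MAC other than the baseline.
    2. One MAC claims more than one IP, which is what a device looks like when
       it impersonates the gateway and the victim at the same time.
    """
    alerts: List[str] = []
    ips_by_mac = defaultdict(set)
    for r in replies:
        ips_by_mac[r.mac].add(r.ip)
        expected = known.get(r.ip)
        if expected is not None and r.mac != expected.lower():
            alerts.append(
                f"{r.ts}: ARP reply says {r.ip} is at {r.mac}, "
                f"baseline says {expected.lower()}"
            )
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(
                f"MAC {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}"
            )
    return alerts


def analyze(text: str, known: Dict[str, str] = KNOWN_BINDINGS) -> List[str]:
    """Parse a capture and run both checks; returns the list of alerts."""
    return detect_arp_spoof(parse_arp_replies(text), known)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TCPDUMP):
        print(alert)
```

The baseline check is the one that matters for a remote worker: the gateway MAC should never change unless the router is replaced. The multiple-IP check catches the same attacker without a baseline, at the cost of false positives on hosts that legitimately hold several addresses (a router with a guest VLAN, a virtualization host), so in practice it should be scoped to the gateway and to addresses of interest rather than the whole LAN.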
Hackers recognize the value of an IoT botnet. We’ve already seen IoT malware that cripples or locks out rival variants so that its operator retains sole ownership of a device. This is common behavior in the usual world of general-purpose computing malware. Overall, it’s a strong sign that an IoT resource is worth owning and protecting. It might be worth more to the crook than to the physical owner.
So, yes, DDoS is just the beginning of the IoT crime wave. It’s a deep blue ocean of new market space. We need to be ready.