Introduction - Hunt or Turkey Shoot?
We are continuing our “Hunt for IoT,” although we’re tempted to say it’s becoming more of a turkey shoot than a hunt as IoT security incidents are becoming so prevalent. This research rounds out our third year of looking at the attacker’s hunt for vulnerable IoT devices, and their continual expansion of IoT targeting. We have expanded our research beyond just tracking telnet attacks to now tracking attacks against more than 150 ports used by IoT devices. Because this sixth volume in our research series is significantly larger than previous ones, we are releasing our latest research efforts as a series of articles. In future articles, we’ll introduce you to more than two dozen new Internet of Things botnets (thingbots) that have been discovered since our last report; the attacks building these thingbots; and the networks the attacks are launched from.
This first article explores the effects of compromised IoT devices on individuals, organizations, and society itself. News headlines are already chock full of notices of breached computers and platforms. The effect of compromise amplifies once you consider that there are literally billions of IoT devices out there. You read that right: billions. In our Hunt for IoT Report Volume 4, we referenced analyst projections (see Figure 20) that estimated we were somewhere in the 8 billion deployed range, with a total eventual market of 1 trillion. And these estimates assume we haven’t hit 1% market adoption. We’re still in the early adopter phase, and yet we are already seeing devastating attacks from IoT botnets. Some that have been developed are capable of taking down the Internet.
According to DBS Bank, which looked at data from IoT research institutions, we will reach 100% market adoption over the next 10 years. 2019 is the tipping point1 between early adoption and the early majority, where sales and deployment of IoT devices take off at an exponential rate.
What is the Problem with IoT Security?
Security guru Dan Geer notes that the cybersecurity industry came of age with the introduction of Windows 95 and its built-in TCP/IP stack. Suddenly every home computer was on the Internet in a world “where every sociopath is your next-door neighbor.”2 These home computers were poorly administered by amateurs. At that point, malware and cybercrime became the Internet's fastest growing enterprise. Today, we are repeating that mistake with a global pandemic of compromised IoT devices. Specifically, the hockey-stick growth charts of cyber-mayhem look unnervingly similar to what we experienced 24 years ago with PCs.
To begin with, most IoT devices lack nearly all of the security features of a mature, robust, general-purpose home computer system. And that’s saying a lot, if you consider the “security features” of your average home computer. But IoT is even weaker. How weak? Well…
Most don’t have any automatic patching capability, much less a system to warn the operator of the need to patch. They use extremely poor authentication mechanisms—our IoT security is dependent on a telnet password of 12345. They usually don’t have forensic capability and, in many cases, not even logging functions. If they do, logging is lightweight or easily compromised by an attacker. Manufacturers rarely provide “secure” modes of operation or hardening procedures to lock down features. In fact, most IoT devices rarely offer any precautions to their users about placing these devices on the Internet, or warn that any dangers exist at all.3
The Monoculture Problem
Nearly all IoT operating systems are derived from Linux, because of its portability, speed, and open, free license. A decade ago, Linux malware was very rare. With the growth of IoT and Android, Linux malware is rivaling Windows malware in prevalence. And like the old worries about Windows, we have a serious “monoculture” problem. In agriculture, a monoculture refers to a single species of crop or livestock that is vulnerable to a single disease that could wipe out the entire population in a single pandemic. In 2003, security pundit Bruce Schneier noted, “The basic problem with a monoculture is that it's all vulnerable to the same attack.”4 A single IoT exploit or malware/thingbot is a weapon that can be used to attack thousands, if not millions, of IoT devices with a click of the mouse.
Lack of Security Tools
Since we just talked about the power and prevalence of IoT malware, we should mention that, if an attack were to strike, you don’t have much recourse except to reflash the software (assuming it’s possible and you can figure out how) or throw the device away. The anti-virus market for Linux-based systems, much less IoT devices, is not nearly as mature or sophisticated as the Windows market. Of course, anti-virus is highly unlikely to be installable on an IoT device. Because of the size and limited capability of these devices, there are no on-box security tools available for IoT devices. Those that are available mostly work off box, on the network to which the IoT device is connected, which provides significantly less visibility and control over the device itself.
Abundance of Long-lived, Unpatched Vulnerabilities
The average lifespan of a refrigerator is 17 years.5 Can you imagine how quickly a 17-year-old operating system would be hacked when connected to the open Internet? IoT devices may or may not have more vulnerabilities than any other nascent platform. But as we said, these devices are not only rarely patched and poorly managed, they are also ubiquitous and numerous.
Let’s look closer at the lifespan of an IoT vulnerability.
| Step | Parties involved | What happens | Magnitude | If not? |
|---|---|---|---|---|
| Blissful Ignorance Zone | | | | |
| 1. Discovering the IoT vulnerabilities | Researchers and attackers | Who finds these holes? Those incentivized to do so: security researchers and the attackers. | Likely a large number of disclosed and undisclosed vulnerabilities | Vulnerability remains undiscovered |
| 2. Disclosing the IoT vulnerabilities | Researchers and attackers | Attackers will not tell anyone about the holes they’re exploiting. Responsible security researchers will only tell the IoT manufacturers. | A subset of the previous | The vulnerability remains known only to the attacker community |
| Danger zone – Zero-day territory | | | | |
| 3. Accepting the vulnerability | IoT manufacturers and security researchers | Tell the manufacturer about the vuln… but can you find the right company? Does the company still exist? Will they listen to vuln reports? | A subset of the previous | The vulnerability is published as a zero-day in a free-for-all hacking extravaganza |
| 4. Publishing the IoT vulnerabilities | IoT manufacturers and security researchers | Does the IoT manufacturer even consider this a vuln? Are they willing to disclose? | A subset of the previous | The vulnerability remains hidden or is released as a zero-day |
| Extreme Danger Zone – Vulnerability known | | | | |
| 5. Creating the patches for the IoT vulnerabilities | IoT manufacturers | Is the IoT manufacturer willing and able to create a patch? | A subset of the previous | The vulnerability remains unpatched but now becomes widely known amongst attackers |
| 6. Awareness of the patch | IoT manufacturers and IoT owners | Does the IoT manufacturer have a mechanism to notify the owner? Are the IoT owners listening? | A subset of the previous | The vulnerability remains unpatched but now becomes widely known amongst attackers |
| 7. Applying the patches to the IoT vulnerabilities | IoT owners | Is the IoT owner capable of applying the patch correctly? Even at best, many organizations can only patch 1 in 10 holes. | A subset of the previous | The vulnerability remains unpatched but now becomes widely known amongst attackers |