
2016 cybercrime predictions - where are we now?

We are now halfway through the year, and this seems a good time to give an update on what we have seen so far against the series of predictions we made for 2016.
Derek Manky

Prediction #1: The rise of machine-to-machine attacks

The exponential increase of unmanaged 'headless devices' driven by the Internet of Things will make these types of devices a tempting target for hackers looking to secure a beachhead into more traditional devices and corporate infrastructures.

Evidence indicates that M2M attacks are on the rise, and that concerns about the security of IoT are well founded. Breaking into these devices is far too often not difficult, mostly because usernames, passwords and other security settings are still left at their factory defaults or are easily discoverable.

Known as the search engine for the IoT, Shodan allows users to search for specific types of computers, devices, and connected systems. It looks for systems that have specific open ports, such as FTP servers, web servers, video cameras, and other things. It also indexes systems with default passwords, including home routers. Using information from this site, we have been able to successfully hijack home surveillance systems and other devices from thousands of miles away.
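The two paragraphs above come down to a combination a defender can audit for directly: a device still on its factory login, reachable on a management port from the internet. The script below is an added example, not code from the original article or from Fortinet. The Device and Finding shapes, the default-credential table and the sample inventory are all constructed for illustration; a real audit would pull the inventory from asset management and the default pairs from vendor documentation.

```python
"""Default-credential and exposure audit over a device inventory.

Added example (not from the original article): flags devices that still
run on factory-default logins or expose a management service to the
internet, and escalates when both are true on the same device.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed vendor-default pairs for illustration, not a real vendor list.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", ""), ("root", "root"), ("admin", "1234")}

# Management services that should never be reachable from the internet.
RISKY_PUBLIC_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http admin UI", 554: "rtsp"}

MIN_PASSWORD_LEN = 12


@dataclass
class Device:
    name: str
    kind: str
    username: str
    password: str
    open_ports: set[int] = field(default_factory=set)
    internet_facing: bool = False


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str
    issue: str


def audit_device(dev: Device) -> list[Finding]:
    """Return the findings for one device (empty list means it passed)."""
    findings = []
    default_creds = (dev.username, dev.password) in KNOWN_DEFAULTS
    if default_creds:
        findings.append(Finding(dev.name, "high", "factory-default credentials still in use"))
    elif len(dev.password) < MIN_PASSWORD_LEN:
        findings.append(Finding(dev.name, "medium",
                                f"password shorter than {MIN_PASSWORD_LEN} characters"))

    # Only internet-facing devices are checked for exposed management ports.
    exposed = sorted(dev.open_ports & set(RISKY_PUBLIC_PORTS)) if dev.internet_facing else []
    for port in exposed:
        findings.append(Finding(dev.name, "high",
                                f"{RISKY_PUBLIC_PORTS[port]} (tcp/{port}) reachable from the internet"))

    # Default login plus an internet-reachable service is the pairing the
    # article describes; treat it as a separate, critical finding.
    if default_creds and exposed:
        findings.append(Finding(dev.name, "critical",
                                "default credentials on an internet-reachable management service"))
    return findings


def audit_inventory(devices: list[Device]) -> list[Finding]:
    return [f for d in devices for f in audit_device(d)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'critical': 1, 'high': 5, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory (hostnames, logins and ports are made up).
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", "ip-camera", "admin", "admin", {80, 554}, internet_facing=True),
    Device("router-home", "router", "admin", "", {23, 80}, internet_facing=False),
    Device("cam-yard-02", "ip-camera", "svc_cam", "Zq8!vN3pL0wR", {554}, internet_facing=True),
    Device("nas-office", "nas", "backup", "short1", {22}, internet_facing=False),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in sorted(results, key=lambda f: (f.device, f.severity)):
        print(f"{f.severity:8} {f.device:14} {f.issue}")
    print(summarize(results))
```

On the sample inventory the lobby camera produces the critical finding: it is the one device that is both on its factory login and reachable on its web and RTSP ports from outside.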

Regional trends show such information is used to ascertain not only whether a family is home, but also how far away they are and how long they are expected to be gone. That information is then relayed to burglars, who can safely break in because the monitoring app has been compromised. What also emerged is the hijacking of IoT devices for ransom. IoT devices allow ransom-based attacks to expand beyond traditional targets such as hospitals and police stations to individual users. We predict that we will soon see things like access to one's car, or even one's home, held for ransom.

Given the widespread nature of IoT vulnerabilities and the increasingly ubiquitous deployment of these devices, cyberterrorism is quite real.

Prediction #2: Headless worms target headless devices

The 'headless devices' driven by the IoT will also become a focus of worms and viruses that are designed to independently target and automatically propagate to other devices via trusted communication protocols. These viruses could be designed to cause the systematic failure of devices, and the damage would be far more substantial as the number of IoT devices grows into the billions.

Controlling swarms of dumb devices is the fantasy of botnet hackers. This past June a botnet was discovered that was powered by over 25,000 compromised CCTV devices located around the world. These IoT devices were then used to launch coordinated distributed denial-of-service (DDoS) attacks against websites. Analysis shows that these attacks were made possible by a headless worm exploiting a remote code execution flaw in surveillance cameras sold by more than 70 different vendors.

This example goes right to the heart of the IoT security problem. Far too often, the communications software and protocols used by IoT devices were never built with security in mind.


Prediction #3: Ghostware conceals indicators of compromise

As cybercriminals become the focus of investigation and prosecution in the criminal justice system, careful hackers will develop a new variant of malware that is designed to achieve its mission and then erase all traces before security measures can detect that a compromise has taken place.

In a blog post published 15 June, 2016, someone using the handle Guccifer 2.0 published hundreds of pages of documents that the author claimed were taken during a hack of servers owned by the US Democratic National Committee. What is interesting about this attack is that the original infection and its indicators of compromise were never seen or found. Information about the hack was not pieced together until a similar attack on a different group was caught.

These sorts of attacks go beyond prevention techniques and tools. Detection in real time is essential, and that requires an integrated security architecture that allows devices to share attack data in real time, correlate it into actionable threat intelligence, and coordinate a response that isolates the malware and identifies every instance of that attack deployed anywhere across the network.
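The correlation step in the paragraph above is the part that defeats trace-erasing malware: the endpoint may have cleaned up after itself, but the proxy and firewall still hold records that share an indicator with it. The script below is an added example, not code from the original article or from Fortinet. The three log excerpts are constructed, and the field names (sensor=, host=, src=, dst=, sha256=, path=) are assumptions about what an EDR agent, a web proxy and a firewall might emit. It seeds the investigation from one anti-forensic pattern (an executable deleted seconds after it ran) and then pivots across all three sensors on shared hashes and addresses.

```python
"""Cross-sensor correlation for a trace-erasing ('ghostware') intrusion.

Added example (not from the original article): parse constructed logs from
three sensors, find a self-erasing execution on an endpoint, and expand
that single alert into the full set of affected hosts and indicators.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs. Hostnames, hashes and addresses are made up;
# the addresses are documentation ranges, not real infrastructure.
EDR_LOG = r"""
2016-06-15T09:12:03Z sensor=edr host=ws-017 event=process_start sha256=deadbeef01 path="C:\Users\jdoe\AppData\Local\Temp\invoice.exe"
2016-06-15T09:12:09Z sensor=edr host=ws-017 event=file_delete path="C:\Users\jdoe\AppData\Local\Temp\invoice.exe"
2016-06-15T09:40:11Z sensor=edr host=ws-042 event=process_start sha256=cafe0002 path="C:\Program Files\Vendor\update.exe"
"""
PROXY_LOG = """
2016-06-15T09:11:58Z sensor=proxy src=ws-017 dst=203.0.113.10 url=http://203.0.113.10/inv/invoice.exe sha256=deadbeef01
2016-06-15T10:02:44Z sensor=proxy src=ws-103 dst=203.0.113.10 url=http://203.0.113.10/inv/invoice.exe sha256=deadbeef01
2016-06-15T10:30:00Z sensor=proxy src=ws-042 dst=198.51.100.7 url=http://198.51.100.7/update.bin sha256=cafe0002
"""
FIREWALL_LOG = """
2016-06-15T09:12:20Z sensor=fw action=allow src=ws-017 dst=203.0.113.10 dport=80
2016-06-15T11:05:13Z sensor=fw action=allow src=ws-220 dst=203.0.113.10 dport=443
2016-06-15T11:06:00Z sensor=fw action=allow src=ws-042 dst=192.0.2.9 dport=443
"""

# key=value tokens; quoted values may contain spaces (e.g. Windows paths).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: datetime
    sensor: str
    host: str
    fields: dict
    indicators: frozenset  # hashes and external addresses this event touched


def parse(log: str) -> list[Event]:
    """Turn one sensor's log text into Event records with a shared shape."""
    events = []
    for line in log.strip().splitlines():
        ts_text, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        host = fields.get("host") or fields.get("src")  # EDR uses host=, network sensors src=
        inds = {fields[k] for k in ("sha256", "dst") if k in fields}
        events.append(Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                            fields["sensor"], host, fields, frozenset(inds)))
    return events


def find_self_erasing_executions(events: list[Event],
                                 window: timedelta = timedelta(seconds=60)) -> list[Event]:
    """Seed alerts: a process start whose image is deleted on the same host shortly after."""
    starts = [e for e in events if e.sensor == "edr" and e.fields.get("event") == "process_start"]
    deletes = [e for e in events if e.sensor == "edr" and e.fields.get("event") == "file_delete"]
    seeds = []
    for s in starts:
        if any(d.host == s.host and d.fields.get("path") == s.fields.get("path")
               and timedelta(0) <= d.ts - s.ts <= window for d in deletes):
            seeds.append(s)
    return seeds


def correlate(events: list[Event], seed_indicators: set, max_hops: int = 3):
    """Expand a seed indicator set across every sensor, pivoting on shared indicators.

    Each hop adds the hosts of matching events and any new indicators those
    events carry (a hash leads to the download host's source address, the
    address leads to other hosts that contacted it, and so on).
    """
    indicators = set(seed_indicators)
    affected = set()
    for _ in range(max_hops):
        new = set()
        for e in events:
            if e.indicators & indicators:
                affected.add(e.host)
                new |= e.indicators - indicators
        if not new:
            break
        indicators |= new
    return affected, indicators


def investigate() -> dict:
    """Run the whole pipeline over the constructed logs and return the result."""
    events = parse(EDR_LOG) + parse(PROXY_LOG) + parse(FIREWALL_LOG)
    seeds = find_self_erasing_executions(events)
    seed_inds = set().union(*(s.indicators for s in seeds))
    affected, indicators = correlate(events, seed_inds)
    return {"seed_hosts": sorted(s.host for s in seeds),
            "affected": sorted(affected), "indicators": sorted(indicators)}


if __name__ == "__main__":
    print(investigate())
```

Pivoting only through indicators (never through a host's entire activity) keeps the expansion from pulling every site an infected workstation visited into the indicator set; on the sample logs the single EDR seed on ws-017 expands to three hosts, including ws-220, which never appears in the endpoint or proxy data at all.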

Prediction #4: Two-faced malware

Malware has continually evolved its features to avoid detection as security measures like sandboxing become more prevalent. As sandboxing becomes more resistant to these countermeasures, we anticipate the development of two-faced malware, designed to execute an innocent task to avoid detection and then execute a malicious process once it has cleared security checks.

While we haven't seen full-blown two-faced malware yet, we have seen its precursor: malware designed to look for and evade sandbox technologies. For example, we have recently seen new variants of the Locky ransomware that employ a new anti-sandbox technique. In these variants the malware code is encrypted to evade detection; Locky's loader then uses a seed parameter provided by its JavaScript downloader to decrypt the embedded malicious payload and execute it.

We have also seen a nearly 700% increase in infected mobile device applications in the past year. We expect to see additional development of evasion-based attack software over the coming months, eventually leading to the development of true two-faced malware.

About Derek Manky

Derek Manky is Global Security Strategist at Fortinet.