Smart, but Not so Safe: IoT Devices & Cybercrime

The number of connected devices around the world is exploding, threatening security and privacy, according to the recent Microsoft Digital Defense Report. As you turn on your printer at home or smart lock on your car, you’re also opening yourself up to numerous risks – if not by design, then by virtue of the ease with which hackers can gain access via weak protocols and default passwords.

Reading Time: 5 minutes

iot devices cybercrime

Illustration: Milica Mijajlovic

What makes IoT devices vulnerable to cyber-attacks? 

The Internet of Things is the new frontier for hackers, who can use everything from printers to web cameras, climate control devices, and building access controls to cause chaos. Although IoT solutions are critical to many organizations’ operations, they can quickly become a liability and security risk. The rapid adoption of smart solutions in almost every industry has increased the number of attack vectors and the exposure risk of organizations. 

While IT hardware and software have become harder to hack over the years, the security of Internet of Things (IoT) and operational technology (OT) devices is lagging behind. Threat actors are taking advantage of this situation to establish access to networks and enable lateral movement, to establish a foothold in a supply chain, or to disrupt the target organization’s OT operations. 

According to the recent Microsoft Digital Defense Report, enterprises are aware of how IoT can improve their businesses, but are not quite sure how to secure them properly. 

image-1

While 68% of respondents believe the adoption of IoT/OT is critical to their strategic digital transformation, 60% recognize that IoT/OT security is one of the least secured aspects of the IT/ OT infrastructure.

Microsoft Digital Defense Report, 2022

While all organizations struggle with IoT and OT vulnerabilities, critical infrastructure faces an increased risk because threat actors have learned that disabling critical services is an efficient way to cause harm. The example of a ransomware attack on the Colonial Pipeline Company in 2021 proved that criminals are able to disrupt a critical service to increase the likelihood of a ransom payment. 

Furthermore, Russia’s cyber attacks against Ukraine are a clear example that certain nations, as a way of fulfilling military objectives, perceive cyberattacks against critical infrastructure as a legitimate option. 

The most prevalent IoT attacks 

Now, you may ask – How does someone know if a certain device is exposed? 

If a device is left exposed, anyone can find it by searching the internet for services listening on open network ports. These ports are commonly used for the remote management of devices. 

If an IoT device isn’t secured correctly, it can be used as a back door into the rest of your network. 

As Microsoft reports in its official annual report from 2022, attacks against common IoT protocols, such as Telnet, have dropped significantly, up to 60%. 

However, there are still reasons to be worried. 

The most prevalent IoT attacks are against: 

  1. 46% Remote management 
  2. 30% Web 
  3. 18% Databases 
  4. 4% Email 
  5. 1% Industrial control systems 
  6. 1% Other 

What’s common for all IoT vulnerabilities is that they’re highly elusive to identify. 

A common risk that is often overseen is firmware hacking within the supply chain. 

By that we mean that the vast majority of devices use software and hardware components from a wide range of sources, including open-source libraries. Device operators usually don’t have control over the hardware and software bill of materials to evaluate the supply chain risk of devices on their network. 

We’ve seen many consequences of this over the years. For example, millions of IoT devices were affected in June 2020, when vulnerabilities were disclosed in a networking stack used by many different manufacturers. 

In some instances, the device’s operating system was rebranded and there was no indication that the product was vulnerable. We see this trend growing into a threat as malicious actors target these supply chains to compromise organizations. 

Mirai as the most common IoT malware 

top iot malware

Over time, Mirai has become so sophisticated that it is now very efficient when it comes to infecting the most diverse IoT devices, such as security cameras or routers. It bypasses legacy security controls and poses a risk by exploiting additional vulnerabilities and moving laterally within the network. 

It’s evolved over time and is highly adaptable to different CPU architectures and is able to compromise new attack vectors by exploiting both known and zero-day vulnerabilities. 

In the last year, Mirai’s prevalence grew equally among 32- and 64-bit x86 CPU, providing nation-state and criminal groups with new capabilities. Now these groups are leveraging new variants of existing botnets in distributed denial-of-service (DDoS) attacks against foreign adversaries. 

Is there something we can do about it? 

Yes. 

These are actionable insights, recommended by Microsoft’s team: 

  • First and foremost, regularly upgrade devices by applying patches, changing default passwords, and default SSH ports. 
  • Another pretty simple step is to disconnect from networks and open ports that are unnecessary at the moment, block ports in order to restrict remote access, and, if applicable, use VPN. 
  • Use an IoT/OT-aware NDR solution to detect devices communicating with unfamiliar hosts and a SIEM/SOAR solution to monitor for anomalous or unauthorized behaviors. 
  • Even if the attacker does intrude, you can still prevent your assets from compromising by segmenting your network and limiting his ability to move laterally. On that note, good advice is to use firewalls to isolate corporate IT networks from IoT devices and OT networks. 
  • You shouldn’t leave ICS protocols directly exposed to the internet. 

Routers as easy targets of botnet attacks 

Botnets have made targeting IoT devices so much more powerful, at least in terms of the number of affected devices and how quickly the attack can be spread. This type of attack can usually happen if the router is unpatched and left exposed directly to the internet.  

That way, cyber attackers can gain access to the networks, execute malicious attacks, and even support their operations. Especially vulnerable attack vectors are routers since they are so widespread across internet-connected homes and organizations. 

We’ll present you with one case study on the subject, when the Trickbot trojan leveraged default passwords and vulnerabilities in MikroTik routers. This is an example of how attackers can abuse vulnerabilities in IoT device firmware to infiltrate a network and bypass corporate defense systems. 

How is it done? 

We’re gonna explain it step-by-step. 

  1. Attackers obtain credentials to IoT devices through brute force attacks, exploiting known vulnerabilities with readily available patches, or by using default passwords.
  2. After obtaining the credentials, they use the router to communicate with Trickbot infrastructure. 
  3. When they access the device, they can issue unique commands and redirect traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2.  

Here’s a visual representation of it: 

trickbot botnet attack

Crypto criminals abusing IoT devices 

The popularity of crypto is going from highs to lows, and so is the preference for Proof of Work (PoW) or Proof of Stake (PoS). Nonetheless, both require a decent amount of investment, whether in equipment or in crypto assets. 

However, with PoW, miners are required to invest in computational power and network resources (e.g. routers) to increase the probability of success. Still, it’s a time-consuming and resource-intensive process, and the probability isn’t even that high. 

So, what did the crypto criminals think of to improve their chances of mining a coin

To abuse routers for redirecting cryptocurrency mining efforts. 

image-1

Cybercriminals compromise routers connected to mining pools and redirect mining traffic to their associated IP addresses with DNS poisoning attacks, which alters the DNS settings of targeted devices. Affected routers register the wrong IP address to a given domain name, sending their mining resources (or hashes) to pools used by threat actors. These pools might mine anonymous coins associated with criminal activities or use legitimate hashes generated by miners to acquire a percentage of the coin that they mined, thus reaping the rewards.

Microsoft Digital Defense Report, 2022

If you’re more of a visual type of person, we’ve got you covered. 

crypto criminals iot

Policy developments in IoT device security 

For things to really change, it’s not enough for individuals or single organizations to implement security techniques for preventing IoT devices. It needs to be done nationwide, after consulting with experts in the field. 

And there are initiatives like this throughout the world. We’ll name a few. 

The European Commission proposed the Cyber Resilience Act, a law that would require standalone software and connected devices to be secure. Software vendors are advised to follow a secure software development lifecycle and provide a Software Bill of Materials with their products. 

The UK has drafted a Product Security and Telecommunications Infrastructure Bill that will make it illegal for manufacturers to use easy-to-crack default passwords on consumer-facing products such as smart TVs. The bill will also require companies to establish vulnerability disclosure policies and to provide details on the length of time they will offer security updates. 

internet of things

In the EU, new security standards are being implemented in the form of many laws and a delegated act to the Radio Equipment Directive that applies to wireless devices, including smartphones and some TVs. The law aims to protect consumers’ privacy and reduce the risk of monetary fraud. 

In addition, it might be required to use a cloud certification scheme, currently in development as a result of the 2019 EU Cybersecurity Act

A journalist by day and a podcaster by night. She's not writing to impress but to be understood.