Why Enterprises Should Care about IoT Malware
According to Gartner, the number of worldwide Internet-connected devices will grow to 11.4 billion by 2018. That’s an enormous number of new devices on our networks—and many, perhaps the majority of them, are extremely vulnerable to IoT malware attacks.
Recently, self-propagating malware has infected IoT devices to create large-scale botnets that execute crippling distributed denial-of-service (DDoS) attacks. In October 2016, the Mirai botnet, consisting of nearly 150,000 compromised smart cameras, routers and other IoT devices, flooded the network of Dyn, a major DNS provider. The attack, described by The Guardian as the largest DDoS on record, brought down a multitude of sites across Europe and the United States. Even more significant, this was the first time compromised IoT devices were known to have carried out a large-scale attack.
Last year’s attack on the San Francisco Municipal Transportation Authority serves as another wake-up call for organizations to start taking IoT security seriously. Hackers planted malware that shut down all of the rail system’s payment terminals over the busy Thanksgiving weekend. The culprits demanded a ransom to unlock the terminals. Passengers received free train rides all weekend long, amounting to more than a million dollars in lost revenue to the city of San Francisco. The incident is yet another poignant reminder that malware-infected IoT gadgets pose a serious threat to businesses everywhere.
IoT Devices are Very Vulnerable to Malware
Why are these devices so vulnerable to malware infection? There are a number of reasons, but the primary one is that manufacturers have hastily created insecure products in their rush to benefit from the financial opportunities made abundant by inexpensive IoT technology. Under pressure to be competitive and bring products to market quickly, manufacturers have given security very little attention. As a result, IoT devices commonly suffer from:
- Weak authentication: Passwords and login credentials are frequently left at their defaults, many of which are weak and easily guessed. Some devices have a single, fixed password, or virtually no authentication requirements whatsoever.
- Numerous security vulnerabilities: In many cases, products are designed by engineers with very little security expertise. History has repeatedly shown that all code has vulnerabilities. Software that’s hastily developed, or produced under extreme budget pressure, has even more vulnerabilities.
- Limited upgrade capabilities: Inexpensive devices, like many IoT products, often have very low profit margins, which can make it difficult or even impossible for manufacturers to afford to update firmware or send security patches.
- Limited encryption: A significant percentage of IoT devices are completely devoid of encryption, whether for data in transit or at rest.
- Not on the security radar: Few IT security personnel spend any energy on the security of smart thermostats, security cameras, DVRs, vending machines, or other “gadgets” connected to the company’s network.
Lack of IoT Security Poses a Real Threat to Business
Unfortunately, the lack of security in most IoT devices creates a real threat to businesses today. Malware-infected smart gadgets are capable of inflicting harm in a number of ways, including the following:
- Denial of Service attacks against the organization’s own networks and assets (and the Internet at large).
- Ransomware attacks, achieved by directly shutting down services or propagating additional malware.
- Identity theft accomplished by packet capture, or by launching attacks on corporate data repositories.
- Account takeover by sniffing user logon credentials, particularly privileged accounts.
- Theft of intellectual property (IP) via packet sniffing or attacking other hosts and data repositories.
It’s time for enterprises to take IoT security seriously, and implement policies and tools to detect advanced malware that has already established, or is attempting to establish, a foothold in their organization. By investing a reasonable amount of time and effort to thwart IoT malware now, businesses will be much better prepared for the ever-increasing number of vulnerable devices that will surely be connecting to their networks.