What Lures Cyber Criminals Towards the Internet of Things?

IoT is a term coined by John Chambers, Cisco’s CEO, which has become synonymous with a variety of products and devices like Smartwatches, smart home and smart metering devices, augmented reality devices, and the likes. There are currently 16.3 billion IoT connected devices which are said to exist globally, and by 2020, the number will spike to 28.1 billion.

How does this affect our cyber threat landscape? And by what means? What can past examples of IoT-caused threats teach us for the future, so that we can begin to understand the hacker’s mindset in planning these attacks?

The IoT Revolution

Bruce Schneier calls the IoT revolution that we’re witnessing a “world-sized robot”, which society is collectively building, without even realizing it’s doing so.

Schneier elaborates:

“With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”

We’ve put together a few examples to try and understand the extent to which the IoT revolution poses a risk to society.

1.  Augmented Reality → Remote Access Trojans

In mobile gaming, for example, augmented reality games are all the rage, such as the famed Pokemon Go which is now considered “the most popular augmented reality game yet created.”

But as many know from past experience, augmented reality is often an open invitation for cyber threats.

Remote Access

From the hacker’s perspective, unofficial app stores are a sound attack vector for hackers to gain full control over a victim’s phone. All they need to do, says Graham Cluley, is sneak their infected (unofficial) version of the app into the Google Play Store, which, as Cluley reminds us, “doesn’t have a spotless record when it comes to keeping malware out”.

This is the case with Pokemon Go, whose scam ‘wannabe’ app versions allow APKs that include remote access tools such as DroidJack (also known as SandroRAT) into the Google Play Store.

DroidJack is a malware that specifically targets Android users and once it’s installed, can access everything on the device.

Once the hacker gets this far on a victim’s Android phone, all of the user’s data can be accessed: email, contacts, photos, videos, text messages, or even the user’s device camera or microphone.

This task becomes even simpler when unofficial marketplaces for apps are used. We’ve been witnessing a lot of cases where this happens, especially when there’s a geographical restriction on the usage of certain apps (like Pokemon Go).

User Data → Company Data

Keep in mind that because the Pokemon Go app (along with many other apps out there) access the phone’s GPS, clock and camera along other data, it can also access Google’s location data.

By virtue of its use-case, Pokemon Go is “an app that is designed, from scratch, to track its users’ whereabouts and behavior”.

But the risks aren’t posed against the end users (players) alone; the game endangers companies all the same, even if they have no involvement or interest in the game itself. 

It goes without saying that if the phone also contains (or even accesses) sensitive corporate information at some stage, and not on a frequent/recurring basis, then the company lies at risk as well.

2. Critical Infrastructures → Data Exfiltration and Theft

Cyber attacks against critical infrastructures are not only referred to as “nightmare scenarios”, they’re also considered a matter of “when, and not if”.

Because critical infrastructures all depend on giant IT networks, that incorporate IoT devices,  they require cyber defenses that are just as powerful as they are large.

Just how big of an issue are we talking about? In 2015, the U.S Department of Homeland Security’s Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) responded to 295 cyber incidents (a 20% increase from the previous year).

Operation Dust Storm

A particularly notorious cyberattack on critical infrastructures was Operation Dust Storm, a multi-year, multi-attack campaign against companies in Japan, South Korea, the U.S. and Europe. Different targets included: electric utilities, oil and gas, finance, transportation and construction.

The attack began in 2010 (and continues to this day), when the criminal group began a series of attacks tactics to breach corporate networks and Android-based mobile devices. The attack methods included: spear phishing, waterholes, unique backdoors, zero-day variants, to name a few.

A true case study for a particularly gruesome example of the Cyber Kill Chain in its fullest sense, Operation Dust Storm teaches us the dire need to prevent materializing threats from their earliest stages of reconnaissance, to avoid being in a case of “too little too late”.

3. Smart Devices (i.e. Smart Fridge) → Man-in-the-Middle Attacks

An SSL vulnerability was recently found on a line of Samsung Smart Fridges, in a penetration test that was part of an IoT hacking challenge, at the recent DefCon “IoT Village” hacking conference.

Because the inter-connected fridge is programmed to download Gmail Calendar information to an on-screen display, it threatens the Google credentials of the smart fridge users.

(Background: the smart fridge runs Google calendar so that its users can manage and view events from the fridge screen).

For this particular smart device (Samsung’s RF28HMELBSR smart fridge), the weakness lies in its failure to validate SSL certificates — enabling man-in-the-middle attacks between the fridge and Google’s servers.

Because the Gmail calendars on the smart fridge are downloaded from Google’s server, it becomes a lucrative attack vector for attackers to gain user credentials.

During this specific series of penetration tests, other vulnerabilities were found as well: firmware attacks (a fake firmware update), TCP services and certificate challenges (found in the smart fridge’s mobile app code).

4. Webcams → Remote Access Trojans

(source: 9to5mac.com)

Be it the small cameras we have on our laptop screens, as in Zuckerberg’s case above or baby monitoring cameras getting hacked into (scary!), webcams are vulnerable to remote access hacks. These are often appealing to cyber criminals, as they can be an easy way to steal sensitive corporate data or even worse, spy on our kids.

Once threat actors manage to install a malware on a computer, they can turn on that computer’s camera and record or take a screenshot of what’s going on.

Well-known public figures, such as Mark Zuckerberg has each raised cyber awareness around the security threat behind webcams — In Zuckerberg’s case, he did so inadvertently — when posing for a picture that was taken in front of his desk, and his taped-over webcam and microphone appear (by coincidence) in the background. From there, further inquiries were made…

(source: hackread.com)

Unlike hacks that stem from geo-location data, this malware can also exist on URL links, and as soon as a user clicks on one, his computer is open to vulnerabilities galore.

In addition to spying on users, hackers can send malicious emails on behalf of the hacked computer owner, or launch a massive RAT attack to harm other computers on his behalf, too.

Most recently, a webcam hack sob story was suffered by none other than Russia’s Vladimir Putin, as part of the ongoing hacker blame game that’s being exchanged between Russia and the DNC as part of the U.S Presidential Election Campaign.

5. Commercial Aircrafts → DDoS and Botnets

The aviation industry is a well-known destination for cyber criminals, or in other words, “a privileged target for hackers that are interested in the intellectual property of many companies in the sector.”

But the reach of cyber attacks on airplanes are unprecedented; last year, a hacker hacked into the in-flight entertainment system on a United Airline’s aircraft, (and was able to do so 20 times during one flight), and overwrite the code on the plane’s “Thrust Management Computer” while it was in the air, allowing him to monitor traffic from the cockpit system. Finally, he issued a climb command and made the plane briefly change course — “and caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights”.

In other instances, hackers can flood flight management systems and control systems with a network of botnets, and cause the platform to crash.

At the end of the day, I don’t truly think that this is a dooms day scenario where all the IoT devices will gang up and get rid of us humans. However, the IoT revolution does certainly expose us to additional (substantial) risk we were not accustomed to several years ago. We should be aware of these risks and manage them accordingly.