The evolution of IoT threats, and drawing parallels with the conventional malware landscape

Ankit Anubhav, Principal Researcher, NewSky Security

Abstract Idea

When it comes to cybersecurity, one of the most widely agreed-upon opinions is that "change is the only constant". A cybersecurity issue usually begins with researchers discovering a method to compromise a technology, typically to raise awareness. Over time, the same technique is adopted by attackers (with the motivation to cause damage). To counter this, white-hat hackers and AV vendors develop countermeasures. From there the race is between attackers and defenders, where the more evolved side "wins". Such a scenario played out with Windows malware decades ago, and we now see a similar, still young, IoT cybersecurity space evolving rapidly.

"Intelligent Attack": going for the weakest link in a security chain

A brand-new IoT device may be threat-free and patched against known vulnerabilities, yet still carry an unchanged default password. Conversely, an older router may have a strong password but be unpatched and controllable through a known exploit. Rather than writing two separate pieces of malware, IoT threat authors have evolved toward a toolkit that combines different attack vectors, such as password brute-force attacks and exploitation of known vulnerabilities, so that whichever link is weakest gets attacked.

Mirai with three modules (will be discussed in detail)

We observed an evolved Mirai variant with three modules: a CVE-2014-8361 exploit, a TR-064 exploit, and a default-password attack. The malware first tries the easy way, taking control of the device with a table of known passwords. If that succeeds, it is done. If not, it attempts the two known exploits to gain control of the IoT device.

Knowledge is a double-edged sword, even for IoT: NbotLoader

Despite good intentions, any publicly disclosed IoT bug carries the risk of being used by an attacker for their own purposes. We observed that such known IoT bugs are polished in hacking forums and converted into working modules, as discovered in NBotLoader (will be discussed in detail). This module was later integrated into a well-known IoT botnet, QBot (will be discussed in detail).

Future Implications

We observed the first-ever evidence of attackers using an exploit against an IoT thermostat to raise the room temperature to an uncomfortably hot level. While such an exploit had been discovered earlier, we now see how easily it can fall into the wrong hands and turn theory into a scary reality (will be discussed in detail).

Solutions / Conclusion

The low-hanging fruit for IoT hardening is to abolish weak passwords, yet this remains an issue. Taking one router model as a case study, we used Shodan and observed that 48% of devices still had weak passwords. The situation was worst in the U.S. and Israel, with 97% and 88% of devices, respectively, using default passwords. We discuss solutions for IoT patching and how researchers can collaborate toward a safer IoT world.

Ankit Anubhav

Ankit focuses on making the Internet of Things safer by informing organizations about IoT security issues and tracking IoT threat actors to harvest intelligence. He takes both a red- and blue-team approach, finding exploitable flaws in IoT devices as well as tracking which flaws have already been weaponized by IoT attackers. His devices of interest include, but are not limited to, routers, printers, smart-home devices and security cameras. He presently works as a Principal Researcher at NewSky Security. Before moving to IoT security, he worked on threat hunting, evasion and static/behavior-based detection at FireEye and McAfee.