The Russian Government Hacking IoT Devices… Again
A recent Forbes article reports that the Russian Federal Security Service (FSB), is using an external contractor to develop exploits and attack tools that target IoT (Internet of Things) devices such as NVRs (network video recorders) and internet protocol (IP) cameras.
IoT devices are becoming exponentially popular, and have been on the security spotlight many times due to their inherent insecurity, which exposes them to various cyber risks. Does this new report come as a surprise to anyone? Given the mass, attractiveness and low security of IoT devices, it’s only obvious that actors such as the Russian government would target them.
What Do Cyber Attackers Look For In IoT Devices?
In order to truly understand the dynamics of the IoT security problem, we must first understand:
What do cyber attackers look for in IoT devices? Why are they valuable for cyber attackers?
Why are IoT devices not secure? Why can’t device manufacturers just “make them secure”?
IoT devices are everywhere. They record videos, they measure and sense the surrounding physical environment, they manage industrial processes, they manage processes in commercial buildings and they’re even found in your own home.
What Do Cyber Attackers Look To Achieve By Hacking IoT Devices?
IoT devices that are used in an enterprise may be targeted by cyber attackers in order to achieve goals such as:
Attacking Other Devices – Even if the exploited IoT devices are not valuable to the attackers by themselves, in many cases they are connected to a network, directly or indirectly. This network might contain something that the cyber attacker is after. In this case, the IoT devices provide an easy access vector to the other resources.
Persistency – computers, and servers connected to enterprise networks are regularly monitored by endpoint security products, which are updated regularly and therefore likely to eventually detect and remove malware installed on these systems. IoT devices, however, in most cases are not protected by such security solutions. IoT devices, therefore, allow attackers to remain persistent for long periods of time and allow them to regain access to the network even if their malicious agents installed on traditional systems are eliminated.
Ransomware – If certain IoT devices are used in important business processes, businesses will pay substantial sums of money in order to regain access to the devices and to the information stored on them. For example, the SCADAfence Incident Response team has responded to a ransomware attack on a video surveillance network, in which all cameras have been disabled.
Process Manipulation – If the IoT devices are part of a business process, they can be sabotaged to cause damage or to achieve some other creative outcome. For example, hackers have locked hotel guests outside their rooms in an attack on a building management system.
Botnet/DDoS – As in the case of the Mirai malware, IoT devices can be used to perform DDoS attacks on other targets.
Leak Data – If the devices have access to valuable information, such as credit card readers, security cameras, VOIP phones, printers, and others, gaining access to them allows the cyber attackers to collect that information and leak it as they please.
Why Are IoT Devices Not Secure?
There are many reasons why IoT devices are not secure.
The main reasons are:
Market Maturity – While the issue of IoT devices’ security has only become a considerable problem recently, IoT devices have already been in use for many years, with many large scale deployments already in place. Achieving inherent security requires radical changes to the entire ecosystem, which has taken years to decades in the case of PCs and servers, and are likely to require a similar time scale in the case of IoT devices. It is bound to happen eventually, but we still have a long way to go.
The people who purchase and install IoT devices in organizations have limited awareness and understanding of the risks. Enterprises have yet to evolve to include the right processes and procedures in purchasing, installation and maintenance which are necessary to achieve adequate security. Many IoT vendors also have a limited understanding of security. Many of them are trying to improve their security, but are struggling due to lack of knowledge and experience.
Unmanaged – According to Gartner, “IoT Manageability is a throwback to IT of 20 years ago”. In comparison to servers, PCs or cloud instances, IoT devices are either unmanaged or have a very limited support for centralized management. When something is unmanaged, there is hardly any way to control and standardize policies across all devices, which in turn increases the risk without the knowledge of the enterprise.
Inherent Insecurity – Many IoT devices contain vulnerabilities in their built-in firmware, which in many cases the vendor doesn’t provide a patch for, or that the end-users can’t apply at scale. In many cases, the end-users are not even aware that they have a vulnerable device.
Diversity – IoT devices are far from being identical – There are thousands of different products with different kinds of hardware, from CPUs to chipsets, as well as different firmware and different underlying operating systems since requirements are different for each device. It is therefore hard to find one solution to fit them all.
Cloud-Connectivity – Many IoT devices have an optional or mandatory cloud connection, which creates an additional attack vector.
Price & User Friendliness –Secure products tend to be more expensive because they’re more difficult to develop and support. Secure products can be more difficult to install and maintain, and many features present a tradeoff between security and user-friendliness.
The IoT security problem is increasing exponentially: New devices are rapidly installed, and existing devices and configurations are found to be vulnerable, with limited ability to reduce the risk.
The current market dynamic dictates that actors such as crime organizations and intelligence agencies (the FSB in this case) will continue using the issue of IoT security to their advantage. By addressing the security challenges, we’re able to change the cost-benefit balance of these criminal/intelligence organizations, and make IoT devices less attractive to them.
SCADAfence, who has changed the OT Security market with state of the art technology, has yet again, created a ground-breaking security solution for IoT Security, which includes the orchestration and management of all IoT devices in the network. SCADAfence uses a unique and innovative technology that has yet to be seen in the security world that was specifically built to solve the most difficult problems in the IoT world.