For Cybercriminals, IoT Devices are Big Business, Part Two

In part one of this article, Anthony Giandomenico described how cybercrime has become not only a business, but a big business, designed to generate revenue with predesigned attacks focused on attack vectors that are easy to exploit: IoT devices.

Opportunity is also the land of innovation

Because cybercriminals are focusing more on attacks that target critical infrastructure based on new, interconnected technologies, they don’t have to spend enormous resources and development cycles on figuring out how to break into these systems using complex zero-day attacks. Instead, they can spend more of their resources on making their exploits more difficult to detect, more effective by introducing things like worm capabilities to spread infections further and faster, adding multivector capabilities in order to run exploits on a wider range of vulnerable systems, and developing intelligent, multilayered malware that provides a lot of options for stealing data or compromising systems.

The recent WannaCry and NotPetya ransomworm exploits were remarkable not only for how fast they spread, but also for their ability to target a wide range of infrastructures and industries. But the dirty little secret about these attacks is that they could have been entirely prevented if IT folks simply practiced good network hygiene. That’s because these attacks targeted a vulnerability for which a critical patch had already been issued months earlier. Most organizations that were spared from these attacks had one thing in common: They had simply applied the security patch from Microsoft when it was released.

Here at Fortinet, we refer to these sorts of attacks as “hot exploits.” Cybercriminals know from experience that many organizations simply don’t have the time, resources or initiative to patch vulnerable systems. So they build effective exploits and they wait. WannaCry proved that. And NotPetya proved that even after a large attack managed to exploit a well-known vulnerability, far too many organizations were still unlikely to patch their systems. Catch me once, shame on you. Catch me twice…

Our FortiGuard threat analysis team sees this all the time. Nearly every week we record several attacks successfully targeting vulnerabilities for which patches have been available for months — and often, even years. In fact, our latest quarterly threat report showed that the average age of a known vulnerability that is successfully targeted by an exploit because it wasn’t patched is five years. Seriously.

Everything is connected to everything

And now, as infrastructures becomes more interconnected and begin to adopt new, cutting-edge technologies, the risk is being compounded. Windmills and unpatched operating systems are just the tip of the iceberg. Smart cities are beginning to interconnect energy grids, traffic control, emergency response systems and other critical infrastructure resources and services into a giant, integrated web. Smart cars are run using onboard computers that are increasingly able to make split-second, autonomous decisions. But they are also soon going to connect your car to your financial system in order to automatically pay for things like fuel, tolls, onboard Wi-Fi and streaming entertainment. Smart buildings managed by huge property management conglomerates are being designed with automated heating and cooling systems, lighting, secure access doors and smart elevators that can recognize tenants and deliver them to the appropriate floor. And building supervisors will manage all of this remotely.

The list goes on and on: smart homes, smart appliances, interactive gaming and entertainment systems, online security systems and monitors, interactive and intelligent mall kiosks, online medical consultation and even surgery using remotely controlled tools are all either here now or just over the horizon.

Security isn’t just a good idea — it may soon be the law

Because many of these manufacturers have failed to implement necessary security into their devices, it’s like we have handed the cybercriminal community our ATM cards and PINs because they don’t have to figure out how to bypass security or crack open a hardened operating system. Instead, in the rush to push out new technologies to enterprises and consumers — and even critical infrastructure systems — with little to no security attached, that job has been done for them.

While security devices and strategies can go a long way towards protecting organizations and individuals, security developers can’t solve this problem alone. IoT manufacturers have a role to play, and unfortunately, many have traded responsibility for expediency. The clock is ticking, however. The next step will be to hold manufacturers accountable for selling solutions that can be easily exploited.

Recently, U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, introduced a new bipartisan bill known as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” This bill prescribes that devices purchased by the U.S. government must meet minimum security requirements, and that vendors who supply the U.S. government with IoT devices have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed and are free of known security vulnerabilities, as well as other basic security requirements.

California’s recent Senate Bill 327 would go much further by codifying the State of California’s ability to bring enforcement complaints against companies that do not build adequate security safeguards into their devices. This law has teeth, and because California is such a massive economy, its passage could significantly impact the entire IoT industry.

Such regulatory scrutiny and legislative action targeting the data security of IoT devices is likely to continue to grow, because the alternative is to continue to feed the growing cybercriminal economy. IoT device manufacturers need to prepare now to either develop security standards or conform to legislation in order to avoid massive market disruptions and consumer mutinies. Because the digital economy will continue to move forward, with or without them.

The original article was published in IoT Agenda and can be found here.