How to protect your organization from IoT malware | TechTarget

Why IoT devices are susceptible to malware

An IoT device is categorized as any nonstandard computing device. They can be consumer products, among them smart TVs and wearables, or they can be industrial, such as control systems, surveillance cameras, asset trackers or medical devices. Regardless of their focus, IoT devices have changed the way the world works and lives.

Thousands of different types of IoT devices exist, but they all share the ability to connect to a network. Connectivity enables these devices to be controlled remotely and enables their data to be accessed and collected.

Despite their many benefits, the data they generate, collect and share, as well as the operations they perform, make IoT devices extremely attractive to malicious hackers. The fact they are connected to a network leaves them open to being attacked remotely, and their form factors mean they lack the necessary built-in security to protect themselves from threats and exploitation.

IoT weaknesses and vulnerabilities

According to Bitdefender's 2023 IoT Security Landscape Report, homes in the United States have an average of 46 devices connected to the internet and experience an average of eight attacks against those devices every 24 hours. And that's just consumer IoT devices.

Nozomi Networks' distributed IoT honeypots witnessed between hundreds and thousands of unique attacker IP addresses daily during August 2023.

IoT attacks aim to gain control of the device, steal or erase sensitive data, or recruit it into a botnet. Successful attacks -- particularly if lodged against connected devices running critical infrastructure or medical systems -- can result in severe physical ramifications.

The following security issues make IoT devices susceptible to malware:

• Device constraints. Most IoT devices are designed with minimal hardware and software capabilities sufficient to perform their tasks. This leaves little capacity for comprehensive security mechanisms or data protection, making them more vulnerable to attacks.
• Hardcoded and default passwords. Hardcoded and default passwords give attackers employing brute-force tactics a strong chance of cracking a device's authentication. The HEH botnet, for example, infects devices using hardcoded credentials and brute-forced passwords.
• Lack of encryption. Data stored or transmitted in plaintext is vulnerable to eavesdropping, corruption and hijacking. Important telemetry information sent from an IoT device, for example, could be manipulated to provide erroneous results.
• Vulnerable components. The use of common hardware components means anyone with knowledge of electronic circuit boards and communication protocols, such as Universal Asynchronous Receiver/Transmitter and Inter-Integrated Circuit, can take a device apart and look for hardware vulnerabilities.
• Device diversity. Compared to desktops, laptops and mobile phones, IoT devices vary significantly in form factor and OS. The same is true of the network technologies and protocols IoT devices employ. This diversity requires more complex security measures and controls to provide a standard level of protection.
• Lack of audit capabilities. Attackers compromise and exploit IoT devices without fear of their activities being recorded or detected. Infected devices might not show any noticeable degradation in their performance or service.
• Poor update mechanisms. Many devices lack the ability to update firmware or software securely. This shortfall requires companies to commit significant resources to keep IoT devices protected against new vulnerabilities, leaving many devices exposed. In addition, IoT devices usually have long deployments, so it becomes increasingly difficult to secure them against new attack models.
• Lack of security awareness. Organizations often deploy IoT devices without fully understanding their weaknesses and the impact they have on overall network security. Likewise, most consumers lack the knowledge to change default passwords and settings before they connect a new device to the internet, making the gadget an easy target for attackers.

IoT malware and attacks

IoT devices can be involved in any number of cybersecurity breaches and malware infections, and their effects can be immediate, cascading and cause major disruptions. Attacks include botnets, ransomware, destructionware and rogue devices.

• IoT botnets. Botnet malware is often open source and freely available on underground forums. It is designed to infect and control as many devices as possible while at the same time blocking other botnet malware from taking control of the device. Due to their poor security, IoT devices enable threat actors to recruit them as bots and create enormous botnets to launch devastating DDoS attacks. In fact, according to the 2023 Nokia Threat Intelligence Report, IoT botnets generate more than 40% of all DDoS traffic today, a fivefold increase over the past year. The first major IoT botnet attack came in 2016 Mirai botnet attack. More than 600,000 IoT devices were infected, including CCTV cameras and household routers. Several major websites were knocked offline for hours. IoT botnets can launch other attacks, including brute-force attacks, phishing attacks and spam campaigns.
• Ransomware. Although plenty of IoT devices don't store valuable data locally, they can still fall victim to a ransomware attack. IoT ransomware locks a device's functionality, freezing smart devices and shutting down business operations or critical infrastructure. FLocker and El Gato ransomware, for example, target mobile phones, tablets and smart TVs, with attackers demanding payment before unlocking infected devices. While it might be possible to just reset infected IoT devices, doing this to hundreds or thousands of devices before a major situation unfolds gives the attacker a lot of leverage. A ransomware attack at the right time or place gives the victim little or no option but to pay the ransom.
• Destructionware. This is a made-up term, but it captures the intent of this IoT malware. Destructionware is an attack designed to cripple infrastructure for political, ideological or simply malicious purposes. Case in point: The 2015 attack against Ukraine's power grid. The sophisticated and well-planned attack took down an entire power grid; it was months before operations were fully restored. Part of the attack involved overwriting the firmware on critical serial-to-Ethernet converters, keeping genuine operators from being able to issue remote controls. The infected devices had to be replaced by new ones. A similar attack occurred in 2022.
• Rogue devices. Instead of trying to take control of IoT devices, many cybercriminals simply connect a rogue device to the IoT network if it is not fully protected. This creates an access point from which the attacker can pivot further into the network.

How to detect IoT malware attacks

IoT devices are now essential components of virtually every major industry. Security teams must understand the complex risk factors specific to their deployment and use. IoT malware detection techniques, however, are very much still a work in progress. For example, standard onboard dynamic and static analysis techniques are not possible due to the diverse architectures and resource constraints of IoT devices.

The best approach to detecting IoT malware is a central monitoring system that combs through device activities, such as network traffic, resource consumption and users' interactions, and then uses AI to generate behavioral profiles. These profiles can help detect any deviations stemming from cyber attacks or malicious software modifications, regardless of the type of device. Devices that generate or handle confidential data should use a decentralized federated learning model to ensure data privacy while the models are being trained.

Future IoT detection methods could include electromagnetic signal analysis. Security researchers working at IRISA, for example, identified malware running on a Raspberry Pi device with 98% accuracy by analyzing electromagnetic activity. A big advantage of this technique is that it can't be detected, blocked or evaded by any malware.

How to prevent IoT malware

Until there is a viable and effective method to quickly detect and block malware, the best approach is to ensure devices are fully protected before and during deployment.

Take the following steps:

• Enable strong authorization. Always change default passwords. Where possible, use multifactor authentication.
• Use always-on encryption. Encrypt all data and network communication channels at all times.
• Disable unnecessary features. If certain features aren't used -- for example, Bluetooth if the device communicates via Wi-Fi -- disable them to reduce the attack surface.
• Apply patches and updates. As with all other network assets, keep all IoT applications and devices up to date, particularly firmware. This could be problematic for older devices that cannot be patched. If upgrading isn't possible, place devices on a separate network so they don't put other devices at risk. Gateway appliances can help protect these types of devices from being discovered and attacked.
• Secure APIs. APIs are an important part of the IoT ecosystem. They provide an interface between the devices and back-end systems. As a result, stress test all APIs used by IoT devices and check them to ensure only authorized devices can communicate via them.
• Maintain a comprehensive asset inventory. Add every IoT device to an inventory management tool. Record ID, location, service history and other important metrics. This improves visibility into the IoT ecosystem, helps security teams identify rogue devices connecting to the network and flags abnormal traffic patterns that could indicate an attack in progress. Network discovery tools can also help teams keep on top of large and rapidly expanding IoT networks.
• Implement strong network security. Segregate all networks IoT devices connect to and deploy dedicated perimeter defenses.
• Monitor IoT back-end applications. Set alerts to warn of unusual activity and regularly scan for vulnerabilities.
• Be proactive with security. Implement mitigations when new attack methods or malware are discovered. Stay abreast of developments in the IoT threat landscape. Put a well-rehearsed plan in place to detect and respond to ransomware and DDoS attacks.
• Establish work-from-home policies. As more people connect consumer IoT devices to their home networks, employees who work from home must strictly follow policies that govern how they access corporate networks and resources. Smart home devices might also have weak security, opening the risk that an attacker could create an entry point into a company's network. Make employees aware of the security risks their smart devices create and how to ensure they are safe from attacks.
• Put a bug bounty program in place. Offer rewards to ethical hackers who successfully discover and report a vulnerability or bug within the IoT ecosystem's hardware or software.

The future of IoT attacks

Establishing a plan to mitigate IoT malware vulnerabilities and determining how to counter IoT attacks is a priority for all organizations. The frequency of IoT attacks will only increase as the world becomes increasingly reliant on smart technologies.

IoT ecosystems are naturally complex with a large attack surface; malicious hackers rightly view IoT devices as low-hanging fruit. The lack of globally accepted IoT security standards makes keeping IoT devices secure much more challenging. Initiatives, such as those from NIST, ENISA, the European Telecommunications Standards Institute and the ioXt Alliance, will lead to greatly improved built-in security for future IoT devices. The EU's Cyber Resilience Act, meantime, aims to ensure manufacturers improve the security of their digital devices.

Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.