The motivation of hackers sometimes can be plain as day. Other times, not so much.
As attacks on Internet of Things (IoT) devices and deployments escalate, it is important to understand what these attackers are trying to accomplish. Understanding these motives, after all, can help us to pinpoint why a security vulnerability represents a risk, to prioritize mitigation and defenses, and to focus responses to attacks.
This analysis is especially important if you provide products and platforms to companies deploying IoT and need to ensure that your embedded system security is strong enough to protect your customers.
Every year Verizon publishes the highly informative Data Breach Investigations Report, a compilation of the characteristics and trends of cyberattacks and threats in the previous year.
In 2018’s edition, the 11th annual, Verizon’s researchers characterized the motivations of attackers and “threat actors” in these ways (where the motivations can be discerned):
- Financial gain is the dominant motivation of attackers.
- Espionage — such as obtaining corporate or government secrets for strategic advantage — ranks second highest as a motivation.
- Financial gain and espionage account for almost 90% of attack motivations. Other motivations — such as attacking a company because of a grudge, or simply for fun — are far down the scale in terms of motivations.
This seems pretty straightforward and intuitive. The majority of attacks, malware coding, and exploit attempts are likely to be geared toward making money.
But motivations for attacks might have multiple layers. Blindly assuming your system is safe because there is no obvious path to financial gain would miss the motivations behind some of the prevalent attacks against IoT and similar small smart devices.
After all, how can an attacker make money by taking control of a surveillance camera or a home appliance? As it turns out, there are plenty of ways.
Attack of the Botnets
The wave of botnet attacks involving compromised IoT devices is the poster child for the multi-layered attack motive.
The famous Mirai botnet attack was one of the first widely documented attacks against IoT devices. Two years after the attack took down much of the Internet, researchers are still analyzing Mirai and the copycat botnets it spawned.
As described in an excellent retrospective on Mirai in CSO, botnets are traditionally used by attackers to take control of poorly protected PCs and other systems. The “bot” malware code enables the attacker to use the PC remotely for a range of purposes, typically undetected by the device’s authorized user.
The individual compromised device becomes part of a large array of such compromised machines, enabling the attacker to harness distributed computing power to launch other attacks. These might be attacks such as Distributed Denial of Service (DDoS) attacks to take down web sites or deny access to other networked resources.
Mirai was the first high-profile example of such botnet malware being used to target IoT devices. Many copycat variants of Mirai followed and have played a big part in the industry’s move toward improving IoT security.
Layers of Motives
Mirai illustrates the multiple layers of motives that might mask a reason an attacker will go after your devices. The IP video surveillance camera you make probably seems like a trivial target for a hacker. How much damage could someone actually do if they got control of it?
But when that camera is compromised along with thousands of similar devices, it becomes part of an aggregated attack tool that can have devastating power. Mirai is blamed for an Internet outage that knocked millions of users and web sites offline.
But the motivation of the three young hackers who allegedly introduced Mirai was simply financial, according to reports. Their aim was to create a botnet that could be rented to players of the popular online game Minecraft, and those players could use the botnet to hamper the play of their opponents. In a later effort, the perpetrators allegedly attempted to harness the botnet for “click fraud,” creating fake clicks on advertisements to generate income.
So the infection of IoT devices with Mirai was simply a stepping-stone attack in a broader scheme.
While Mirai and how it came to be is still being dissected, researchers are warning that the next generation of IoT botnet is emerging.
Among the troubling revelations about Torii is the fact that it uses at least six ways to maintain its presence in an infected device, as reported by Dark Reading. That means that the traditional catch-all method of dealing with an IoT device infection — rebooting the device — supposedly will not work against Torii.
Enhancing Embedded Device Security
The lesson we should take away from Mirai and its variants is that any online system can be a target for an attacker who has a broader objective in mind beyond simply getting control of that system.
This means device hardening, secure boot and other IoT device security best practices are essential requirements, no matter how minor the device’s function may seem or how limited its processing power may be.
At Timesys, we help device manufacturers to implement embedded system IoT security using the industry’s best practices for designing and maintaining secure products.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.