Internet security has had a rough year. The Internet of Things (IoT) contributed to a DDoS attack that affected most of the internet. The biggest single ransomware attack crippled UK hospitals via IoT devices. Even toys fell victim to a database breach. What can we learn about internet security from these incidents?
Let’s start back in October 2016. The Mirai distributed denial of service (DDoS) attack that month, which caused a widespread slowdown of the internet, was the first major, widespread attack to utilize IoT devices. Many were webcams and CCTV cameras using a chipset made by the Chinese manufacturer Hangzhou Xiongmai Technology Co. (XM). The company recalled millions of devices, while suspecting only about 10,000 were vulnerable. The cameras, manufactured up to 2014, were infected by Mirai, malware that automatically scans for IoT devices and attempts to break into them.
Security analyst Brian Krebs noted one large problem with the devices: the password, “xc3511,” which all XM devices use by default, is hardcoded into the firmware. It still works even after the user changes the password, unless the user sends the device back as part of a recall.
Mirai was able to commandeer some 460,000 IoT devices, which then launched a DDoS attack on the DNS servers of Dyn, the “phone book” of the internet that translates domain names to IP addresses. This slowed or blocked access to major websites including PayPal, Twitter, Spotify, Reddit, and Netflix.
In short, a company didn’t update the firmware or software on its old chipset, leaving devices vulnerable to being conscripted into a botnet. This is not the last time an update will prove vital, as we’ll see later.
CloudPets, IoT stuffed animals from Spiral Toys, were hacked in February. The hackers leaked information from 800,000 user accounts. Rather than using malware, the hackers hardly had to do any work: the database used to store CloudPets accounts was not behind a firewall, nor was it password-protected. Account passwords were stored as hashes, but some were weak enough to be cracked by a competent hacker. The data was released in January, and the database was overwritten twice by hackers.
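As an added illustration (not code from the article or from XM), here is a simplified C firmware login check in both forms: the flawed pattern described above, where a factory credential compiled into the image keeps working after the owner sets a new password, and a hardened version that consults only the owner-set credential. The function names and the plaintext storage of the owner password are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: hypothetical firmware login checks.
   The owner-set password is kept as a plain string here to keep the
   example short; a real device would persist a salted hash in flash. */
#define USER_PW_MAX 64
static char g_owner_password[USER_PW_MAX] = "";

/* FLAWED: the factory credential is compiled in and accepted forever,
   so changing the owner password never closes this path. */
int login_with_factory_fallback(const char *supplied) {
    if (strcmp(supplied, "xc3511") == 0)   /* default credential from the article */
        return 1;
    return strcmp(supplied, g_owner_password) == 0;
}

/* Compare two strings without leaking where they differ via timing. */
static int const_time_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    size_t diff = la ^ lb;
    for (size_t i = 0; i < n; i++)
        diff |= (size_t)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* HARDENED: only the owner's credential is consulted, and a device
   with no password set refuses logins instead of falling back. */
int login_owner_only(const char *supplied) {
    if (g_owner_password[0] == '\0')
        return 0;
    return const_time_equal(supplied, g_owner_password);
}

/* Set the owner password, enforcing a minimum length and the buffer bound. */
int set_owner_password(const char *newpw) {
    size_t len = strlen(newpw);
    if (len < 8 || len >= USER_PW_MAX)
        return 0;
    memcpy(g_owner_password, newpw, len + 1);
    return 1;
}
```

The flawed version also accepts the factory credential on a device whose owner never set a password at all, which is exactly the state a mass scanner looks for.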
The account information being leaked wasn’t even the worst part. The stuffed animals themselves could be remotely hacked and turned into spy devices, or used to harass toddlers with audio output.
There are a few simple lessons here. First, go to the effort of encrypting databases, particularly those holding your users’ data. Second, if you have an IoT-enabled audio or video device, patch vulnerabilities. Maryville University noted that incidents involving IoT-enabled audio and video devices are on the rise — such as through the malware Meterpreter — and a hacked webcam could lead to a burglary while you are away from home.
NSA and EternalBlue
And then even more ransomware struck. Affecting more than 300,000 computers in 150 countries and compromising many hospitals via IoT devices, the WannaCry malware demanded between $300 and $600 to decrypt the files it had locked. If the hackers were not paid, the computer’s data would be deleted. While the Locky ransomware attack last year locked out patient records, WannaCry did not. It did, however, cause hospitals to cancel thousands of appointments.
Europe was targeted first, soon followed by Japan and China. Major corporations, including car manufacturers Nissan and Renault, were hit. It is the single largest ransomware attack to date.
WannaCry’s story started with an exploit kept secret by the NSA, known as EternalBlue. EternalBlue, which targets the Windows operating system, was stolen from the NSA and leaked by a group known only as The Shadow Brokers the month before the ransomware attack. Using EternalBlue, hackers created WannaCry. A month before the leak, however, in March 2017, Microsoft had already patched the vulnerability. The company then took an unprecedented step to stop the infection — the ransomware spread itself through networks of connected computers — by also patching Windows XP, which it no longer supports.
Possibilities for the Future
Extrapolating what all this could mean for the future, let’s revisit medical devices, specifically health trackers. With the use of health trackers on the rise, 96 percent of users believing health apps are improving their lives, and 55 percent of health professionals believing trackers can help even healthy users, they are a perfect target for ransomware. Ransomware could lock out a user’s information, with a few potential outcomes. If malware masks information, users could believe themselves to be perfectly healthy when in fact they are not.
Or, in the case of actual ransomware, their health statistics could be revealed to the world should they not pay. This could be catastrophic for the user, who at best suffers embarrassment and at worst has damaging information released, and it would also taint whichever company did not secure its devices.
Physical harm in their own home could be another side effect of malware on IoT devices. Imagine this scenario: using cheap software, a hacker scans unsecured home networks. He finds an IoT thermostat and, simply because he can, turns the heat to the maximum in the middle of summer. Even worse, the homeowner is on vacation, unable to save anything that could melt in the house. Via the thermostat’s phone app, the user is given the option to pay up or face astronomical energy bills when they return, plus the clean-up and the loss of the melted belongings.
Or worse, the heat is turned off in the dead of winter. When this actually happened it was a bug in the system, not malware, but hackers could in theory harness such a bug and use the cold for ransom. If anyone susceptible to the cold, such as the elderly or infants, is in the home, they could be put in serious danger.
But this narrative isn’t done yet. The user pays the ransom, grumbles, and heads to their car to go to work. Unfortunately for our hapless user, hackers can remotely hack internet-enabled cars. The autopilot function is hijacked, the doors are remotely locked, and the user is driven out of the city into the desert, then forced to pay for access to the steering wheel. While only 10 percent of cars were connected in 2013, estimates show about 90 percent will be connected by 2020.
The Business Side and Lessons Learned
On the business side, of 1,845 businesses polled by Cisco, 73 percent used IoT data to improve their business, and 46 percent used the data to help make decisions. Ransomware could hamper a business’s decision-making, or even lock a business out of its own devices. The losses from such an attack, whether in sales or stock, would be devastating. Or, if the information itself is what the company sells — take the information collected by Nest and sold to utility companies, for example — a large part of revenue could simply disappear.
There are two lessons here. First, keep backups of data segregated from your main servers, somewhere an intrusion will not be able to reach and encrypt. Using a third-party, offsite server can make data recovery easier in the event that a business is hit by ransomware: restore the backup over the encrypted data, and the problem is solved. This will be of little use if the business plans to sell the information or if the information is confidential, like medical or financial records, but for companies simply looking to make decisions based on the data, it can prevent a headache.
Second, companies should always be on the lookout for exploits that can be patched in their software or firmware. The NSA sat on EternalBlue for five years without telling Microsoft about the vulnerability, though it was there and ripe for exploiting. The CloudPets servers and toys were hardly secure; exploiting them was child’s play for a hacker.
Even as attacks by WannaCry and its successor, the NotPetya ransomware/data wiper, die down, researchers are finding a hidden cryptocurrency miner embedded in systems. NotPetya, which masquerades as ransomware while actually wiping hard drives, is still spreading. The spotlight is on internet security, proving that some lessons are learned the hard way.