Internet of Things devices including routers, IP cameras and even smart locks and connected doors are being targeted by cyber criminals who are looking to exploit them as a gateway for hacking and other cyber attacks, the FBI has warned.
An alert from the FBI details the dangers of unsecured smart devices and how they can be abused by attackers, particularly when it comes to accessing them as part of criminal campaigns and as a means of remaining anonymous while doing so.
The latter is particularly useful for foreign hackers, who can use the hijacked devices to hide where they’re really attacking from – or that the attack is happening at all.
“Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic,” said the alert.
IoT devices make easy targets for attackers because many are still shipped with poor security, often enabling attackers to gain access with default usernames and passwords, or by using brute-force attacks to guess passwords – and that’s if the devices even have authentication processes in the first place.
When security loopholes are uncovered in IoT devices, some vendors will push out firmware and software updates in order to prevent vulnerabilities being exploited – but given how many smart devices are connected to the internet and then forgotten about, it’s not guaranteed that users will apply the patches required to protect them from attacks.
In the worst-case scenario, some vendors have been known not to act on security vulnerabilities that have been uncovered, carrying on as if nothing happened.
Some of the malicious activities the FBI warns compromised IoT devices can be used for include sending spam emails, hiding network traffic, generating ad-revenue click fraud, and carrying out credential-stuffing attacks that use the compromised device as an entry point onto a wider network.
IoT botnets can also be sold or leased for financial gain and their power leveraged for DDoS attacks – as demonstrated by the Mirai botnet which slowed down or took down large sections of the internet in late 2016.
To ensure IoT devices can’t be abused by attackers, the FBI recommends rebooting smart products regularly, because “most malware is stored in memory and removed upon a device reboot”.
Users are also told to change default usernames and passwords, ensure patches are applied when issued and, if necessary, keep connected devices on a segmented network. The Bureau has also provided a link to US-CERT security tips on securing the Internet of Things.
The growth of the Internet of Things, while providing legitimate benefits to consumers and businesses, remains an ongoing issue for cyber security and the United States isn’t the only government which has examined the potential risks.
The UK government is looking into security rules for IoT products, while ENISA, the European Union’s cybersecurity agency, is also working towards legislation around securing the Internet of Things.