IoT device security flaws are not new. Sophos has revealed that IoT device attacks will take off when criminals figure out how to monetize them – much like they have with their very lucrative ransomware scams – or align them to their goals. While there has not been any direct financial gain with this widespread attack, it does show you how powerful vulnerabilities in IoT devices are when in the wrong hands.
Until now, IoT devices have been protected by a lack of attacker interest. Clearly, this has changed. With the release of this malware code and its use in these recent attacks, cybercriminals have smelt the blood in the water and the sharks are circling. It’s possible an attack this large might have been used as a decoy to hide other attacks of a more financial nature. We haven’t seen evidence of this yet, but historically, cybercriminals have used DDoS to distract security teams while conducting other attacks with bigger financial motives. It could also have been plain old political hacktivism, cyber vandalism or some other fraud.
Sophos experts have been studying and reverse engineering IoT devices for years now, revealing how vulnerable they are to hacking and DDoS attacks. Many have asked why CCTV/DVR cameras represent the majority of devices used. These devices auto-negotiate to expose themselves to the Internet, so in many cases when consumers simply connect their camera to a network, it can be found online. Other devices are exposed and vulnerable in the same way, so this attack shows only the tip of the iceberg of potential devices cybercriminals could leverage for attacks.
We’ve also researched and demonstrated how IoT devices could be compromised and used to control other devices and proxy traffic (for example, for a DDoS) and, in some cases, used to access the user’s local network – which might allow cybercriminals to use IoT devices to attack laptops or desktops where more conventional fraud data resides.