The widespread sharing of IoT malware is having a significant effect on the broader threat landscape, with source code and even tutorials now freely available on Darknet forums. For starters, the hacker economy is maturing – their communities have been growing for some time now. It’s little surprise to those of us in the security industry that forum and source sharing models have begun to develop, as has been seen in the open source communities.
The sharing and leveraging of open source code was inevitable, as people work together to accelerate and advance the quality and development of new features. As open source has been proven successful in the ‘clear’ world, replicating the success in the ‘dark’ world was to be expected at some point. It is yet another step in the development process of the black hat communities.
The Darknet has grown into a thriving and mature economy, with vendors doing research and developing new innovative tools, service providers offering Darknet hosting and XaaS, combined with a healthy customer ecosystem that can pay and (ab)use the services offered for differing motivations.
But now we are seeing tutorials being shared by forum members to grow their reputation and brand and get recognition from the community. The tag-line “only for educational purposes” gives them a sense of protection against liability from someone using their methods to perform bad things and getting caught in the process.
Unfortunately, I don’t think there is much that can be done to stop this. Forums may close sections or be taken offline completely, but you can expect the community to find alternatives and new forums to share their latest and greatest.
Another concerning evolution is how IoT hackers are leveraging security researchers’ hard work and their newly found and disclosed vulnerabilities. Some vendors are behaving irresponsibly by ignoring reported vulnerabilities. Take Pierre Kim, who fully disclosed no less than 10 0-day vulnerabilities in D-Link 850L routers. It’s the Persirai botnet all over again; anticipate finding Mirai-based botnets exploiting these vulnerabilities in the coming weeks and months.
The deplorable security posture of IoT devices such as IP cameras and DVRs provides easy victims. But the fault does not lie with the consumer or the end user: some of the devices do not even allow a user to change the factory default credentials through the admin GUI, or even allow the telnet service to be disabled.
Analysts expect up to 20 billion, some say 50 billion, smart devices to be connected by 2020. While consumers are not aware of the dangers of deploying the new smart technology that is invading their homes, they are exposing themselves to cyber-attacks and cyber ransom campaigns, while at the same time participating in large-scale DDoS attacks against online businesses and corporations.
What we are seeing today is the first generation of IoT botnets. As hackers start to harness the power of their botnets, we expect to see much more sophisticated attacks at high volumes: with access to larger botnets they are no longer limited to simple attack vectors and can launch very sophisticated attacks at high volumes.
But even when vendors are picking up on the reports and providing firmware updates, the question still remains how many users are actually updating their devices regularly and in a timely manner. Built-in security standards, and a change in buying behaviour from organisations and consumers against vendors that show irresponsible security behaviour, are the only things that might put an end to this growing threat from IoT.
The great work by security researchers in this field is an asset and should not become a liability. The research is done to improve the overall security and demonstrate the need for more attention to security by IoT vendors. Let’s not make this hard work only profit the bad guys!