Always-on IoT devices will create a hacker’s paradise

19 Aug 2015

Home routers and other similar internet-connected devices are easy access points for hackers

Behind the silver-lined clouds of opportunity posed by the internet of things (IoT) lurks the harsh reality that a large number of these IoT devices are vulnerable to hacker attacks, particularly distributed denial of service (DDoS) attacks.

Depending on who you talk to, by 2020 anything between 35bn and 50bn devices could be connected to the IoT.

A new report commissioned by Nexusguard and conducted by Cybersecurity Ventures warns that many IoT devices, especially routers, are likely to be targeted as a jumping-off point for hackers.

DDoS is often the first-wave attack by hackers, who use it to distract companies from more targeted intrusions. IoT devices can be exploited during software updates and used as proxy servers to launch attacks on businesses and extort cash.

“IoT brings new layers of interconnectedness and efficiency, but the risks cannot be ignored,” said Steve Morgan, CEO at Cybersecurity Ventures and editor-in-chief of the Cybersecurity Market Report and Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies.

Vulnerable routers will be the IoT’s Achilles heel

Routers are also being used in Simple Service Discovery Protocol (SSDP) reflection attacks, which target unpatched or un-patchable routers.

These SSDP attacks are especially dangerous because they can utilise vulnerable routers to amplify an attack beyond normal bandwidth limits while also hiding the original source of the attack.

“Home routers and other similar internet-connected devices are easy access points for hackers, who can use them to launch DDoS or set up proxies for internet fraud that can shut down ISPs or cripple a business,” said Terrence Gareau, chief scientist at Nexusguard.

“These attacks can be especially harmful to the providers of IoT services, for example if an alarm system is controlled by an app, the attack could completely shut down this capability, rendering the entire service unusable. We’re the dominant player in DDoS and IoT attack prevention and believe it is important to raise industry awareness about the persistent IoT threat.”

Cybersecurity Ventures predicts that, by the end of 2017, 20pc of businesses will use security services to protect IoT initiatives.

It says the multi-trillion dollar IoT market will increase security research and spending up to 2025.

Many of these devices will rely on shared libraries for firmware and, as older devices are no longer supported by manufacturers and patches and fixes cease, there will be increased opportunities for hackers.

According to Nexusguard, in the past seven days the company saw 64 internet-based scans for SSDP services.

In a recent attack, the company tracked 559 edge devices (devices that provide an entry point into enterprise or service provider core networks) that were being exploited, with more than half located in the US, China, Bulgaria and Russia.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years