12/13/2018
10:30 AM
Ariel Kriger
The Economics Fueling IoT (In)security

Attackers understand the profits that lie in the current lack of security. That must change.

2018 might be remembered as the year security truly made its entry into the minds of enterprise Internet of Things (IoT) users. As a consequence, device manufacturers have learned to appreciate the value that security brings to their brand and its impact on their sales, while customers — specifically, enterprise users — have started to use the power of their wallets to demand security be baked into the products they buy.

Earlier this year, Bain & Company reported that enterprise IoT customers would be willing to pay 22% more for and buy 70% more of IoT devices if security was better. For an industry valued at $157 billion just over a year ago, the economic growth that could follow improved security would be astronomical.

But it isn't only the manufacturers who see security as a key source of increased income; attackers have begun to understand the profits that lie in the current lack of security. Cybercriminals are noticing the security flaws in the ever-growing connected devices world that can lead to handsome profits.

Ransomware, the Proven Route
It seems every discussion about the profitability of cybercrime starts with ransomware, and with good reason. In the first half of 2018 alone, a total of 181.5 million traditional ransomware attacks took place. Furthermore, the average duration of an attack is now 23 days, leading most to believe the situation couldn't get much worse. However, IoT ransomware is only now starting to take flight, meaning that those numbers could still grow considerably.

IoT ransomware is different than its IT counterpart. While ransomware installed in a computer usually leverages the risk of data loss to compel victims to pay, most IoT devices upload their data to the cloud continuously, forcing attackers to rethink what will force the victim's hand. If past attacks are any reference, cybercriminals are learning that different devices require different approaches. For example, an attack on smart TVs can be performed at any time but has relatively low value, as seen by the late 2016 breach of LG TVs, in which victims were asked to pay $500 to free infected TVs. By contrast, an attack on a hotel has the greatest impact at peak season, as in 2016 when an Austrian hotel paid 2 bitcoins to open its rooms' hacked smart locks.

Although ransomware has proven fairly profitable over time, it has multiple downsides. The two main ones are that the attacker's malware is revealed upon performing the attack, making it difficult to replicate, and that it is uncertain whether the victim will actually pay. As a result, we might be reaching the dawn of a new age, one of cryptocurrency miners aimed at IoT.

Cryptocurrency Mining
Miners leverage computers' processing power to mine for cryptocurrencies, so the more processing power, the more crypto that can be mined. As such, attackers prefer leveraging high-power devices such as computers, but they come with a higher risk of detection. IoT devices, on the other hand, usually lack user supervision for CPU usage, making them even better targets. In the first half of 2018, total detected cryptomining attacks grew to a reported 787,000 from only 74,547 in 2017's first half.

For enterprises and users, the damage done by cryptocurrency mining malware comes from the additional energy consumption and device burnout, which reduces lifespan, leading to faster renewal cycles and increased costs. For cybercriminals, though, the rewards can be incredibly high. Reports earlier this year estimated that a compromised device could generate $0.28 in Monero, a cryptocurrency, per day. Although this number might seem low, an attack such as the one on MikroTik routers from this past August, where over 200,000 routers were infected, could generate a tidy $56,000 per day. And with attacks going unnoticed, this healthy revenue stream could go on for days at a time.

Reducing IoT Cybercrime Profitability
Cybercriminals targeting IoT devices have begun to uncover the benefits described above, and that is before even discussing data theft, where something such as a single electronic medical record could be worth $1,000 on the black market. Ransomware, cryptomining, and data theft attacks are having greater repercussions for the victims and greater rewards for the attackers. And this might only be the beginning, as attackers find new creative ways to leverage the existing flaws for their personal gain.

To reduce IoT cybercrime, its profitability must be reduced as well. However, as the current landscape is proving, the solution doesn't lie at the enterprise or user level. It must lie with the manufacturers of the connected devices. Only when these manufacturers begin to build truly secure-by-design products that follow standardization guidelines and best practices will we begin to see the trends reversed and cybercrime reduced.

Ariel Kriger joined VDOO from Palo Alto Networks, where he headed the global Channel G-T-M strategy and management for the company's entire emerging technologies portfolio. He previously led the global channels for Cyvera, which was acquired by Palo Alto Networks in April ...
Comments
arielkriger,
User Rank: Author
12/19/2018 | 2:59:10 AM
Re: Profitability is Key
PxMx, thank you for sharing insights. I definitely agree with your assessment of the challenges given IoT devices' sheer volume. However, I don't believe the onus for providing security can or should be on the regulators and enterprises alone. For example, even if stricter regulations were to exist, even today, many of the manufacturers of IoT devices find it challenging to level up due to a lack of in-house knowledge and understanding of which regulations to favor/follow. And as you mention, organizations that use these devices are very limited in their ability to control the devices' security, because it is simply not enabled by design.

I strongly believe that the device manufacturers are best situated in the supply chain to own a large portion of the responsibility to solve this security challenge, and need to find the support (including through third parties) to develop more secure devices as well as look into ways to continue to protect them once deployed.
PxMx,
User Rank: Apprentice
12/18/2018 | 8:03:14 AM
Profitability is Key
Great summary of this problem space. Reducing profitability truly is key. However, given the size of IoT, and IoT is only just getting started, it will be a great challenge. I'm not one for more regulation, but given the size and potential impact of IoT, regulation may be appropriate. Specifically, regulation that requires products to meet secure design requirements before going to market. In addition, while enterprises may not be able to change the design of IoT solutions, in their environments they can take steps to increase the cost to attackers by effectively making their security programs more agile. Some examples: real-time monitoring for active defense, security instrumentation, and deception.