The Economics Fueling IoT (In)security Attackers understand the profits that lie in the current lack of security. That must change.
2018 might be remembered as the year security truly made its entry into the minds of enterprise Internet of Things (IoT) users. As a consequence, device manufacturers have learned to appreciate the value that security brings to their brand and its impact on their sales, while customers — specifically, enterprise users — have started to use the power of their wallets to demand security be baked into the products they buy.
Earlier this year, Bain & Company reported that enterprise IoT customers would be willing to pay 22% more for and buy 70% more of IoT devices if security was better. For an industry valued at $157 billion just over a year ago, the economic growth that could follow improved security would be astronomical.
But it isn't only the manufacturers who see security as a key source of increased income; attackers have begun to understand the profits that lie in the current lack of security. Cybercriminals are noticing the security flaws in the ever-growing connected devices world that can lead to handsome profits.
Ransomware, the Proven Route
It seems every discussion about the profitability of cybercrime starts with ransomware, and with good reason. In the first half of 2018 alone, a total of 181.5 million traditional ransomware attacks took place. Furthermore, the average duration of an attack is now 23 days, leading most to believe the situation couldn't get much worse. However, IoT ransomware is only now starting to take flight, meaning that those numbers could still grow considerably.
IoT ransomware is different than its IT counterpart. While ransomware installed in a computer usually leverages the risk of data loss to compel victims to pay, most IoT devices upload their data to the cloud continuously, forcing attackers to rethink what will force the victim's hand. If past attacks are any reference, cybercriminals are learning that different devices require different approaches. For example, an attack on smart TVs can be performed at any time but has relatively low value, as seen by the late 2016 breach of LG TVs, in which victims were asked to pay $500 to free infected TVs. While an attack on a hotel should be done at peak season to maximize impact, such as in 2016 when an Austrian hotel paid 2 bitcoins to open its rooms' hacked smart locks.
Although ransomware has proven fairly profitable over time, it has multiple downsides. Two main things are that the attacker's malware is revealed upon performing the attack, making it difficult to replicate, and the uncertainty as to whether the victim will actually pay. As a result, we might be reaching the dawn of a new age, one of cryptocurrency miners aimed at IoT.
Miners leverage computers' processing power to mine for cryptocurrencies, so the more processing power, the more crypto that can be mined. As such, attackers prefer leveraging high-power devices such as computers, but they come with a higher risk of detection. IoT devices, on the other hand, usually lack user supervision for CPU usage, making them even better targets. In the first half of 2018, total cryptomining detected attacks grew to a reported 787,000 from only 74,547 in 2017's first half.
For enterprises and users, the damage done by a cryptocurrency mining malware comes from the additional energy consumption and devices' burnout, which reduces lifespan, leading to faster renewal cycles and increased costs. For cybercriminals though, the rewards can be incredibly high. Reports earlier this year estimated that a compromised device could generate $0.28 in Monero, a cryptocurrency, per day. Although this number might seem low, an attack such as the one on MikroTik routers from this past August, where over 200,000 routers were infected, could generate a tidy $56,000 per day. And with attacks going unnoticed, this healthy revenue stream could go on for days at a time.
Reducing IoT Cybercrime Profitability
Cybercriminals targeting IoT devices have begun to uncover the benefits described above, and that is before even discussing data theft, where something such as a single electronic medical record could be worth $1,000 in the black market. Ransomware, crypto-mining or data theft attacks are having greater repercussions for the victims and rewards for the attackers. And this might only be the beginning, as attackers find new creative ways to leverage the existing flaws for their personal gain.
To reduce IoT cybercrime, its profitability must be reduced as well. However, as the current landscape is proving, the solution doesn't lie at the enterprise or user level. It must lie with the manufacturers of the connected devices. Only when these manufacturers begin to build truly secure-by-design products that follow standardization guidelines and best practices, will we begin to see the trends reversed and cybercrime reduced.
Ariel Kriger joined VDOO from Palo Alto Networks, where he headed the global Channel G-T-M strategy and management for the company's entire emerging technologies portfolio. He previously led the global channels for Cyvera, which was acquired by Palo Alto Networks in April ... View Full Bio