By Michal Sal

Two U.S. senators, Mark Warner (R-Va.) and Cory Gardner (D-Colo.), just debuted a measure known as the Internet of Things Cybersecurity Improvement Act of 2017 that aims to “provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.”

It’s telling that two politicians would take an interest in IoT hacking, which can include breaches of everything from IP cameras to fitness watches to thermostats. While such devices are designed to make our lives more convenient, the senators and a growing number of people are beginning to wonder: what happens when they turn bad? These seemingly innocent devices, which many of us have welcomed into our lives, can be unwillingly infected or hacked and thus join the dark side.

Robot + network = botnet attack

IoT devices can be forced to become bots that blindly follow commands to commit crimes as part of a botnet attack. A network of hacked devices, botnets are like zombie armies that perform tasks like carrying out DDoS attacks, Bitcoin mining and spreading spam emails. Pretty much any device connected to the internet can be infected and become part of a botnet. Hackers often recruit IoT devices to become bots because they frequently have weak security.

At the moment, cybercriminals mostly use botnets to carry out DDoS attacks and to mine for cryptocurrencies (which we have even seen run on DVRs), but they are capable of making hundreds of thousands of IoT devices do much more. Botnet attacks can send spam messages, ranging from phishing emails that contain malware that can lead to password or financial theft, to pump and dump schemes advertising stock from targeted companies. Botnets can also carry out click-jacking campaigns, distribute fake advertisements, and even worse, infect other IoT devices.

Dark things hide in dark places

You can find botnet attacks and other IoT hacking tools on darknet marketplaces. They are available to rent, or botnet source code can be purchased or even be had for free, such as with the Mirai botnet. The price tag for botnets for sale ranges from tens and hundreds of dollars per botnet, depending on the type of service, the amount of bots and devices available to use and, in the case of DDoS, the strength and duration of the attack.

[IoT Security Summit, co-located with Blockchain360 and Cloud Security Summit, explores how industry-wide security, privacy and trust can be established to unlock the full potential of IoT. Get your ticket now.]

Thanks to the competitive nature of the darknet, some botnets compete against one another. If an IoT device is already infected, another botnet can attempt to replace the infection with its code and in some cases also “repair” the security vulnerability used by the previous botnet to prevent re-infection and persist its position on the vulnerable device.

IoT devices turning bad can affect any of us

At the moment, IoT devices performing tasks as a botnet may not seem too critical, but what can happen if cybercriminals decide to go a step further?

We already know that it is possible to infect entire IoT networks by first infecting a single device. Proof-of-concept attacks demonstrate that this approach works. In one example, researchers modified the firmware of a smart light bulb and then altered the firmware of neighboring bulbs. In another example, researcher Cesar Cerrudo proved that he could hack a vehicle traffic control system to change traffic flow. In his 2015 Defcon presentation, Cesar explained that he could infect traffic sensors located in streets with a firmware update worm, which could then further infect other sensors.

These proof-of-concept attacks may seem innocent until we consider that smart cities in development now aim to be thoroughly connected in a few years. If these IoT devices and systems aren’t properly secured, hackers, nation states and even terrorists could gain control of them and cause complete chaos in cities, by controlling all the lights or traffic flow, just to name two examples.

In addition to IoT devices being hacked to carry out attacks on cities, we could see IoT devices be the next targets for ransomware attacks. When ransomware infected the computer system of an Austrian Hotel in February, guests were locked out of their rooms. The hackers behind the attack infected the same computer system also used to program electronic key cards for the hotel. It’s likely we’ll see other similar attacks that could target everything from high-profile individuals to industrial facilities to your smart thermostat. If your thermostat was infected with ransomware in the dead of winter, wouldn’t you pay up to pay up to be able to turn the heat back on?

I(oT) spy with my little eye: your personal data

A neglected risk when it comes to IoT devices is the possibility of personal data leakage as well as the tracking of movement of devices. Think about how much information an IoT device can collect: webcams can see whatever they are pointed at, smart TVs and personal assistants can pick up sound, smart factories gather company secrets, and smart cars and smart thermostats can give clues to whether or not someone is home.

The amount of data an IoT device collects depends on the device, but the subject of how that data is used and stored is up to the manufacturers. The trend today is to save seemingly everything in the cloud, and that applies to many IoT devices as well. Commands sent to an IoT device via a mobile phone can travel halfway around the world and go through several servers before an action is carried out. This information could be intercepted or rerouted to a malicious server, and be abused if not properly secured. Furthermore, hackers can breach data stored by manufacturers to collect a massive amount of personal information. Depending on the device, that data can include, for example, type of device, IP address, other devices connected to the network, location and more.

Cybercriminals, of course, don’t need to hack into a company’s server to gather information about you, they can go directly to the source instead. There are IoT search engines where one can find an enormous amount of vulnerable IP cameras that can be tapped into by just about anyone. These cameras are in stores, factories, warehouses, parking lots, but also in houses, garages, bedrooms and living rooms. People who use these “public” cameras don’t have the slightest suspicion that others may be watching their every move.

Imagine if a hacker gained access to all or most of the IoT devices in someone’s home. They could track their movement, listen to private conversations to then carry out a targeted attack against members of the household, or sell the information they collect on the darknet for others to abuse.

Growing numbers of IoT devices heightens the risks

The total amount of IoT devices is rapidly increasing, and it’s hard to predict what other commonly used things will become part of the wild IoT world. As the number of smart devices increases, so does the volume of possible IoT hacking exploits. Many IoT devices are essentially miniature computers connected to the public-facing internet or other networks with their own operating systems and the ability to perform quite complex computational operations, making them more powerful than we sometimes think, opening up more possibilities for criminals exploiting them.

The more we surround ourselves with IoT devices, the more motivation cybercriminals will have to target them. We can all imagine how hackers could abuse individual smart devices and the major problems that could occur if manufacturers do not begin to pay attention to securing their products. The IoT sector is still relatively young, and we hope that over time, we will reach a point where connected device security will dramatically improve. For the time being, however, you best keep a close eye on them.