IoT Rootkits: Should We Worry?
Vivek Ramachandran
Founder, SquareX (Browser Detection-Response) | Founder, Pentester Academy (Acquired) | DEFCON-BlackHat Speaker | Book Author | Angel Investor
We've been busy creating videos for our newest course Linux Rootkits for Red-Blue Teams. We posted the first few videos and one of our students, a professional working at a large bank sent me an email with the following question:
... Why treat rootkits for IoT devices any different than the ones for existing Linux server and desktop systems? After all, you can only run them after escalating privileges so there is no immediate worry ...
His observation is correct in the context of Linux servers and desktops: Attackers generally get a foothold on the system as a low-privileged user and then try a variety of escalation techniques to become root. Most of the time this is not possible, and hence the Attacker might have to settle for user-mode backdoors. Not bad, but definitely not as powerful as a rootkit!
However, in the case of most IoT devices there is one MAJOR DIFFERENCE: Everything Runs as the Root User! But are these not Linux systems capable of multi-user support, you ask? Yes, very much so, but vendors have gotten away with doing this for a long time on Wi-Fi routers and are doing the same with IoT devices! So once an Attacker can get a foothold on an IoT device, he can immediately own the device pretty much FOREVER with a Rootkit!
FOREVER is a bold assertion :) but here is why this is true:
- IoT device "hard disks" cannot be easily "re-formatted": "Format the Disk" -- the IT department solution for the really hard problems :) Unfortunately, for IoT you cannot "open the case" and "eject" the flash memory chip of the device like you would the hard disk of a regular server/desktop. Strictly speaking, yes, you can pry open the case and use on/off-board devices to reprogram the flash chip, but it will be very difficult to do this without physically damaging the case and/or the device. Imagine your IT team opening smart plugs and reprogramming them after a suspected attack :)
- Firmware updates are useless once a rootkit is installed: Updates are downloaded and installed by the running operating system; once it's compromised, the updating mechanism cannot be trusted to do its job!
- Rootkit infections are difficult or impossible to detect: Depending on the technical ability of the Attacker, most rootkits, by their very nature of running within the core operating system kernel, become impossible to detect.
So what is the solution? It already exists: apply the principle of least privilege when building IoT devices. I guess we will have to wait for this one to hopefully find its way someday into embedded/IoT vendors' development life cycles.
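A quick way to see the "everything runs as root" problem on a device you are evaluating, and to check whether a vendor has actually applied least privilege, is to walk /proc and list every process whose real UID is 0. The script below is an added example written for this article; it is not code from the course or from any vendor. It assumes only the standard Linux /proc layout (one directory per PID containing a `status` file with `Name:` and `Uid:` lines) and the BusyBox-style tools usually present on such devices (`sed`, `awk`, `wc`, `mktemp`). Because the interesting output depends on the device you run it on, the block also builds a small constructed /proc-like tree so it can be demonstrated offline.

```shell
#!/bin/sh
# audit_root_procs.sh: list services that run as uid 0 on an embedded Linux box.
# Added example for this article, not the course's or any vendor's code.
# Assumes a /proc-style layout: <root>/<pid>/status with "Name:" and "Uid:" lines.

# Print "pid name" for every process under PROC_ROOT whose real UID is 0.
# PROC_ROOT defaults to /proc; pass another directory to audit a test tree.
root_processes() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -f "$dir/status" ] || continue          # skip non-PID entries / stale globs
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status")
        uid=$(awk '/^Uid:/ {print $2}' "$dir/status")   # field 2 is the real UID
        if [ "$uid" = "0" ]; then
            echo "${dir##*/} $name"
        fi
    done
}

# Count the processes under PROC_ROOT that run as root.
count_root_processes() {
    root_processes "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree so the audit can be demonstrated offline.
# The names and UIDs below are made up for illustration, not taken from a real device.
make_sample_proc() {
    sample=$(mktemp -d)
    mk() {
        mkdir -p "$sample/$1"
        printf 'Name:\t%s\nUid:\t%s\t%s\t%s\t%s\n' "$2" "$3" "$3" "$3" "$3" > "$sample/$1/status"
    }
    mk 1   init     0
    mk 120 httpd    0     # web UI as root: the pattern the article warns about
    mk 130 dropbear 0     # SSH daemon as root
    mk 140 ntpd     101   # one service that dropped privileges
    echo "$sample"
}

# Demo on the constructed tree (run with a real /proc by calling root_processes directly).
demo_root=$(make_sample_proc)
echo "Processes running as root under $demo_root:"
root_processes "$demo_root"
echo "Total: $(count_root_processes "$demo_root")"
rm -rf "$demo_root"
```

On a real device run `root_processes` with no argument; every network-facing daemon that shows up is a service where a single bug hands the Attacker root, and therefore the ability to install a rootkit, with no privilege escalation step in between.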
If you are interested in building simple rootkit demos for embedded/IoT devices and showing them within your organization as a Proof-of-Concept of why we are not ready for IoT in the Enterprise, then please check out our Linux Rootkits for Red-Blue Teams course.