The Multi-Billion-Dollar Hack – How Criminals Exploit the IoT For Big Money

This is Not a Joke or a Delusion – This is Reality

The fabled IoT, or the Internet of Things, was heralded as the next big technological advance for humanity. Fridges, TVs, washing machines, cars, phones, wearable devices, heart implants, pacemakers – anything connected to the Internet in any way possible – was supposed to herald a new dawn in the age of humanity.

Good news – the new dawn is here.

Bad news – it could be an apocalyptic nightmare dawning even right now.

The Background

What is the trouble with the IoT? Security. The devices made today are being sold at lower prices than ever before. A device from Asia is half the cost of an Apple device and even Apple devices are part of manufacturing supply chains that create the computer circuitry elsewhere. We outsource our industrial needs at lower costs.

Now the manufacturers cannot compromise on features or functionality. If they did, they would no longer be profitable. So, they look to cut costs elsewhere. And what is the most logical target? You guessed it – security features. Static built-in passwords, lack of encryption, the complete absence of any security features, and a failure to counter possible intruders from anywhere in the world are worryingly ubiquitous across the budget IoT devices landscape.

Unless an IoT device has encryption and security mechanisms built into it from the very start of fabrication, it cannot be protected against unauthorized malicious access over the Internet. How many such devices exist in the world right now? The figures are worrying – by 2020, there will be three IoT devices for every human being on the planet. To be more precise, a study at IoT Analytics projects that over 20 billion devices will be active by 2020 that can be hacked remotely by malicious intruders.

Attack Method – DDoS

DDoS stands for Distributed Denial of Services. Basically, it works in the following manner.

A hacker gains access to multiple workers or zombie nodes. As it stands today, these zombie nodes can be IoT devices – of which there is a huge number, unprotected and vulnerable. Once the hacker has access, he/she forms a botnet – a collection of millions of devices connected to the Internet – that accesses the victim site simultaneously.

Since all web servers have finite resources, the server and its associated partner systems that normally handle high workloads collapse under the demand for resources, and the website is non-functional from that time onwards until the time that the server-side maintenance finds a way to take back control of the servers and initiate measures against such attacks in the future – normally by blacklisting the IP address that generated all the fake traffic.

From www.SlashGear.com 

So, there you have it – a method to take down any website in the world by any malicious agent who so wishes. The effects of such an attack can be dramatic – ranging from days to weeks of server downtime. And of course, millions of dollars in losses by companies that work with these websites. Two of the most recently affected sites were Internet giants Netflix and Twitter.

The results can be quite frightening.

The following graph records one of the largest DDoS attacks on GitHub (possibly for ransom) by over 1000 autonomous devices and tens of thousands of unique endpoints. This was an all-time record for the year 2018. However, in 2019, hackers have already surpassed this figure.

From www.A10Networks.com/blog/5-most-famous-ddos-attacks/

Now if multi-billion-dollar organizations are prone to such attacks, and can be severely crippled by it – what hopes do normal websites operated by individuals and smaller but more widespread companies like say, an independent blogger on WordPress have?

To show you how real the threat is, we quote from a report by The Daily Swig, an Internet security newsletter (the article by Jessica Haworth) made recently about the phenomena of DDoS attacks and their prevalence in the last year.

From https://portswigger.net/daily-swig - Global DDoS attacks nearly double in the first quarter of 2019

An excerpt:

“The number of distributed denial-of-service (DDoS) attacks detected worldwide increased by 84% during the first three months of the year, according to new research.

Fresh insight from Kaspersky Lab has revealed a dramatic increase in the instances of DDoS attacks during the first quarter, with the security company also noting a spike in “sustained attacks” lasting longer than an hour.

The uptake of the report is fairly unsurprising: DDoS campaigns remain a constant threat globally, with law enforcement worldwide taking steps to crack down on those orchestrating the attacks.

But while international agencies scramble to shut down cybergangs and their botnets, the rate of attacks shows no signs of slowing.

Indicators of DDoS campaigns increased during the first quarter of 2019, and the number of sustained attacks – those lasting more than 60 minutes – almost doubled, according to Kaspersky.”

From Jessica Haworth in the Daily Swig

But wait just one minute – botnets represent huge processing computational power. Can’t we do more with botnets than just ping a server? Yes – you can.

Security at All Layers of the IoT

Once upon a time, open-source was a fad that people thought would soon disappear. It’s remarkable how much things have changed today. Open-source software is not just a favorable requirement – it is an absolute must, especially today.

Why? For that, we need to delve a little deeper into what exactly a botnet is, what its capacities and capabilities are, and why the concept of a botnet is so relevant today.

What is a Botnet?

To answer this question, we turn to www.Technopedia.com:

Definition:

A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks.

A botnet may also be known as a zombie army.

There is a lot that can be done with the computing resources available to hackers today. We have 20 billion IoT devices, 5 billion computer systems (laptops and desktops), 4 billion mobile devices, 2 billion tablets, all connected to the Internet 24x7x365 by the year 2020.

That’s a total of around 30 billion devices alone that are available to hackers by 2020. A skilled distributed system malware developer has the power of the entire world accessible to him. What will be impossible to such a hacker? Nothing!

Existing Distributed Botnets Already Defrauding Millions

Computers can do much more than what the instruction manuals and textbooks tell you. To a technically creative mind, a computer is a dream come true – almost like having a chance to be a god-like entity as far as the technology world is concerned. What do I mean by that?

There exists malware on mobiles and tablets that uses computing power to perform cryptocurrency mining. According to Webopedia, crypto-mining botnets can earn hackers even six figures a month if the app that allows it is installed world-wide by millions of people. And no one will know or even imagine a thing!

Right now, writing this article, my computer may be used by hackers who control it remotely and use my computing resources to mine cryptocurrencies into their account, without any awareness on my part! Unless we see the source code, we cannot tell what an application does on our systems – laptop, mobile, tablet, PC, IoT device.

Jordan Pierson writes in a Symantec Report dated in 2017 but still valid today that nefarious entities are using multiple access points to our devices to mine cryptocurrency. The website The Pirate Bay, several Torrent Websites, and several web providers and systems on the Dark Web are actively involved in installing cryptocurrency miners on all who browse to their systems.

How does this apply to IoT?

The answer – not only does it apply, but IoT devices are at the greatest risk for cryptojacking (the term used for the process of mining cryptocurrency through malware). Poor security, static passwords, back doors and lack of intrusion detection systems make IoT devices a hacker’s paradise! And while it is difficult to detect cryptojacking on a laptop or mobile, it is possible. But how will we ever detect cryptojacking on an IoT embedded device?

An IoT device is accessible during construction. After that, it is free and blatantly tempting game for hackers. Oh, and how many such devices will exist by 2020? Not that many to worry about – just 20 billion!

What is the Solution?

As far as I see it, there is only one solution. Many more people need to learn software development. It should be introduced even from grades 1 and 2 (children are fast learners and incredibly intuitive). And every single software in the world needs to be Open Sourced.

Simply put, there is no other way.

You might think that this is impractical. That the opening up of source code across the technology industry and the entire software sector – mobile, laptop, tablet, wearables, and IoT – is not feasible, especially because of intellectual property restrictions. But again, I repeat – there is no other way.

I have coined a term for this – the O5S – the Open Sourced Software System Security Solution.

The O5S mandates that every line of code of every piece of software you own should be visible to the general community, free of cost. This means that the entire world will have free access to all the code in the phone, tablet, laptop/PC, and yes, even IoT. And should have the right to change the code (which will of course void any warranties) to suit their own requirements.

You gotta be kidding me! (I’m not surprised if this is your reaction!)

Why is this important?

There is no other way to be sure!

I am going to give you a list of mobile apps.

See if you have any of these installed on your Android phone/tablet.

1. Speed Booster – Memory Cleaner & CPU Task Manager
2. Clean Droid – 1 Tap Clear Cache & Phone Cleaner
3. Battery Saver – Bataria Energy Saver
4. AppLock Privacy Protector
5. Virus Cleaner Antivirus 2017 – Clean Virus Booster
6. Super Antivirus & Virus Cleaner (Applock, Cleaner)
7. Antivirus – Security
8. Antivirus 2018
9. Smart Antivirus
10. Antivirus Clean
11. Security Antivirus 2018
12. Max Security – Antivirus & Booster & Cleaner
13. Antivirus Cleaner – Virus Scanner And Junk Remove
14. Antivirus Security Free
15. Antivirus Cleaner For Android & App Locker Pattern
16. Antivirus Security
17. Smadav antivirus for android 2018
18. Antivirus Free : Process Virus
19. TV Antivirus Free + Applock
20. Antivirus Virus Cleaner – Security Applock 2017

The full list of over 50 Android apps, some of them having over 10 million downloads – is given on the following link:

51 Most Dangerous Android Apps on the Play Store

What do all these apps have in common?

Every single app in the list contains malware – phishing, spying, call recording, credit card number extraction, viruses, Trojans, you name it, it’s there!

As na?ve end-users with no technical skills for development and programming, we just don’t know.

The only way to be sure – is to go the open-source route.

And that is the only solution possible.

In the long run.

And it’s even beneficial to many.

Will do a blog post on that later.

TL; DR

The IoT is a technology security disaster and a hacker’s paradise in the making. However, its not too late. By ensuring that all code on your phones, tablets, and computers are open source, we can ensure that the worldwide community of open source developers scans all the code and picks up all the malware or secret backdoors available on so many devices right now. What will happen? Only time will tell. Thanks for staying with me till the end (if you did) – and as for me, I’m just going to scan my laptop for cryptojacking malware. And hope – that there will be a solution if I find one – or more!

Cheers!

Endnote

We live in highly exciting times. While there have never been such opportunities for cybercrime in all of history, this technology age is a place where one person can make 20 billion dollars for one single app. Just ask the people at Instagram. May the joy of the wonderful possibilities in your prospective future never leave you. And never go against the law. Criminals lose in the long run, regardless of whatever they gain immediately. There are many ways to make 1 billion dollars without criminal methods – all of which are doable and technically theoretically possible.

Maybe that will be my next blog post! ??

All the best.

References

1. Hacking the internet of things: vulnerabilities, dangers, and legal responses - Sara Sun Beale and Peter Berris

2. The 5 Most Famous DDoS Attacks – A10 Staff

3. Global DDoS attacks nearly double in the first quarter of 2019 – Jessica Haworth, The Daily Swig

4. Kaspersky Secure List Blog – DDoS attackers in 2019 Q1

5. The Definition of a Botnet - Technopedia

6. Crypto-Mining Malware Explained – Forrest Stroud, Webopedia

7. Symantec – A Crytocurrency Mining Malware Arms Race is Looming- Jordan Pierson, www.vice.com

8. 51 Most Dangerous Android Apps on the Play Store