Home and business users are likely to keep missing attacks on their increasing numbers of connected devices as hackers focus on new ways of exploiting the new 'Internet of Things' (IoT), an ESET security researcher has warned.
Such hacks often go unnoticed for months on end because users simply aren't monitoring the traffic between compromised equipment – routers, IP cameras, printers, scanners, and a new breed of casually-connected, non-computer devices – and the outside world, ESET research fellow Peter Košinár told CSO Australia.
“Many such devices are misconfigured, unpatched, and a good source of data when it comes to stealing information,” he said. “This makes them very interesting starting points when it comes to probing your network.”
Hackers have become increasingly interested in testing the limits of IoT penetration, with persistent router botnets already becoming a reality two years ago and the recently discovered 'Spike' toolkit automating the process of infecting connected computers, routers, and other devices to form massive botnets.
Exposure to IoT threats wasn't only due to human oversight, however: penetration of such equipment to date has generally been undertaken surreptitiously and often falls outside the purview of security tools predominantly deployed to monitor internal threats.
“From observations, it seems there are very long gaps – months to years – between when the attack was started and the observer noticed it,” said Košinár, who has researched the IoT threat extensively ' secret life of routers' and is in Australia presenting at this week's AVAR conference.
“Often, these attacks are not disruptive in terms you would notice,” added Košinár, who half-jokingly referred to IoT as the 'Internet of Attackable Surfaces'.
“[Monitoring] devices are usually sitting in front of their networks, monitoring the attacks on these devices – but the people monitoring the inside network are not seeing the traffic directed to the end point.”
That lack of visibility had opened the door to an increasingly complex range of potential attacks – and the potential compromises are set to explode, according to figures out this week from Gartner.
According to the research firm's latest IoT forecasts, some 4.9 billion connected 'things' will be in use by next year – up 30 percent on this year – and the number is on track to reach 25 billion by 2020.
This growth will support an explosion in new services, Gartner has said, with IoT-related services spending jumping from $69.5 billion next year to $263 billion by 2020. Yet Gartner vice president and fellow Steve Prentice agreed that the new paradigm introduced new threats: “Organisations must straddle the tension of all the information available from smart things by balancing their desire to collect and analyze it with the risk of its loss or misuse,” he said in a statement.
“Executives now face a decision regarding the future of security in their enterprise and who governs, manages and operates it,” Gartner's analysis noted, adding that by 2017 more than 20 percent of organisations expected to have digital security services devoted to protecting IoT-connected devices.
Relying on vendors for fixes is continuing to prove problematic, Košinár warned, since many manufacturers don't ship products in a secure state and take some time to patch them even after vulnerabilities are discovered.
Read more: 3 steps to total compromise – why Google’s 86,000 indexed printers should have your IT team jumping.
“It would be useful if, when it comes to home users, vendors were providing connectivity to provide devices in a better configured state,” he said. “It is very much a question of accepting responsibility – and the situation is only going to get worse with the number of devices that are being plugged in.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.