The number of IoT devices is growing, and so is the malware targeting them. According to a report from security service provider Symantec, the number of IoT malware attacks reached a record high in 2015, multiplying over the past year.
Eight malware families emerged in 2015, and some remain active this year. According to Symantec, poor security on many IoT devices has made them soft targets, especially non-PC embedded devices. Because of their less-structured operating systems and limited processing power, these devices rarely have advanced security features installed. Many IoT malware families exploit this loophole, together with the devices' Internet connectivity, to attack them.
Weak passwords on these devices also attract malware attacks. According to Symantec's report, most users have not changed the passwords. The most frequent usernames or passwords on these connected devices are root, admin, 123456, and test. These are often set by default. Users' lack of awareness has become a threat to their own security.
Most of the attackers, however, are not interested in the victim, according to Symantec. Their top goal is usually to hijack a device and add it to a botnet in order to perform distributed denial of service (DDoS) attacks. By hijacking multiple IoT devices, attackers are able to perform DDoS attacks simultaneously from different IoT platforms, which was seldom seen in the past. Symantec predicts that this scenario will occur more often as more and more embedded devices connect to the Internet.
The amount of cross-platform malware is also increasing. Attackers can easily compile their malware for various architectures. The most commonly targeted platforms are x86, ARM, MIPS and MIPSEL, Symantec indicated, but more architectures are being added. This has turned more devices into potential targets, including web servers, routers, modems, NAS devices, CCTV systems and ICS systems.
According to analysis of Symantec's honeypot, which gathers IoT malware samples, most of the IoT attacks in 2016 came from China (34%) and the United States (28%), followed by Russia (9%), Germany (6%), the Netherlands (5%), Ukraine (5%), Vietnam (4%), the UK (3%), France (3%) and South Korea (3%).
Just a few days ago, computer security researcher Jonathan Zdziarski described an awful IoT device security experience on Twitter. According to his account, his Owlet baby gizmo does encrypt the data, but the ad-hoc Wi-Fi connecting the base station with the sensor is fully unencrypted and accepts access from anybody without requiring any authentication.
In this situation, anyone who gains access to the IP address of the base station is able to delete Wi-Fi networks and break the alerts.
Home security may be the main attraction for buying connected home devices. However, security loopholes, which may be caused by both users and service providers, have left the home potentially in danger.