Technology / Cyber criminals ‘flocking’ to hack poorly-protected IoT devices, experts warn

Cyber criminals ‘flocking’ to hack poorly-protected IoT devices, experts warn

Cyber criminals are increasingly using poorly-secured Internet of Things (IoT) devices to launch attacks, according to security experts.

Researchers from Symantec said malware targeting IoT-connected devices has "come of age" and poor security on many devices makes them a "soft target".

"Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords," they wrote in a blog post.

They said that rather than concerning themselves with individual users, many hackers are using the devices to build botnets to launch distributed denial of service attacks.

Symantec said IoT security is often worsened because users do not change default device passwords and fail to apply manufacturers’ firmware updates.

2015 was a record year for such attacks, the firm said, with eight new malware families emerging. More than half of all IoT attacks originate from the US and China.

“Cyber criminals are interested in cheap bandwidth to enable bigger attacks,” said Nick Shaw, vice president and general manager for EMEA at Norton by Symantec.

“They obtain this by hijacking our devices and stitching together a large web of consumer devices that are easy to infect because they lack sophisticated security.”

Cyber security journalist Brian Krebs’ website KrebsOnSecurity was recently taken down by a distributed denial of service attack that was believed to have used hacked IoT devices.

“Someone has a botnet with capabilities we haven’t seen before,” Martin McKeay, senior security advocate at Akamai, told Krebs while the attack was ongoing.

“We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”

Security experts recently warned that the IoT will be the next target for ransomware campaigns, which can earn cyber criminals millions of pounds in payments from victims.

As such, they have told manufacturers of connected devices that security needs to be considered at the start of development – not after products are released.

“When you build a device, as an industry that threat modelling needs to happen at the start of the process, not the end,” said Huawei’s European cyber security officer David Francis at the FT Cyber Security Summit Europe. “It needs to be built in, not bolted on.”

For more on the rising IoT threat, see the Symantec blog.



Get our latest features in your inbox

Join our community of business leaders