The Internet of Things: New Threats Emerge in a Connected World


Could your baby monitor be used to spy on you? Is your television keeping tabs on your viewing habits? Is it possible for your car to be hacked by malicious attackers? Or could a perfectly innocent looking device like a set-top box or Internet router be used as the gateway to gain access to your home computer?

A growing number of devices are becoming the focus of security threats as the Internet of Things (IoT) becomes a reality. What is the Internet of Things? Essentially, we are moving into an era when it isn’t just computers that are connected to the Internet. Household appliances, security systems, home heating and lighting, and even cars are all becoming Internet-enabled. The grand vision is of a world where almost anything can be connected—hence the Internet of Things.

Exciting new developments are in the offing. A connected home could allow you to logon to your home network before you leave work in the evening to turn on your central heating and your oven. If your alarm goes off while you are out in the evening, you could logon to your home security system from your smartphone, check your security cameras and reset your alarm if there isn’t a problem.

Unfortunately, every new technological development usually comes with a new set of security threats. Most consumers are now very aware that their computer could be targeted with malware. There is also growing awareness that the new generation of smartphones are also vulnerable to attack. However, few people are aware of the threat to other devices.

Linux worm

The Internet of Things may be in its infancy but threats already exist. For example, Symantec investigator Kaoru Hayashi recently discovered a new worm that targeted computers running the Linux operating system. Most people have probably never come across Linux, but it plays a big role in the business world and is widely used to run Web servers and mainframes for example.

The worm, Linux.Darlloz, initially appeared to be nothing out of the ordinary. It exploits an old vulnerability in the PHP scripting language to gain access to a computer, attempts to gain administrative privileges by trying a series of commonly used usernames and passwords, and propagates itself by searching for other computers. The worm leaves a back door on the infected computer, allowing the attacker to issue commands to it.

Since the worm exploits an old vulnerability in PHP, the threat relies on finding computers that haven’t been patched in order to spread. If this were all that the worm did, it would be fairly unremarkable. However, as Kaoru investigated the threat further, he discovered something interesting. The version circulating in the wild was designed to infect only computers running Intel x86 chip architectures, which are usually found in personal computers and servers. Kaoru then discovered versions designed for the ARM, PPC, MIPS and MIPSEL chip architectures hosted on the same server as the original worm. These architectures are mostly found in devices such as home routers, set-top boxes, security cameras and industrial control systems. The attacker was in a position to begin attacking these devices at a time of their choosing.

One of the interesting things this worm does is scan for instances of another Linux worm, known as Linux.Aidra. If it finds any files associated with this threat, it attempts to delete them. The worm also attempts to block the communications port used by Linux.Aidra. There is no altruistic motive behind removal of the other worm. The likelihood is that the attacker behind Linux.Darlloz knows that the kinds of devices infected by Linux.Aidra have limited memory and processing power, and does not want to share them with any other piece of malware. 

Linux.Aidra, the malware that Linux.Darlloz attempts to usurp, also exemplifies this new generation of threats. Like some of the variants of Darlloz discovered by Symantec, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform distributed denial-of-service (DDoS) attacks. Whoever authored Darlloz obviously believed that Aidra infections were so widespread that they posed a potential threat to their own malware.

What is particularly worrisome about these kinds of threats is that, in many instances, the end user may have no idea that their device is running an operating system that could be attacked. The software is, by and large, hidden away on the device. Another potential issue is that some vendors don’t supply updates, either because of hardware limitations or outdated technology, such as an inability to run newer versions of the software.

Vulnerable security cameras

This worm is just the latest in a series of incidents highlighting the emerging security threat around the Internet of Things. Earlier this year, the US Federal Trade Commission settled a case against TRENDnet, a firm that makes Internet-enabled security cameras and baby monitors. The FTC said that TRENDnet had marketed the cameras as being secure. “In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address,” the FTC said. “As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet”.

In January 2012, a blogger made the flaw public and this resulted in people publishing links to the live feeds of nearly 700 of the cameras. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” the FTC said. As part of the company’s settlement with the FTC, the firm had to beef up the security on its devices and promise not to misrepresent their security in future promotional material.

What is notable about the TRENDnet incident is that the devices targeted were not infected with any form of malware. Their security configuration simply allowed anyone to access them if they knew how. This was not an isolated incident. There is now even a search engine called Shodan that allows people to search for a range of Internet-enabled devices.

Shodan searches for things rather than websites. Aside from security cameras and other home devices, Shodan can also find building heating control systems, water treatment plants, cars, traffic lights, fetal heart monitors and power plant controls. The fact that a device can be found using Shodan does not by itself mean that the device is vulnerable. However, services such as Shodan do make it easier for devices to be discovered if attackers know of vulnerabilities in them.

The connected world

Not all concerns relate to security vulnerabilities. Internet-enabled televisions are now quite common and offer a number of useful additional features such as access to video streaming services and Web browsing. Recently, electronics manufacturer LG confirmed that several of its television models track what people watch and send aggregate data back to the company. The company said that it did this in order to customize advertising for its customers. However, an error in the system meant that the television continued to collect data even when the feature was turned off. The company has said a firmware update is being prepared that will correct this problem.

Figure 1. Estimate of the growth in the number of connected devices in the world (Source: Cisco)

The Internet of Things is still only in its early stages. The number of Internet-enabled devices is beginning to explode. According to Cisco, there are now more than 10 billion connected devices on the planet. Given that the world’s population is just over 7 billion, that means that there are now more connected devices than there are people. Cisco, which has been keeping tabs on the numbers of devices, now believes that the number of connected devices will hit 50 billion by 2020. Interestingly, the company believes that around 50 percent of the growth will occur in the last three years of this decade.

Within the past few years, we have seen a huge range of connected devices emerge. For example, the humble thermostat is now Web-enabled. So too is the light bulb, which can now be controlled with a smartphone. Even the automotive industry is sitting up and paying attention, promising connected vehicles that can receive a stream of real-time information.

What is driving this explosion? Simply put, there is now more “room” on the Internet and devices are becoming cheaper to manufacture. Every device connected to the Internet needs an address in order to communicate with other devices. This is known as an Internet Protocol (IP) address. The number of available addresses under the current addressing system, Internet Protocol Version 4 (IPv4), has almost been exhausted. A new system, IPv6, is currently being adopted. It can provide a vastly larger number of IP addresses, billions upon billions for every single person on the planet.

Other standards are also evolving. For example, the industry body that oversees the Bluetooth standard for wireless communications recently announced the latest version of the technology. The group said that Bluetooth is evolving to take into account the development of the Internet of Things. The new Bluetooth standard will make it easier for devices to find and talk to each other in an increasingly crowded environment. And it will now be easier for Bluetooth-enabled devices to link up with an IPv6-enabled Internet.

In tandem with this increase in network space, Internet-enabled devices are becoming easier to manufacture. Many people may be aware of Moore’s law, the axiom that predicts that the computing power of processors will double every two years. A corollary is that lower-powered chips are becoming cheaper to manufacture all the time. Other technologies, such as Wi-Fi chipsets, have dropped significantly in price over recent years. All of these factors are combining to mean that it’s becoming easier and cheaper to produce Internet-enabled devices.

Staying protected

  • Perform an audit of what devices you own. Just because a device doesn’t possess a screen or a keyboard, doesn’t mean that it isn’t vulnerable to attacks.
  • If something you own is connected to your home network, there is a possibility that it is accessible over the Internet and thus needs to be secured.
  • Pay attention to the security settings on any device you purchase. If it is remotely accessible, disable this feature if it isn’t needed. Change any default passwords to something only you know. Don’t use common or easily guessable passwords such as “123456” or “password”. A long combination of letters, numbers and symbols makes a strong password.
  • Regularly check the manufacturer’s website to see if there are updates to the device’s software. If security vulnerabilities are discovered, manufacturers will often patch them in new updates to the software.

Many of your devices are attached to your home network, which is in turn connected to the Internet. Your router/modem is what stands between your devices and the wider world. Securing it is of paramount importance. Most come equipped with a firewall, so ensure that it is turned on and properly configured.

Case Study from the Spammer’s Perspective: Crafting Spam Content to Increase Success

Spammer success is dependent on two factors:

  1. Evading spam filters so the spam message arrives in the recipient inbox
  2. Crafting messages so that the recipient is enticed to open and perform desired call-to-actions (click on the link, open attachment, etc.)

Spammers walk a fine line to balance these two aspects; relying heavily on one factor and ignoring the other will make the spam campaign fail. For example, spammers can evade spam filters by randomizing the subject and body of the message; however, such randomization is likely to be dismissed as obvious spam by even the most unsophisticated user. Similarly, crafting stand-out, enticing messages to increase the email open rate often results in spam filters blocking the message. Spammers have a tough challenge.

Rising up to meet this challenge, spammers are now hiding the true content from the user more than ever before. While there are still spam campaigns with links to online pharmacies with subject lines mentioning a variety of popular Rx names—can it be more obvious?—more sophisticated spam campaigns now use enticing email content unrelated to the spam. One of the most popular methods is to use current events and news, such as the death of a celebrity or major figure or even a natural disaster. A spam message may look like a legitimate email from a news organization containing an article about current events, but actually links to a spam website. This spam strategy is common for spam messages that spread malware.

To increase the success of the call to action, spammers have realized that registering a domain for their spam has become less effective, as it was too easy for anti-spam software to simply block that particular domain. To counter anti-spam efforts, spammers may now use hijacked URLs (otherwise legitimate servers hosting spam content without the owner’s knowledge) or URL shorteners that obfuscate the destination as the call to action.

Let's take a look at how spammers adapted and changed their content through a six-week period to increase their success in both message delivery and email open rates.

We begin this journey with a message that spoofs a well-known voicemail service brand.

Figure 1. Malicious spam message

Clicking the Play button leads to the following URL:

http://[DOMAIN]/message/i9X8PSVcFk0n0QqhGNTJmh8e3/XSunSgPKMsrzQ7Y7s=/play

Instead of playing the voicemail, malware is actually delivered to the computer.

On December 19, spammers changed their content template from voicemail to a fake delivery failure notification from large retailers. How do we know this is the same attack? There are various clues in the message (including the same type of hijacked URLs being used), but the most obvious is the mistake the spammer made by using the same subject header as the first sample, indicating a missed voicemail, while the body of the message indicates a delivery failure notification from a retailer.

Figure 2. Wrong spam email subject reveals single spam campaign

Oops! This was obviously a mistake on the spammer’s part as the content was quickly fixed (in four minutes, or possibly sooner).

Figure 3. Fixed spam email subject

Two additional retailers were also spoofed as part of this particular spam campaign. The structure of the messages remained the same, but the spammers used a variety of hijacked URLs as the call to action, which changed the directory paths. At any one time the campaign hid the spam content under a particular first-level directory, but it used several different directories over time.

Figure 4. Spammer uses various content directory names over time

This spammer preferred to use one particular directory path at a time, and then move on to the next one, rather than distributing the spam across multiple options all at once.
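The two observations above, the subject/body mismatch that exposed the single campaign and the spammer's habit of moving from one first-level directory to the next, can be turned into a simple triage check on incoming mail. The following Python is an added example, not code from the Symantec analysis; the messages, hosts and path tokens are constructed stand-ins for the screenshots, and the keyword themes used to tell the templates apart are an assumption rather than anything the article specifies.

```python
"""Correlate spam samples by call-to-action path and flag subject/body mismatches.

Added example, not part of the original article. Every message, host and
path token below is constructed; none is a real indicator.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed keyword sets that identify which template "theme" a text follows.
THEMES = {
    "voicemail": ("voicemail", "voice message", "missed call", "play"),
    "delivery": ("delivery", "shipment", "parcel", "could not be delivered", "order"),
    "utility": ("statement", "energy", "electricity", "bill", "kwh"),
}

# Constructed samples mirroring the sequence described in the case study:
# voicemail lure, then retailer delivery failures, then a utility statement.
SAMPLES = [
    {"id": 1, "subject": "You have a new voicemail",
     "body": "Press play to listen to your voice message.",
     "url": "http://hijacked-site-a.example/message/TOKENONE/play"},
    {"id": 2, "subject": "You have a new voicemail",          # stale subject
     "body": "Your parcel could not be delivered. View shipment details.",
     "url": "http://hijacked-site-b.example/message/TOKENTWO/view"},
    {"id": 3, "subject": "Delivery failure notification",
     "body": "Your parcel could not be delivered. View shipment details.",
     "url": "http://hijacked-site-c.example/message/TOKENTHREE/view"},
    {"id": 4, "subject": "Delivery failure notification",     # stale subject
     "body": "Your energy statement is ready. Bill total: 412.77. kWh used: 1934.",
     "url": "http://hijacked-site-d.example/components/TOKENFOUR/view"},
    {"id": 5, "subject": "Your energy statement",
     "body": "Your energy statement is ready. Bill total: 412.77.",
     "url": "http://hijacked-site-e.example/components/TOKENFIVE/view"},
]


def classify(text):
    """Return the theme whose keywords appear most often in text, or 'unknown'."""
    lowered = text.lower()
    scores = {theme: sum(k in lowered for k in kws) for theme, kws in THEMES.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


def first_directory(url):
    """First path component of the call-to-action URL, e.g. 'message'."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[0] if parts else ""


def subject_body_mismatch(msg):
    """True when the subject follows one template theme and the body another."""
    s, b = classify(msg["subject"]), classify(msg["body"])
    return s != "unknown" and b != "unknown" and s != b


def correlate(samples):
    """Group message ids by first-level directory and list the mismatched ones.

    Returns (groups, mismatches): groups maps directory -> [ids], and
    mismatches is the list of ids whose subject and body themes disagree.
    """
    by_dir = defaultdict(list)
    mismatches = []
    for msg in samples:
        by_dir[first_directory(msg["url"])].append(msg["id"])
        if subject_body_mismatch(msg):
            mismatches.append(msg["id"])
    return dict(by_dir), mismatches


if __name__ == "__main__":
    groups, flagged = correlate(SAMPLES)
    for directory, ids in groups.items():
        print(f"path /{directory}/ used by messages {ids}")
    print(f"subject/body mismatch in messages {flagged}")
```

The directory grouping is what lets a filter treat messages with different senders, subjects and hijacked hosts as one campaign, and the mismatch check turns the spammer's own template slip into a signal rather than something only a human analyst notices.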

Another change occurred on January 7, when holiday shopping activity had presumably declined. Rather than using fake delivery notifications from a large retailer, the spammers switched to spoofing a large utility company.

Figure 5. Spam campaign switches from retailer to utility company spoofing

The spammer made the same mistake once again with an email subject header that indicates a delivery notification from a retailer, but a body message showing an energy utility statement.

Figure 6. Another wrong spam email subject reveals single spam campaign

Oops again! This mistake was soon fixed with a corrected email subject.

Figure 7. Fixed spam email subject

Why did these spammers choose to use utility statements for their spam content? They may be leveraging consumer fear of a large electricity bill after the Christmas holiday period to make their spam message more enticing to click on. The spam message contains a large bill, and that piques the recipient’s interest enough to make the spam campaign a success.

There was a small spike in retailer-spoofed spam on January 12, well after the utility spam increased in volume. Those messages, while retaining the overall structure of the previous campaigns, dropped the reference to the Christmas holiday.

Figure 8. Post-Christmas delivery notification spam

As the above examples have demonstrated, spammers are always attempting to make their spam messages undetectable by spam filters. They also want to appeal to recipients by pretending the spam contains some legitimate content. In this particular case, clicking on the link leads to a .zip file download containing Trojan.Fakeavlock malware.

There will be more avenues for spammers to entice recipients to click on spam messages as we live more of our lives online. These same spam strategies will continue. Unfortunately, this means that Web users must continue to be on high alert for spam and observe the following best practices to stay protected:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Vietnamese hackers target EFF staffers, journalist in phishing attack

The e-mail received by EFF staffers carrying a link to malware that has been connected with a Vietnamese government campaign against bloggers.

The Electronic Frontier Foundation has published details of an attempted malware attack on two of its employees by a group of hackers associated with the Vietnamese government. The hacker group, known as Sinh Tử Lệnh, has targeted Vietnamese dissidents and bloggers in the past; it now appears that the campaign has been extended to attacks on US activists and journalists who publish information seen as critical of the Vietnamese government.

The Vietnamese government has gone after bloggers in its own country before, and as of last year it had jailed 18 independent journalists—bloggers being the only journalists in the country not affiliated with state-run media. And since 2009, the hacker group has taken that campaign beyond Vietnam's borders, targeting members of the Vietnamese diaspora critical of the Hanoi regime.

In December, two staff members of the EFF received e-mails from someone claiming to be from Oxfam International, inviting them to “Asia Conference.” The e-mail, from a Gmail address for “Andrew Oxfam,” appeared to have been sent to a list and included links to two documents that appeared to be information on the conference shared over Google Drive.

Internet users ditch “password” as password, upgrade to “123456”

"I should have added a 6." Image credit: MGM

An annual list of the most commonly used passwords, a source of both humor and sadness to the human race, shows a change at the top for the first time in three years.

SplashData, a maker of password management software, started analyzing passwords leaked by hackers in 2011 and for the first two years of its study found that "password" was the most commonly used password, ahead of "123456."

The two switched places in 2013, according to the latest list released over the weekend. The new rankings were influenced by a hack on Adobe that revealed 130 million passwords protected only by reversible encryption. Security firm Stricture Consulting Group was able to reveal the top 100 passwords from the Adobe hack, and "123456" came in first by a long shot. Stricture found 1.91 million uses of "123456" compared to 446,162 uses of "123456789" and 345,834 uses of "password." Only 43,497 people used the password for Druidia's air shield and President Skroob's luggage.
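The password advice in the Internet of Things section's "Staying protected" list (change factory defaults, disable remote access that isn't needed, avoid "123456" or "password", use a long mix of letters, numbers and symbols) and the SplashData ranking above describe the kind of check a home-device audit can actually run. The following Python is an added example, not code from either article; the device inventory and vendor defaults are constructed placeholders, the blocklist holds only the passwords named on this page, and the 12-character minimum and three-character-class rule are assumptions rather than anything the articles specify.

```python
"""Weak-password and device-configuration checks for a home inventory.

Added example, not from the original articles. DEVICES is a constructed
inventory; the factory defaults are placeholders, not real vendor values.
"""
import string

# Blocklist seeded with the passwords named on this page (SplashData/Adobe list).
COMMON_PASSWORDS = {"123456", "password", "123456789"}

MIN_LENGTH = 12          # assumed policy; the articles give no number
MIN_CLASSES = 3          # assumed policy: mix of lower, upper, digit, symbol

# Constructed inventory: name, current password, vendor default, and whether
# remote (Internet-side) access is enabled and actually needed.
DEVICES = [
    {"name": "ip-camera", "password": "admin", "factory_default": "admin",
     "remote_access": True, "remote_access_needed": False},
    {"name": "router", "password": "123456", "factory_default": "admin",
     "remote_access": True, "remote_access_needed": True},
    {"name": "thermostat", "password": "Kettle!Orbit-4471", "factory_default": "0000",
     "remote_access": False, "remote_access_needed": False},
]


def is_sequential(pw):
    """True when every character is exactly one code point after the previous
    one, which catches runs like 123456, 123456789 or abcdef."""
    if len(pw) < 4:
        return False
    return all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def check_password(pw):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    reasons = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if is_sequential(lowered):
        reasons.append("sequential characters")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    if pw and len(set(pw)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def audit_devices(devices):
    """Apply the checklist to each device; returns name -> list of findings."""
    findings = {}
    for d in devices:
        issues = []
        if d["password"] == d["factory_default"]:
            issues.append("factory default password unchanged")
        issues.extend(check_password(d["password"]))
        if d["remote_access"] and not d["remote_access_needed"]:
            issues.append("remote access enabled but not needed")
        findings[d["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_devices(DEVICES).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{name}: {status}")
```

Run against the constructed inventory, the camera is flagged for an unchanged default and needless remote access, the router for a blocklisted, sequential, digits-only password, and the thermostat passes. The checks are deliberately cheap so that the same function can be reused when a device's management page is reviewed by hand.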
