The Economics of Home IoT Cyber Crime
IoT devices in the home are increasingly being targeted by cyber criminals. This can lead to invasions of personal privacy as well as attacks on Communications Service Providers (CSPs) and IoT vendor property and infrastructure. It is likely that this trend will continue with attacks becoming more widespread and sophisticated. The past five years has seen an explosion in the number of IoT devices located in the home, from security cameras, nanny cams, and smart home devices (such as smart locks and smart heaters) to smart home controllers and routers. Many of these devices contain easily-exploitable vulnerabilities, which may not only impact the privacy of home Internet users but that can also expose personal security, personal data, and computer equipment to exploitation and damage. For the cybercriminal, attacking home IoT devices is a little like shooting fish in a barrel. They are easy targets, which maintain only basic levels of access security, and which can offer potentially high rewards when exploited. Squarely in the hackers’ crosshairs are home Internet consumers whose privacy and property can be easily compromised through an IoT attack. This can involve the theft of video footage of the inside of a person’s home, to hacking into the device controlling the home heating system. For example, a DDoS IoT-based attack in Finland did just that when several residential complexes were held hostage without heat until a ransom was paid. IoT security breaches can also put home consumers in personal physical danger, when security cameras can be switched off remotely and smart locks disabled by a cyberattack. A greater financial risk lies in the exposure to which IoT device vendors and manufacturers can be subjected. One example of IoT device vendors being targeted by cyberattack was the recent Satori IoT botnet, a variant of the infamous Mirai malware, that used a zero-day exploit to “zombify” some 500K to 700K Huawei routers. The resultant attack opened the IoT device manufacturer to serious ransomware exposure. Similar attacks, including the one on the Deutsche Telecom network where hundreds of thousands of home routers were “bricked”, exposing the router manufacturer to pay a ransom, or face potential financial ruin. Such assaults can badly damage IoT vendors’ reputations as well as expose them to ransom payments to avoid replacing thousands, if not millions of their compromised IoT devices. This means that by attacking easy targets such as home IoT devices, the cyber attacker is capable of ransoming IoT device vendors and/or IoT service providers. In this case little effort can produce huge gain. The factors that contribute to IoT devices being prone to breach are varied. First, many of these devices are designed without the manufacturers investing adequate resources in providing built-in cyber security, emphasizing low cost over security. Often constructed utilizing relatively old technologies, these IoT devices contain weak spots that can be targeted by cybercriminals (for example, the Reaper attack that created IoT botnets used nine known weaknesses, some of which had been around since 2013). Cyber defenses are further undermined by the fact that most home users won’t bother or won’t know how to update their IoT firmware to meet the challenges posed by the latest sophisticated cyberattacks. Even automated updates often fail to provide the necessary solution as they are not always activated by consumers. Finally, most consumers are not tech savvy and are simply unaware of the necessity for maintaining strong, secure password regimes, which can easily lead to their home networks being violated by cybercriminals. Due to the ease with which cybercriminals can identify and attack vulnerabilities in IoT devices on the home Internet network, and due to the significant potential gain for the attackers, it is only a matter of time before those attacks increase in scale and sophistication. Delivering a comprehensive solution for the consumer IoT threat described above requires a solution that is both consumer friendly, at the price level relevant for consumers, and that provides a high level of security. A layered approach would be the most effective method to tackle the evolving attack surface. Such an approach should comprise:
- Customer Premises Equipment (CPE)-based Security: Provides comprehensive security policies for every IoT device in the household.
- Network-based Protection: Protects the CPE and secures against attacks within the home network—preventing a proliferation of infection from one device to another within the household.
The real challenge for security providers today is to provide an enterprise-grade solution that requires zero knowledge and zero intervention from the consumer and that can protect against sophisticated attacks—all at a consumer price tag and utilizing a deployment mechanism that can facilitate rapid mass distribution and foster engagement by consumers. However, the challenges posed by these IoT vulnerabilities will provide opportunities to CSPs that are best placed to provide such solutions through their home network infrastructure (CPE) as well as core network capabilities. Leveraging on their CPE and network assets, CSPs can offer consumers security solutions that can protect against sophisticated attacks, that require zero knowledge and zero intervention from the consumer, and that can achieve optimal levels of IoT security. With a track record built on proven success with the world’s largest deployed network-based security service, Allot’s HomeSecure aims to set the standard for home IoT cybersecurity protection within the Communications Service Provider sector.