In December 2013, Check Point released its security predictions for 2014. At the top of the list of predicted new threats was criminals looking to exploit IP-based smart devices and appliances to gather personal information, or to launch attacks. However, we didn’t expect that this prediction would be proved right within a month, with two security incidents involving a range of new devices.
First came the news that a massive data breach at two leading US-based retailers had resulted in the theft of credit card and personal information of 110 million customers. The attackers used ‘RAM scraping’ malware, which they planted in the point-of-sale terminals at retail stores.
Getting into a scrape
Even though these POS terminals are not computers in the conventional sense, they do have processors and RAM chips, and they perform basic computing functions – like reading the data from customers’ credit cards, encrypting it and sending it to the retailer’s back-end systems.
The RAM scraping malware is designed to activate when new data is loaded into memory, before it is encrypted, to grab that data (which includes the cardholder's name, card number, expiry date and the three-digit security code) and forward it to the attacker. While the POS terminals may not be directly connected to the Internet, the retail systems that run the terminals are usually Windows-based, need to be regularly patched, updated and properly configured, and are probably connected to other internal networks as well as the Internet.
So an attacker who can find a way into a retailer’s Internet server using a vulnerability may be able to move across to other local networks, and then to the POS systems and terminals themselves.
Spam: fresh from the fridge
Second, there was the news that over 100,000 consumer devices including an internet-connected refrigerator, smart TVs and multimedia hubs helped to send more than 750,000 spam and phishing emails over the Christmas holidays.
Of course, it’s commonplace for home and business PCs to be compromised by bots and used to generate huge amounts of spam and phishing emails, and to launch "denial of service" attacks on websites – but this attack is the first reported in which ordinary household smart devices were used as part of the botnet.
The majority of the devices were not actually infected, but were simply left open so that attackers were able to exploit the software running on them to send and relay spam and infected emails. But this incident highlights just how resourceful attackers have become, and how unconventional attack vectors can be effective.
Protecting things
Now that attacks against smart devices have begun, they will only escalate. Analyst agency IDC forecasts that there will be 200bn devices connected to the internet by 2020, compared with 5bn devices today (approx. 1bn PCs, 2bn mobiles and tablets, and another 2bn devices such as temperature monitors, webcams, etc.).
Securing these devices will be a challenge. Many of them have limited processing capability, and so are not capable of running conventional anti-malware solutions. Instead, security relies on users changing passwords and settings away from the defaults, and ensuring the devices are not left open – in exactly the same way that people are advised to protect their home Wi-Fi networks.
Larger-scale attacks such as the RAM scraping exploits against major retailers reinforce the need for organisations to maintain best security practices. This includes applying the latest updates and patches to close off vulnerabilities, and deploying layers of security to protect networks and data so that even if one layer is breached, the next can stop the attack. For example, organisations could isolate different network segments from each other using firewalls, to inhibit attacks from crossing networks; and use threat emulation or ‘sandboxing’ services to identify and isolate malicious files before they enter the network, so that infections do not occur.
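The segmentation advice above is the direct answer to the attack path described earlier: an Internet-facing server should never be able to open a connection into the POS segment, so a firewall policy between zones should default to deny and list only the flows each tier needs. The example below is added here and is not Check Point's code or the article's; it models a zone policy and audits a few constructed flow records against it, so a network team can check what the firewall is letting through. The zone names, address ranges (RFC 1918 placeholders) and the simple `src dst dport proto` log format are all assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Zone map (constructed). Any address outside these ranges is treated as "internet".
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "dmz":      [ipaddress.ip_network("10.1.0.0/24")],   # Internet-facing web tier
    "corp":     [ipaddress.ip_network("10.2.0.0/16")],   # office and back-end systems
    "pos":      [ipaddress.ip_network("10.9.0.0/24")],   # terminals and store servers
    "payments": [ipaddress.ip_network("10.9.1.0/24")],   # gateway the POS settles through
}

# Allow-list of (source zone, destination zone) -> permitted destination ports.
# Everything not listed is denied; note there is no row from "dmz" or "corp" into "pos".
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("internet", "dmz"):  {443},    # customers reach the web tier only over HTTPS
    ("dmz", "corp"):      {5432},   # web tier talks to its database, nothing else
    ("pos", "payments"):  {443},    # terminals settle transactions with the gateway
}

# Constructed flow records, as a firewall or NetFlow export might summarise them.
SAMPLE_FLOWS = """\
203.0.113.7 10.1.0.5 443 tcp
10.1.0.5 10.2.3.4 5432 tcp
10.1.0.5 10.9.0.12 445 tcp
10.9.0.12 10.9.1.2 443 tcp
10.2.3.4 10.9.0.12 3389 tcp
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the named ranges is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Default-deny check: a flow passes only if its zone pair and port are listed."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True                 # intra-zone traffic is outside this policy's scope
    return dport in ALLOWED.get((src_zone, dst_zone), set())


def audit(flow_text: str) -> List[Dict[str, object]]:
    """Return the flows that the segmentation policy would deny, with their zones."""
    denied: List[Dict[str, object]] = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        port = int(dport)
        if not is_allowed(src, dst, port):
            denied.append({"src": src, "dst": dst, "dport": port, "proto": proto,
                           "path": f"{zone_of(src)} -> {zone_of(dst)}"})
    return denied


if __name__ == "__main__":
    for d in audit(SAMPLE_FLOWS):
        print(f"DENY {d['src']} -> {d['dst']}:{d['dport']}/{d['proto']}  ({d['path']})")
```

Against the sample records the audit denies two flows: the DMZ web server reaching into the POS segment on port 445, which is the lateral move the article warns about, and a corporate host opening remote desktop to a terminal. The customer, database and settlement flows pass. Reviewing real flow exports this way shows whether the firewall rules actually enforce the segmentation the design claims.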
Just as the 'Internet of Things' is enabling a better-connected, more efficient world, it also gives criminals a better-connected, more efficient network for launching attacks. Yes, we should be aware of suspect devices – which, it seems, is rapidly becoming all devices.