IoT & Cryptocurrency Mining: Cyber Security Update


The Internet of Things represents a significant and growing target area for cyber criminals.

The growth in cryptocurrencies is focussing cyber criminals on the benefits of crypto-mining malware.

Individuals, businesses and governments need to include IoT related cyber risks in their security controls and plans.

Key takeaways

  • The significant increase in the value of cryptocurrencies in 2017 focussed cybercriminals’ attention on the benefits of crypto-mining
  • 2017 saw a 50% growth in cryptocurrency mining cyber-attacks, with up to 59% of home network attacks cryptocurrency related, and this trend is expected to continue
  • ‘Mining pools’ allow users to share computing power and split the cryptocurrency reward in proportion to their contribution
  • Through crypto-mining malware, cybercriminals can crypto-jack a range of PCs and IoT devices to steal the computing power and secretly mine cryptocurrencies
  • Whilst the devices themselves can be damaged, the bigger risk is disruption to the actual IoT service which could lead to a loss of business critical assets or even life
  • There are a range of precautions consumers and organisations can take to minimise cyberattacks in the home and workplace such as building awareness, installing latest device software, auditing devices and installing IoT specific monitoring software

Introduction

In our last cyber security report ‘IoT and Cyber Security’, we highlighted that as the number of IoT devices grows across market segments, so too will the risks of cyberbreaches across these devices. The focus in our last paper was the hijacking of IoT devices to create armies of cyber bots to carry out global cyberattacks – such as the Mirai Botnet which used thousands of IoT devices, ranging from CCTV security cameras to home routers, to orchestrate Domain Name System attacks on major websites. This report provides an update on IoT cyber risk and the growth of cryptocurrency mining cybercrime.

The ubiquitous IoT ecosystem

The Internet of Things represents an ecosystem of internet enabled devices which allow a range of traditional and new objects (i.e. ‘things’) to be connected, monitored and controlled through the internet.

Given the number of physical objects in the world runs into the billions, the potential to connect internet enabled devices to the IoT ecosystem also runs into the billions. Ericsson, a global telecommunications network provider, forecasts that globally IoT devices will grow from 5.6 billion in 2016 to 18.1 billion by 2022[1].  These devices can be connected through traditional wide area mobile phone networks such as 4G or through short range wireless networks such as Wi-Fi and Bluetooth - with Ericsson forecasting 88% of the total IoT devices are in the latter (short range) category. As telecoms operators look to upgrade their mobile networks from 4G to 5G, IoT is seen as the major beneficiary with Deloitte recently finding that much of Australia’s 5G value will come from IoT driving new products and services[2].

IoT will therefore dramatically change both consumer and business ecosystems. Consumer benefits include smart home lighting and security applications designed to save energy and keep households safe. Business benefits cross virtually all industry sectors with efficiency and productivity examples within the transportation (traffic management, parking), healthcare (health monitoring and alerts) and energy (demand management, emergency alerts etc) sectors.

IoT and Cryptocurrency Mining

As more IoT devices are connected and more consumer and business processes are monitored and controlled, our reliance on IoT devices increases exponentially which in turn increases the range of risks for individuals and society.

We have previously highlighted the use of hijacked IoT devices for DDoS attacks and the growth in IoT hacking toolkits available to cyber criminals. For example, traditional penetration test kits such as Metasploit have been upgraded to accommodate IoT devices and there are a range of hacking toolkits designed to target traditional wireless interfaces such as Wi-Fi, RFID and Bluetooth.

Due to the rapid increase in value of cryptocurrencies in 2017, malware operators are including cryptocurrency mining software in their exploit kits and we are seeing a significant growth in cryptocurrency mining cyber-attacks.  These attacks use the computing power of hijacked PCs and IoT devices to mine cryptocurrencies.

Cryptocurrency Mining

Cryptocurrencies are created by mining ‘transaction blocks’ which are appended to a cryptocurrency blockchain such as Bitcoin. These blocks are created by calculating cryptographic hashes until the miner finds the matching hash – at which point the block is formed and the miner receives the cryptocurrency payout for that block.

However, this process scales in complexity as more blocks are created and there is increased competition from other miners to solve the cryptographic hash.  As such, the mining process is time intensive, involves hardware with powerful processing capabilities and, as a result of operating these machines 24 hours a day, uses large amounts of electricity.

To keep up with the growing competition, many miners are joining ‘mining pools’ to share their compute power with other miners.  The miners split the block reward in proportion to their mining hash power. There are both public and private mining pools with the mine pool operator also receiving a fee for participation.  An example of a public mining pool is Slushpool (Figure 1) which was the first publicly available mining pool.

Figure 1. Example of Crypto Mining Pool Benefits – Slushpool.com

SOURCE: Slushpool Website

The Benefits of ‘Crypto-jacking’

Recognising the costs of increasing compute power and electricity, cybercriminals are using the concept of mining pools to hijack 3rd party devices, install cryptocurrency mining malware on the device and use them as bots to mine cryptocurrency.  If successful, the cybercriminal keeps the cryptocurrency payout and continues the mining process.

There are several benefits of crypto-jacking for the cybercriminal:

  • If the malware is installed and operated discreetly (i.e. doesn’t take up 100% of the CPU or GPU capability), the owner of the hijacked device will not be aware that the device is being used to mine cryptocurrency and therefore the device can continue to be used.
  • There is no interaction with the device owner (as there would be with installing ransomware) which in turn decreases the risk for the cybercriminal.
  • The costs of computing power and electricity are avoided by the cybercriminal.
  • Due to the anonymity of the cryptocurrency, the profits can be taken without having to deal with banking systems, financial transfers etc.

The malware code for crypto-jacking is relatively simple and can be delivered onto target devices via traditional malware practices such as phishing, software download etc.

Clearly, hijacking more powerful devices (such as desktop computers) delivers better results. However, due to the ability to distribute computing power, IoT devices are also being targeted. In addition, it is less likely the malware will be detected on IoT devices as they have limited security functionality, tend to run on discrete tasks and are not necessarily ‘active’ all the time, e.g. alarm monitoring devices.

How Big is the Issue?

In October 2017, Trend Micro[3] estimated that there has been a 94% increase in blocked cryptocurrency mining activities from July – September 2017. This translated to 59% of home network attacks that were cryptocurrency related and 2.5 million home networks per week which were detected as running mining activities.

In March 2018, Windows Defender Antivirus blocked more than 80,000 instances of sophisticated trojans which carried a coin miner payload. Within 12 hours this had spread to 400,000 instances.

Kaspersky Labs[4] have seen 50% growth in the number of their users attacked by malicious miners in 2017 – with a total of 2.7 million users attacked (see Figure 2).

Figure 2. Number of Kaspersky Lab users attacked by malicious miners in 2017

SOURCE: Kaspersky Lab

Symantec[5] reports that they have seen large jumps in coin miner malware detection starting from September 2017 - with detection previously in the tens of thousands peaking at 1.6 million in December.

What are the Risks?

Whilst IoT devices have relatively low computing power, the attraction of mining cryptocurrencies still provides incentives for cybercriminals to infect as many devices as possible – even if their overall value is low.  However, this creates issues for the owners of the IoT devices. Firstly, the extended use of compute resources will slow down devices and cause them to use more power over time, which can potentially damage the device through overheating due to the greater usage of the CPU.  Whilst it is not in the cybercriminal’s long-term interests to push the device too hard (as this could lead to detection and/or cause the device to fail), many cybercriminals may be willing to take the short-term gain over the long-term crypto-mining benefits.

Apart from the device damage, the biggest risk is the disruption to the actual service which the IoT device was installed for.  For example, if the device was being used to monitor intrusion or fire security alarms, then these events may not be triggered which could lead to a significant loss of personal or business critical assets and even life.

Measures to minimise IoT security risks

There are a range of measures which can be employed by both homes and organisations to minimise the cyber security risks of IoT devices.  These include:

  • Auditing the number and types of IoT devices.
  • Disabling unnecessary devices.
  • Changing device passwords from factory defaults.
  • Enabling device firewalls (where applicable).
  • Being more aware of attack vectors such as phishing emails, downloading suspicious files, accessing websites etc.
  • Upgrading device software or installing latest patches to ensure each device is running the latest software version.
  • Installing specific IoT network software to discover, segment and monitor IoT devices in real time.
  • Assessing the physical vulnerabilities of the devices, e.g. can criminals replace devices or physically hack devices in common or insecure areas.

In addition, organisations need to build IoT awareness into their staff training programs and put in place purchasing rules which ensure devices are purchased from authorised and reputable resellers and that the device selection process includes the analysis of security options.
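One way to apply the real-time monitoring measure above to the discreet, throttled mining described earlier is to compare each device's CPU use with its own known-good baseline and alert on sustained elevation rather than on a fixed near-100% limit. This is an added example, not part of the original report; the device names, sample values and thresholds (`k`, `min_margin`, `min_run`) are constructed assumptions.

```python
from statistics import median

def baseline(samples):
    """Median and median absolute deviation (MAD) of known-good CPU % samples."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, mad

def sustained_elevation(history, recent, k=6.0, min_margin=10.0, min_run=6):
    """True when CPU stayed above the device's own baseline for min_run samples in a row."""
    med, mad = baseline(history)
    # Robust threshold: brief legitimate bursts in the history barely move median/MAD.
    threshold = med + max(k * mad, min_margin)
    run = longest = 0
    for s in recent:
        run = run + 1 if s > threshold else 0
        longest = max(longest, run)
    return longest >= min_run

def fixed_threshold(recent, limit=95.0):
    """Naive check for comparison: alert on any single sample at or above limit."""
    return any(s >= limit for s in recent)

# Constructed telemetry (not real data): CPU % sampled every 5 minutes per device.
FLEET = {
    "alarm-panel-01": {  # normally idle; a throttled miner holds it at 55-60%
        "history": [3, 4, 3, 5, 4, 3, 4, 6, 3, 4, 5, 3],
        "recent": [4, 5, 56, 58, 57, 60, 55, 59, 58, 57],
    },
    "cctv-cam-07": {  # legitimate short bursts while encoding motion events
        "history": [20, 22, 21, 85, 23, 20, 22, 21, 90, 22, 21, 20],
        "recent": [21, 22, 96, 23, 21, 20, 88, 22, 21, 23],
    },
}

def triage(fleet):
    """Run both checks per device so the two verdicts can be compared."""
    return {name: {"sustained": sustained_elevation(d["history"], d["recent"]),
                   "fixed": fixed_threshold(d["recent"])}
            for name, d in fleet.items()}

if __name__ == "__main__":
    for name, verdict in triage(FLEET).items():
        print(name, verdict)
```

The throttled device never reaches the fixed limit and is caught only by the baseline check, while the camera's brief legitimate bursts trip the fixed limit but not the sustained one.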

Conclusion

IoT is already being deployed across market segments and will continue to grow as businesses look for greater cost efficiencies, insights and competitive advantage.  However, the risks of cyberbreaches are real and threat actors will constantly look for ways to hack new devices – such as leveraging the growth in cryptocurrency mining. As such, individuals and organisations need to incorporate the management of IoT devices into their cyber defence strategies.

[1] Ericsson, ‘Internet of Things Outlook’, Ericsson Mobility Report, June 2017

[2] Deloitte Access Economics, ‘5G mobile – enabling businesses and economic growth’, October 2017

[3] Trend Micro, ‘By the Numbers: Are Your Smart Home Devices Being Used as Cryptocurrency Miners?’, 5 October 2017

[4] Kaspersky Lab, ‘Mining is the New Black’, 5 March 2018

[5] Symantec, ‘Internet Security Threat Report’, March 2018