The threat landscape around Internet of Things (IoT) products changed with the uncovering of the MIRAI botnet in August 2016. The Distributed Denial of Service (DDoS) attacks it launched were carried out by hundreds of thousands of compromised consumer devices that had not been regarded as an attack vector until then. The malware's source code was subsequently published online and is available to anyone interested in it. "Until the MIRAI attack, no one had taken the warnings regarding the threats reflected from IoT devices very seriously," explains Yotam Gutman, VP Marketing of the startup company SecuriThings, which specializes in security for IoT devices.

"Unlike the computer devices we had known in the past, IoT devices are characteristically designed to perform a set of simple, predetermined operations that do not always require a high processing capability. Today, IoT devices are designed to operate for 5 to 15 years without any downtime or maintenance. This field generates narrow profit margins and as such, information security around it should, on the one hand, offer an added value, while on the other hand fitting into a very tight equation of operating costs."

Manipulation of the Device Code

There are IoT devices of many types, and as technology advances and component costs fall they keep getting more sophisticated: a security camera, for example, now combines sensing, processing and communication capabilities in one unit. Such devices run a 'lean' Linux operating system and support remote access and software installation. "Such devices enable a potential attacker to control them remotely and install malware," explains Gutman. "Security systems for the IoT device category currently focus on the communication medium between the devices and the cloud or among the devices themselves and ignore the vector of code manipulation on the device itself. This is the gap we enter in order to provide a solution."

The solution SecuriThings offers is multidimensional and consists of a software element installed on the device itself and a cloud-based Big Data system that processes the information and identifies anomalies. The combined presence on the device and in the cloud enables prompt detection of attacks by processing substantial amounts of data coming in from millions of devices. Knowledge accumulated across all of the monitored devices gives IoT service providers real-time visibility and the ability to stop attacks before they spread and inflict damage on the devices themselves.

The system architecture was conceived out of the need to provide real-time protection for thousands of interconnected devices in such major operations as Smart City projects. A Smart City project will have hundreds of thousands of sensors connected to the Internet. Every IoT device on which code can be run becomes a point of access into the organizational, municipal or state network. All of these devices must be inventoried, and the communication of all of them must be monitored, so as to recognize when a device has been taken over and its behavior has changed from legitimate to malicious.

"One important point is the realization that any IoT device deployed in the street, in a playground, by a road, on a utility pole or anywhere else in the public space is exposed to physical attack. In addition to the remote takeover option, there is also the option of physically accessing the device, disassembling it, planting code and replacing it. Unless you monitor its behavior, you will never know something happened. Around the world, networks made up of tens of thousands, hundreds of thousands and possibly even millions of such devices, deployed in the public space of the state, are being discussed," explains Gutman.

Not Just DDoS

The IoT attacks of the last few years have mostly been DDoS attacks: hundreds of thousands of hijacked devices acting as bots under a command-and-control center (human-operated or automated) in order to exhaust the computing resources of the target. From a business point of view, such an attack disrupts the target's ability to maintain its business activity and inflicts financial damage. From an operational point of view, it also harms the devices recruited into the botnet: devices designed to perform a specific task are suddenly made to transmit continuously, an activity that drains their batteries and degrades their performance, potentially to the point of rendering the device completely inoperable.

As IoT attacks evolve, new attack configurations can be expected. "In the future, we can expect to see camera-based ransom attacks. The attacker will be able to dominate a camera in a home, a business or in the street, and use the footage being recorded as a bargaining card for the purpose of blackmailing people," says Gutman. "An attacker will also be able to dominate a traffic light network and demand ransom from a mayor. Another type of attack involves 'sleeper' attacks. An attacker will be able to install his software on IoT devices, to be activated at a certain time and only where he wants it to be activated according to his interests. Such attacks can inflict financial damage or serve as a tool by a state in a wartime situation, to wreak chaos in the public domain.

"Another type of attack could be directed against such security resources as surveillance cameras, locks or gates by criminal organizations, as part of a carefully-planned criminal activity. The option of dominating a device, causing it to rotate at a certain angle or transmit the same picture over and over again, can be used to create a false picture while a crime is being committed."
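The behavioral monitoring the article keeps returning to can be made concrete with a small detector for the two symptoms just described: a device that suddenly transmits continuously after being recruited into a botnet, and a camera that keeps sending the same picture while a crime is committed. The following is an added example written for this page; it is not SecuriThings' code (the article does not describe their internals), and the telemetry records, device names, the five-window learning period and the alert thresholds are all constructed assumptions.

```python
import hashlib
import statistics
from collections import defaultdict

LEARN_WINDOWS = 5   # windows used to learn each device's normal profile (assumed tuning value)


def frame_digest(frame: bytes) -> str:
    """Short digest of a captured frame; a real agent would hash the encoded keyframe."""
    return hashlib.sha256(frame).hexdigest()[:16]


def build_sample():
    """Constructed telemetry, one record per device per one-minute window:
    (device_id, window_index, bytes_sent, digest of last frame or None for non-cameras).
    cam-17 behaves normally, then is recruited into a botnet at window 6.
    cam-42 keeps a normal traffic profile but replays the same frame from window 4 on.
    sensor-3 is a low-bandwidth sensor that stays normal throughout."""
    records = []
    for w in range(1, 9):
        cam17 = 120_000 + 1_000 * (w % 3) if w < 6 else 2_400_000
        records.append(("cam-17", w, cam17, frame_digest(b"cam-17 frame %d" % w)))
        cam42_frame = b"cam-42 frame %d" % (w if w < 4 else 3)
        records.append(("cam-42", w, 118_000 + 900 * (w % 2), frame_digest(cam42_frame)))
        records.append(("sensor-3", w, 400 + 10 * (w % 4), None))
    return records


def build_baseline(records, learn_windows=LEARN_WINDOWS):
    """Per-device mean and spread of bytes_sent over the learning windows.
    The spread is floored at 5% of the mean so that a perfectly steady device
    (zero variance) does not alert on the first harmless fluctuation."""
    per_dev = defaultdict(list)
    for dev, w, nbytes, _ in records:
        if w <= learn_windows:
            per_dev[dev].append(nbytes)
    baseline = {}
    for dev, vals in per_dev.items():
        mean = statistics.fmean(vals)
        sigma = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[dev] = (mean, max(sigma, 0.05 * mean))
    return baseline


def traffic_anomalies(records, baseline, learn_windows=LEARN_WINDOWS, factor=5.0):
    """Windows after the learning period whose outbound volume exceeds mean + factor*sigma.
    A camera that starts flooding a DDoS target shows up as a sustained multiple of its
    own baseline. Returns (device, window, bytes_sent, multiple_of_baseline) tuples."""
    alerts = []
    for dev, w, nbytes, _ in records:
        if w <= learn_windows or dev not in baseline:
            continue
        mean, sigma = baseline[dev]
        if nbytes > mean + factor * sigma:
            alerts.append((dev, w, nbytes, round(nbytes / mean, 1)))
    return alerts


def frozen_feeds(records, min_run=3):
    """Cameras whose last-frame digest is identical in min_run or more consecutive windows,
    the signature of a feed being replayed while something happens off camera.
    Returns {device: (first_window_of_run, run_length)} for the longest run per device."""
    by_dev = defaultdict(list)
    for dev, w, _, digest in sorted(records, key=lambda r: (r[0], r[1])):
        if digest is not None:
            by_dev[dev].append((w, digest))
    flagged = {}
    for dev, seq in by_dev.items():
        run_start, run_len = seq[0][0], 1
        best = (run_start, run_len)
        for (_, prev_digest), (w, digest) in zip(seq, seq[1:]):
            if digest == prev_digest:
                run_len += 1
            else:
                run_start, run_len = w, 1
            if run_len > best[1]:
                best = (run_start, run_len)
        if best[1] >= min_run:
            flagged[dev] = best
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    base = build_baseline(sample)
    for dev, w, nbytes, mult in traffic_anomalies(sample, base):
        print(f"TRAFFIC  {dev} window {w}: {nbytes} bytes, {mult}x baseline")
    for dev, (start, run) in frozen_feeds(sample).items():
        print(f"FROZEN   {dev}: same frame for {run} windows starting at window {start}")
```

Run as a script, it flags cam-17 from window 6 onward (roughly 20x its own baseline) and cam-42 as a frozen feed from window 3, while sensor-3 and cam-42's traffic volume stay quiet. Two caveats for real deployments: the volume check is one-sided, so a device that goes silent (or is physically swapped, as Gutman describes) needs a separate heartbeat or attestation check, and the frame digest must be computed on the device, since an attacker who controls the network path can replay the stream and the frames alike.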

Along with the technological threats to IoT infrastructures, the human factor also plays a role. Insiders with legitimate access to an organization's systems can connect to remote devices and cameras and use the data for their own pleasure or for financial gain without hacking anything. "This is the reason why it is important for security systems to provide alerts for external attacks (hacking) as well as for unauthorized use by internal elements (insider threat)," explains Gutman.

The world of IoT devices in the private, business and public sectors will undoubtedly keep developing and growing in the coming years. Smart cities, smart buildings, smart sites and autonomous management of processes in the public domain are only a few of the applications already being discussed. All of them are expected to increase the number and severity of cyber threats aimed specifically at IoT devices.