There are strong indications that both smartphones and Internet of Things (IoT) devices have become major entry points for malware, and that compromised IoT devices are being conscripted into botnets used to launch distributed denial of service (DDoS) attacks. This is exactly what security experts have been worrying about.
One such indication: Level 3 Communications Inc. (NYSE: LVLT) and research partner Flashpoint found a million devices, 95% of them connected machines such as thermostats, webcams and DVRs, that had been operating as botnet nodes for an extended period after being compromised by widely circulated malware known by names such as Lizkebab and BASHLITE.
The other: Nokia Corp.'s (NYSE: NOK) latest malware report shows that infections of mobile devices rose 96% in the first half of 2016, reaching an all-time high in April. Most of those infections hit Android phones, and many arrived as malware inserted into applications that users downloaded from sources other than Google Play. (See Nokia Sees Boom in Smartphone Malware.)
Taken separately, neither trend is good news, and both need to be addressed. Together, they represent the mobile-device threat that many have long expected but that had not yet materialized.
Who hacks a thermostat?
Because IoT means millions of newly connected devices of many types, security has been a concern, but most of that concern has centered on theft of the data the devices collect or on hacking a connected car. There was less worry about traditional threats such as DDoS attacks, on the reasoning that an individual thermostat or camera lacks the compute power of a PC or even a smartphone.
As it turns out, compromising IoT devices in volume does yield a substantial botnet army, and one with the added benefit, for the attacker, of being much less detectable, notes Dale Drew, Level 3's chief security officer. Consumers normally discover that a PC or laptop has been compromised when it starts misbehaving: memory or CPU exhaustion or a sluggish network connection, all caused by the botnet activity. Then they investigate, find that their security has been compromised and take action.
"People don't log into devices like thermostats or DVRs, so as long as they continue to do their primary function, the [breach] can go undetected for an extended period of time," Drew says. Unless the network activity happens to interfere with the device function -- such as a DVR suddenly developing buffering issues -- the botnet activity can continue working in the background for some time, which is what Level 3 and Flashpoint discovered was actually happening.
You can read details of their discovery in this blog.
Drew thinks device makers need to be held more accountable, both for shipping better out-of-the-box security settings and for providing automated patching once security problems are detected. Many of the IoT devices currently flooding the market have very sloppy security, he says.
Consumers will have to play a role too. One thing they can do is monitor their home network for bandwidth being consumed at odd hours, such as the middle of the night, or by a device that has no reason to be moving much traffic at all. Broadband ISPs should help in that process by giving consumers a view of their bandwidth consumption.
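The two checks just described, unusual volume from a device that should be nearly idle and traffic concentrated in the small hours, are simple enough to script. The block below is an added example written for this article, not Level 3's or Flashpoint's code. It assumes a home router that can export per-device outbound byte counts every five minutes; the log lines and the per-device baselines are constructed for illustration.

```python
"""Spot an IoT device that is moving traffic it has no business moving.

Added example for this article; it is not Level 3's or Flashpoint's code. It
assumes a home router that can export per-device outbound byte counts at a fixed
interval (here every five minutes). The log lines and per-device baselines below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed samples: "timestamp,device,bytes_out" per five-minute interval.
SAMPLE_LOG = """\
2016-08-30T14:00:00,thermostat,1200
2016-08-30T14:05:00,thermostat,900
2016-08-30T14:10:00,dvr,48000
2016-08-30T14:15:00,laptop,5200000
2016-08-31T03:00:00,thermostat,1100
2016-08-31T03:05:00,dvr,63000000
2016-08-31T03:10:00,dvr,71000000
2016-08-31T03:15:00,laptop,1400
"""

# Assumed "normal" outbound bytes per interval for devices that should be nearly
# idle. Laptops and phones are deliberately not baselined: their use varies too
# much for a crude threshold to mean anything.
BASELINE = {"thermostat": 5_000, "dvr": 100_000}
NIGHT_HOURS = range(0, 6)  # 00:00 to 05:59 local time


def parse_log(text):
    """Turn the CSV export into (datetime, device, bytes_out) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, device, nbytes = line.split(",")
        records.append((datetime.fromisoformat(ts), device, int(nbytes)))
    return records


def flag_anomalies(records, baseline, factor=10, night_hours=NIGHT_HOURS):
    """Return one hit per interval in which a baselined device exceeded factor * baseline.

    Each hit also records whether it happened at night, the second signal the
    article describes: traffic while nobody in the house is using anything.
    """
    hits = []
    for ts, device, nbytes in records:
        if device not in baseline:
            continue
        if nbytes > factor * baseline[device]:
            hits.append({"device": device, "time": ts.isoformat(),
                         "bytes": nbytes, "at_night": ts.hour in night_hours})
    return hits


def night_share(records, night_hours=NIGHT_HOURS):
    """Fraction of each device's total outbound bytes that moved during night hours.

    A DVR that sends almost everything at 3 a.m. looks very different from a
    laptop that sends almost nothing then, even with no baseline at all.
    """
    day = defaultdict(int)
    night = defaultdict(int)
    for ts, device, nbytes in records:
        (night if ts.hour in night_hours else day)[device] += nbytes
    devices = set(day) | set(night)
    return {d: night[d] / (night[d] + day[d]) for d in devices}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in flag_anomalies(recs, BASELINE):
        print("suspicious:", hit)
    for device, share in sorted(night_share(recs).items()):
        print(f"{device}: {share:.1%} of outbound bytes sent at night")
```

On the constructed log the thermostat never trips either check, the laptop is skipped because it has no baseline, and the DVR is flagged twice, both times at 3 a.m., with essentially all of its outbound traffic falling in the night window. The thresholds are a starting point, not a rule: a DVR that uploads recordings overnight by design would need its baseline set from a week of known-clean traffic first.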
Finding more than Pokemon
Smartphones now account for more than 78% of mobile network infections, a substantial leap from the past, says Kevin McNamee, director of the Nokia Threat Intelligence Lab. Most of that is happening on Android phones, where the open operating system and broader array of app stores give attackers more opportunities.
"Most of what we are seeing is Trojanized applications," he says. "The attacker will take an app, perhaps a popular game, and inject their malware into that game. And then there are a number of ways that can be monetized and exploited."
For example, he says, ransomware can lock the device and demand payment to unlock it; spyphone apps can track the device's location along with the user's phone calls, text messages and even browsing habits; or the malware can subject the phone's owner to "fairly aggressive adware" that serves continual popup ads that are hard to block.
The malware can also harvest the user's personal information and send it off to its command-and-control infrastructure.
"The malware is becoming a fair bit more sophisticated," McNamee says. "The more sophisticated stuff tends to root the device, so it can get more embedded into the operating system itself and gain a permanent foothold that is difficult to get rid of and that conceals its presence from antivirus software."
That gives the attackers control of the device, which lets them install other applications the end user ends up paying for, with the money from those downloads flowing back to the criminals, he notes. SMS Trojans sit on the phone and send messages to premium-rate SMS numbers, messages for which the end user is charged. Or the malware sits on the phone clicking on ads, generating revenue through "pay for click" services that in turn funnel money back to the bad guys.
Like Level 3's Drew, McNamee says this is very much "buyer beware" time. Users need to be cautious about downloading applications from lesser-known app stores or sites, and stick instead to reputable stores. They should also avoid clicking on links or text messages that push apps, and install a reputable anti-virus program on their phones.
Wireless network operators have become the first line of defense for a lot of this activity, since they are often the ones who notice billing changes and can alert the end user to the problem, McNamee says.
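The premium-SMS monetization described above leaves exactly the billing footprint an operator is positioned to see: a handset that abruptly starts texting premium-rate short codes at a rate no person types. The block below is an added example written for this article, not Nokia's code. It assumes the operator has per-message records of the form "timestamp,subscriber,destination" and a billing table of premium-rate short codes; both the records and the short-code list are constructed for illustration.

```python
"""Flag handsets that abruptly start texting premium-rate short codes.

Added example for this article; it is not Nokia's code. It assumes an operator
has per-message records of the form "timestamp,subscriber,destination" and a
billing table of premium-rate short codes. Both the records and the short-code
list below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Assumed premium-rate short codes from the operator's billing table.
PREMIUM_SHORT_CODES = {"80085", "34343", "7979"}

# Constructed message records. Subscriber +15550100 sends one premium text,
# which a person might well do on purpose; +15550101 fires seven in ten seconds,
# which is the SMS Trojan pattern described in the article.
SAMPLE_RECORDS = """\
2016-06-02T09:01:10,+15550100,+15550199
2016-06-02T09:05:42,+15550100,34343
2016-06-02T12:30:00,+15550101,+15550177
2016-06-02T12:30:05,+15550101,80085
2016-06-02T12:30:06,+15550101,80085
2016-06-02T12:30:07,+15550101,7979
2016-06-02T12:30:08,+15550101,80085
2016-06-02T12:30:09,+15550101,34343
2016-06-02T12:30:10,+15550101,80085
2016-06-02T12:30:11,+15550101,7979
"""


def parse_records(text):
    """Turn the CSV records into (datetime, subscriber, destination) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, subscriber, dest = line.split(",")
        records.append((datetime.fromisoformat(ts), subscriber, dest))
    return records


def premium_sms_alerts(records, premium, max_per_hour=5, min_share=0.5):
    """Return one alert per (subscriber, clock hour) that looks like automated premium texting.

    Both conditions must hold, so a person who knowingly buys one ringtone is not
    paged: more than max_per_hour premium messages in the hour, and premium
    messages making up at least min_share of everything the handset sent that hour.
    """
    per_hour = defaultdict(lambda: {"premium": 0, "total": 0})
    for ts, subscriber, dest in records:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        bucket = per_hour[(subscriber, hour)]
        bucket["total"] += 1
        if dest in premium:
            bucket["premium"] += 1

    alerts = []
    for (subscriber, hour), counts in sorted(per_hour.items()):
        share = counts["premium"] / counts["total"]
        if counts["premium"] > max_per_hour and share >= min_share:
            alerts.append({"subscriber": subscriber, "hour": hour.isoformat(),
                           "premium": counts["premium"], "total": counts["total"],
                           "share": round(share, 2)})
    return alerts


if __name__ == "__main__":
    for alert in premium_sms_alerts(parse_records(SAMPLE_RECORDS), PREMIUM_SHORT_CODES):
        print("possible SMS Trojan:", alert)
```

On the constructed records only +15550101 is flagged (seven premium messages out of eight in the 12:00 hour); +15550100's single premium text is below the count threshold. Lowering max_per_hour to zero would flag that subscriber as well, which is the trade-off between catching a slow-dripping Trojan and annoying a customer who bought a ringtone.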
A changing role?
Drew also sees the role of broadband network operators changing: they become responsible not only for identifying bad actors but for taking action against them. Where the networks were once open highways, he now sees a responsibility to crack down on speeders and on those transporting drugs or stolen goods, which is to say the hackers, botnet operators and malware authors.
"We are definitely taking a much more proactive role in identifying that traffic," Drew says. "We not only want to educate users about it, but we are blocking it when we see it. The amount of visibility that broadband providers have into what is going on is increasing, so it is significant that we step up to make the Internet in general more safe."
— Carol Wilson, Editor-at-Large, Light Reading