Cybercriminals are finally leveraging the thousands or millions of insecure devices in the so-called Internet of Things to launch cyberattacks.
Earlier this week, someone used a botnet made of more than 25,000 hacked CCTV cameras to launch a massive cyberattack on a jewelry store's website.
Just two days later, a security firm revealed that another group of cybercriminals had taken over more than 1,000 internet-connected cameras and turned them into a zombie army, launching attacks against three US gaming companies and some other targets in Brazil, including banks, telecom companies, and government agencies.
The two attacks had one thing in common: the use of hacked Internet of Things cameras as botnets. Earlier this year, the cybersecurity site Dark Reading presciently warned that criminals would soon target Internet of Things devices in an attempt to turn them into a Botnet of Things.
Botnets are large groups of computers that are controlled remotely by cybercriminals, often employed in distributed denial of service (DDoS) attacks, a type of cyberattack where someone sends an overwhelming amount of bogus or spoofed traffic to a target site in order to overload it and take it down.
"IoT essentially means 'hey, there's a small computer in there,' and for malicious actors, that also means 'prey!'"
"By naively connecting everything to the Internet, we have made our possessions and personal information extremely vulnerable," Deepak Patel, the vice president of engineering for security firm Imperva said at the time. "IoT essentially means 'hey, there's a small computer in there,' and for malicious actors, that also means 'prey!'"
That future is now.
Internet of Things devices are the "ideal target," as Arbor Networks security researcher Matthew Bing put it. The main reason is because they are often programmed with default and easy-to-guess passwords such as "admin" or "1234," and have no other security preventing anyone from accessing them. Also, usually their internet bandwidth isn't limited so it can be redirected to attack websites.
"All [hackers] are really looking for is the low-hanging fruit and also bandwidth, so IoT devices are popular targets because have a lot of them have default passwords and a lot of them do have a lot of bandwidth," Bing told me.
Ben Herzberg, security group research manager at Imperva, said that "it's very easy to take control" of these IoT devices, easier than taking control of computers or mobile devices.
That's exactly what the criminals behind the 1,000 cameras-strong botnet did. They used the DDoS tool Lizard Stresser, which was created and released by the hacking group Lizard Squad, reprogrammed it to search and take over a specific group of IoT cameras that used weak passwords, infected them with malware, and enlisted them for their DDoS'ing botnet.
These latest attacks are not the first ones to leverage internet-connected devices. In 2014, Lizard Square took down Xbox and PlayStation networks thanks to a botnet made of hacked routers. One thing is for sure, these won't be the last attacks of this kind.
"We don't see any decline in this trend and expect attackers to go after *any* device connected to the Internet (phone, computer, camera, home broadband router, etc.," CloudFlare's chief technology officer John Graham-Cumming wrote in an email. "we should expect to see more and more IoT based attacks because the industry hasn't yet got used to the need to update and patch (automatically) and neither have consumers."
Welcome to the future, where your internet-connected cameras, thermostats, or fridges will be taken over by a group of cybercriminals who want to take down someone else's website.