Internet of things (IoT) devices can be exploited during software updates and used as launch proxy servers to target businesses that are then extorted for monetary payment, according to a survey sponsored by Nexusguard, a specialist in distributed denial-of-service (DDoS) security solutions.
DDoS is often the first wave of attacks by hackers who use them to distract companies from other more targeted intrusions. Routers are also being used in Simple Service Discovery Protocol (SSDP) reflection attacks, which target unpatched or un-patchable routers.
These SSDP attacks are especially dangerous because they can utilize vulnerable routers to amplify an attack beyond normal bandwidth limits while also hiding the original source of the attack.
The report, conducted by research and market intelligence firm Cybersecurity Ventures, indicated that by year-end 2017, more than 20 percent of businesses will utilize security services to protect IoT initiatives.
"I found it compelling that IoT will be a key driver in security research and spending through 2025," Terrence Gareau, chief scientist at Nexusguard, told eWEEK. "The size of the global IoT market space at an estimated several trillion is simply astronomical."
In the past seven days Nexusguard saw 64 Internet-based scans for SSDP services, and in a recent attack the company tracked 559 edge devices that were being exploited, with more than half located in the United States, China, Bulgaria and Russia. Edge devices provide an entry point into enterprises’ or service providers’ core networks. The types of attacks we are seeing now go far beyond the digital world that we all live in," Gareau explained. "Gone are the days of only data breaches and privacy being compromised; these attacks are bridging the virtual and physical worlds and will cause harm that goes beyond the need for credit monitoring; these attacks have the potential to cause physical harm or death."
Thanks to the risk from cyber-attacks, the report found the multi-trillion dollar IoT market would likely lift security research and spending through 2025.
"We will begin to witness technology used to a greater extent in street crimes--including auto theft, home invasions, and digital voyeurism--digital crime will become more physical," Garneu said. "Companies as a whole now are becoming highly focused on security and security spending far more than 10 years ago. However, corporate cultures change and accept the fact there is no silver bullet to solve all of their security problems."
In addition, as older devices are no longer supported by manufacturers and patches and fixes stop, there will be increased opportunity for hackers.
"In my experience in the IT security world, IoT and device security reminds me of a cat and mouse chase. Every time a new device is released, it is exploited faster than security experts thought possible," Garneau said. "The tools for researchers and bad guys to assist with compromising these devices are becoming much easier to use, making the barrier of entry to target anything quite low. The question organizations need to be asking themselves is 'what are we doing about it today?'"