Beware of Suspect Devices

In December 2013, many security industry observers gave their predictions for the threats they expected to emerge over the next year.  One of the most popular forecasts was criminals exploiting IP-based smart devices and appliances, to launch attacks or gather personal data.  These predictions were quickly realised in January 2014, with two security incidents that successfully targeted a range of unconventional devices.

First was the massive data breach at two leading US-based retailers, resulting in the theft of credit card and personal data belonging to 110 million customers.  The attackers used 'RAM scraping' malware planted in the point-of-sale terminals at retail stores.

Getting into a scrape

Even though these POS terminals are not computers as such, they do have processors and RAM, and perform basic functions: reading data from customers' credit cards, encrypting it and sending it to the retailer's back-end systems.

The RAM scraping malware activates when new card data is loaded into memory, before it is encrypted.  The malware grabs the data (including cardholder name, card number, expiry date and security code) and forwards it to the attacker.  While the POS terminals may not be directly connected to the Internet, the retail systems running the terminals are usually Windows-based and need regular patching and updates; they are also connected to other internal networks as well as the Internet.

So an attacker who can find a way into a retailer's Internet-facing server through a vulnerability may be able to move across to other local networks, and from there to the POS systems and terminals themselves.

Spam:  fresh from the fridge

The second incident involved more than 100,000 consumer devices, including an internet-connected refrigerator, smart TVs and multimedia hubs, being exploited to send more than 750,000 spam and phishing emails over the Christmas holidays.  This was the first reported attack to exploit both smart household devices and conventional computers.

The majority of the devices used in the attack were not infected by malware; they were simply left open, so that attackers were able to use their IP capabilities to relay spam and malware-carrying emails.  The incident highlights just how resourceful attackers have become in using unconventional, but effective, attack vectors.

Protecting things

Now that attacks against smart devices have begun, they will only escalate.  Analyst firm IDC forecasts that there will be 200 billion devices connected to the internet by 2020, compared with 5 billion devices today (around 1 billion PCs, 2 billion mobiles and tablets, and another 2 billion devices such as IP-based temperature monitors, webcams and so on).

Securing these devices will be a challenge.  Many have limited processing capability and so cannot run conventional anti-malware solutions.  Instead, security relies on users changing passwords and other settings away from their defaults, and ensuring the devices are not left open, in the same way that people are advised to protect their home Wi-Fi networks.

Larger-scale attacks such as the RAM scraping exploits against major retailers reinforce the need for organisations to maintain security best practices.  This includes applying the latest updates and patches to close off vulnerabilities, and deploying layers of security to protect networks and data so that even if one layer is breached, the next can stop the attack.  For example, organisations could isolate different network segments from each other using firewalls, to inhibit attacks from crossing networks, and use threat emulation or 'sandboxing' services to identify and isolate malicious files before they enter the network, so that infections do not occur.
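As an added example, not part of the article or of Check Point's products, the following Python check runs over constructed firewall egress log lines and flags the two behaviours described above: a non-mail device making outbound SMTP connections, as in the spam-relay incident, and a host in the POS segment reaching addresses outside its back-end network. The mail-relay allow-list, the subnets and the log format are assumptions.

```python
"""Egress-log check for two behaviours this article describes: smart devices
relaying spam (outbound SMTP from hosts that are not mail servers) and
traffic crossing from a POS segment into other networks.
The log format and all addresses are constructed for this example."""
import ipaddress
from collections import defaultdict

# Assumed policy: which internal hosts may send mail, and which subnets
# hold POS terminals that should only talk to the POS back end.
MAIL_RELAYS = {"10.0.5.10"}
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
POS_BACKEND = ipaddress.ip_network("10.20.1.0/24")
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log lines: "<time> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2014-01-12T03:14:02 10.0.7.42 -> 203.0.113.8:25 ALLOW
2014-01-12T03:14:03 10.0.7.42 -> 198.51.100.9:25 ALLOW
2014-01-12T03:14:05 10.0.5.10 -> 203.0.113.8:25 ALLOW
2014-01-12T03:15:01 10.20.0.17 -> 10.20.1.5:443 ALLOW
2014-01-12T03:15:09 10.20.0.17 -> 10.0.7.42:445 ALLOW
2014-01-12T03:16:00 10.0.7.42 -> 192.0.2.77:587 ALLOW
"""


def parse_line(line):
    """Return (src, dst, port) from one constructed log line."""
    _time, src, _arrow, dest, _action = line.split()
    dst, port = dest.rsplit(":", 1)
    return src, dst, int(port)


def find_suspect_devices(log_text):
    """Return {src_ip: [reasons]} for hosts whose egress breaks the policy."""
    smtp_counts = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        src, dst, port = parse_line(line)
        # A fridge or TV has no business speaking SMTP to the outside world.
        if port in SMTP_PORTS and src not in MAIL_RELAYS:
            smtp_counts[src] += 1
        # POS terminals should reach only the POS back-end subnet.
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in POS_SEGMENT and dst_ip not in POS_BACKEND:
            findings[src].append(f"POS host reached non-POS address {dst}:{port}")
    for src, n in smtp_counts.items():
        findings[src].append(f"{n} outbound SMTP connections from non-mail host")
    return dict(findings)
```

Running `find_suspect_devices(SAMPLE_LOG)` reports 10.0.7.42 for three outbound SMTP connections and 10.20.0.17 for crossing out of the POS segment, while the approved mail relay 10.0.5.10 is not flagged.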

Just as the 'Internet of Things' can enable a better-connected, more efficient world, it also gives criminals a better-connected, more efficient network for launching attacks.  We should be aware of the risks posed by suspect devices, a category that is rapidly becoming all devices.

Contributed by Keith Bird, UK managing director of Check Point