IoT devices become new targets for cybercriminals

Singapore entities are no strangers to cybersecurity incidents with even major government sites getting in the crosshairs of hackers from around the world in recent times.

Like previous years, 2016 saw its share of cyber attacks ranging from attempts to steal data, both institutional as well as personal, to the new menace called ransomware - where users' PCs and, sometimes, company servers are locked down by attackers who demand a monetary "ransom" to release the machines.

However, one attack in particular stands out this year, not so much because of the damage it caused but because it signifies a whole new level of sophistication in the modus operandi that hackers employ.

In October, StarHub's home broadband network's Domain Name Servers (DNS) came under what is known as a distributed denial of service (DDoS) attack.

These DNS servers run special-purpose networking software which translates a web address, such as www.starhub.com.sg, into a machine-readable set of digits that allows various devices to connect to the website.

StarHub thwarted the first attack within two hours and during the second, it took just 30 minutes to neutralise it.

According to the telco, there was no major damage in terms of loss of data or financial misappropriation.

What is significant is that the DDoS attack originated from devices within Singapore that were already connected to StarHub's broadband network.

In a DDoS attack, machines are infected with malicious code, which allows hackers to take control and use them to simultaneously and repeatedly send queries - such as log-in requests - to a server or website, with the objective of overwhelming it.

Devices such as Internet-connected DVR players, WiFi cameras, music systems and routers, among others, sitting in the homes of unsuspecting StarHub customers, and infected with malicious code, were taken over by hackers.

They used these machines to launch the DDoS attack.

These IoT (Internet of Things) end-point devices are made by a variety of manufacturers, many of whom supply unbranded and cheap products without adequate built-in security.

As Sanjay Aurora, Asia-Pacific managing director for security firm Darktrace, notes, such attacks can be mounted as a distraction, that is, undertaken to draw attention away from other intrusions being carried out against the target organisation at the same time.

Such intrusions could entail delivering malware, opening a route into key enterprise subscribers or perpetrating a large-scale ransomware attack.

The StarHub attack came close on the heels of a similar attack which occurred on some major global websites.

Known as the Dyn attack, this involved multiple DDoS attacks targeting systems operated by DNS provider Dyn.

This affected major Internet platforms and services, which were unavailable to large swathes of users in Europe and North America.

Sanjay Rohatgi, Symantec's senior vice-president for Asia Pacific and Japan (APJ), notes that the Dyn attack and the one on StarHub's network demonstrate "the vast number of IoT devices that don't have security on them and are tremendously vulnerable to attacks".

He adds that as more IoT devices are installed in the mass market, the risk of security breaches will increase.

"Once insecure devices are in the market, it becomes almost impossible to fix the issue without recalling them or issuing security updates," he adds.

Gartner predicts that by 2020, a black market exceeding US$5 billion will exist to sell fake sensor and video data for enabling criminal activity and protecting personal privacy.

Given that this lack of security will continue for the foreseeable future, the number of IoT attacks will only increase as well, Mr Rohatgi adds.

As Singapore's reputation as a commercial hub with high connectivity grows, cybersecurity will continue to play an increasing role in the national agenda, he says.

Neustar's Asia Pacific general manager, Robin Schmitt, adds that according to data published by his company, organisations in the Asia-Pacific region are less prepared to deal with online threats.

"The region leads the field in the amount of damage left in the wake of a DDoS attack, with 20 per cent of Asia-Pacific enterprises not even planning on investing more in DDoS defence," he adds.

Mr Schmitt paints a worrying picture. He says that with the advent of IoT technology's ubiquity, its exploitation is just one area in which attackers became more emboldened in 2016 as their actions result in highly publicised outages.

"The effectiveness of ransomware, phishing, and malware all reveal many inroads to creating lucrative chaos in organisations. Next year will produce unlimited opportunity and the potential for bad actors to achieve objectives that include theft, disruption, extortion, and impact," he says.

Ransomware, in which hackers infect a computer or server with encryption software and ask for a "ransom", is another increasing threat in Singapore - for both companies as well as individuals.

But it's difficult to track the number of ransomware victims in Singapore.

As the Cyber Security Agency (CSA) notes, not many people or organisations come forward to report such an attack.

However, a recent Dell EMC study reckons that Singapore ranks eighth in the Asia-Pacific region and 42nd globally, in terms of ransomware attacks, with an average of 16 attacks per day.

The average ransom demanded has jumped to US$679, up from US$294 at the end of last year, the study notes.

David Siah, Trend Micro's Singapore country manager, feels that in 2017, ransomware will remain a top threat.

"Its operations will become fuller, as more variants are produced; deeper, as well-planned targeted attacks are launched; and wider, as threats affect non-desktop targets like mobile phones and smart devices," he says.

Symantec's Mr Rohatgi observes that apart from DDoS and ransomware, the significant shift towards cloud-based storage and services is making cloud a lucrative target for attacks.

"The cloud is not always automatically protected by firewalls or more traditional security measures. Cloud attacks could result in multi-million dollar damages and loss of critical data, so the need to defend it will become even more crucial."

Overall, data theft is the objective of all hacking operations.

Methods and techniques may differ but the ultimate profit for cybercriminals lies in being able to steal data and monetise their ill-gotten gains.

The Dell EMC study notes that companies in Singapore, as well as globally, are unprepared for new, emerging threats in data protection.

Compared with 2014, this year at the global level, 13 per cent more businesses experienced data loss in the last 12 months, costing them an average of US$914,000.

The average cost of data loss for organisations in Singapore during the same period was more than US$1.3 million, significantly above the global average.

The study estimates that 28 local firms lost data over the past one year due to cyber attacks.

While the cybersecurity threat environment has intensified, Singapore's defences have also become more organised.

The government has set up the CSA to coordinate responses to cyber attacks in a more holistic manner.

This year it has also taken the important step of separating Internet surfing in the public services from work systems to ensure malicious code does not infect government servers.

Next year will also see new cybersecurity legislation being tabled in Parliament which will take into account the recent advances in technology and required steps to protect Singapore's digital network.

This year, Prime Minister Lee Hsien Loong has also outlined a new cybersecurity strategy in which the government will work with key stakeholders, including private-sector operators and the cybersecurity community, to strengthen the resilience of the Critical Information Infrastructure (CII) that supports Singapore's essential services.

As Mr Lee said, companies must understand that cybersecurity is "also their problem and make the necessary investment to protect their customers". He adds that, at the same time, individuals should stay safe online and "practise good cyber hygiene".


This article was first published on December 28, 2016.