When it comes to Internet of Things (IoT) devices, everything from smart glasses to connected cars is susceptible to malware infection if not properly secured, Fortinet senior researcher Axelle Apvrille said in a presentation at the DefCamp 2016 security conference in Bucharest, Romania this week.
CCTV cameras, DVRs and network routers have made headlines recently as vulnerable IoT devices due to their connection to distributed denial of service (DDoS) botnets such as Miraiand Bashlite, but malware could target more devices, including smart toys, home appliances, wearables, and more. In fact, the future could be a dark one for such devices and for their users, the researcher says.
The only required trigger for such attacks to become norm would be for the cymbercriminals to find a way to monetize such infections. “Ultimately, the purpose of IoT malware is financial. It’s the money that their developers are after, the same as those behind other malware out there,” Apvrille told SecurityWeek at the conference.
The computing power of targeted devices doesn’t even matter, she explained. As long as these devices have an Internet connection that can be exploited to send spam messages or launch distributed denial of service attacks, malware authors will be interested in them, especially since Mirai has shown that they can be easily compromised.
“If a device has firmware, there could be some room left for an attacker to install malware, because it doesn’t have to be complex malicious code. In fact, such malware only needs 4 bytes of memory,” the security researcher explained.
With actors targeting less complex devices, it might not be too long before IoT malware completely surrounds us, Apvrille explained. It only takes a single vulnerable entry point for attackers to find and exploit, and entire home or corporate networks could be infected via a connected device.
Security researchers previously explained that the main purpose of IoT malware is to launch of DDoS attacks, but Apvrille says that these devices could be infected for other nefarious purposes as well, including ransomware, Trojans, and spyware.