IoT malware often relies on old vulnerabilities

A survey of malware that exploits vulnerabilities in connected devices may explain why this category of systems continues to pose a risk to its network ecosystem. Long delays in releasing patches and difficulty in tracking bugs are major reasons the Internet of Things continues to be tagged as insecure.

At the ninth edition of the DefCamp security conference in Bucharest this month, independent security researcher Andrei Costin talked about IoT malware and some factors that contribute to keeping threats active long after a solution becomes available.

Costin says some vulnerabilities affecting Internet-of-Things systems lack an identifier such as the one given to entries in the Common Vulnerabilities and Exposures (CVE) public list. This impedes the development of effective defenses: without a common identifier, an exploit for such a bug can slip past security solutions that rely on specific rules (IDS/IPS, YARA) to identify and block threats.

One reason Costin suggests for this state of affairs is an insufficiently optimized filing or assigning process, which delays the release of a CVE number. Another is that researchers simply don't ask for an identifier, which would make sense considering the large number of security bugs discovered in IoT devices.

Regardless of the root cause, this creates a messy problem when the infosec community wants to exchange information about vulnerabilities actively exploited by malware, since a vulnerability is difficult to discuss without a common reference to it.

Because of the huge diversity of IoT systems, creating an antivirus program compatible with all of them is not feasible. Instead, the antivirus industry devised a solution that protects the entire home network. A hardware security product like Bitdefender BOX inspects incoming traffic and identifies and blocks malicious communication. This way, BOX can mitigate attacks even against unpatched IoT systems.

During his study in collaboration with Cisco Talos malware researcher Jonas Zaddach, Costin noticed that a fix for a known, easy-to-exploit vulnerability sometimes took half a year to become publicly available, more than enough time for exploits and IoT threats to emerge and do their work.

Some malware families analyzed by the duo exploited vulnerabilities that had been known to the security industry for two years, yet there was still no patch for them. Today, cybercriminals bundle a lot more than three exploits into their malicious programs, giving them a wider net for compromising unpatched devices.

The public knowledge needed to create defenses against medium- and high-risk IoT security bugs was available at least 90 days before the first malware sample that leveraged them appeared.

A window of opportunity this large lets cybercriminals plan and build operations without the pressure of having to act before a patch is released. Until the delay in shipping fixes or defense rules for smart devices is reduced, the bad guys will continue to have a huge market for their business.
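The two figures the article turns on, the delay between disclosure and a defense, and the lead time defenders had before the first malware sample, are what a tracker for IoT bugs should measure. The following is an added example, not code or data from Costin and Zaddach's survey: it keeps a small constructed list of vulnerability records (the names, dates and CVE-style identifiers are made up for illustration) and computes per-bug patch delay, defender lead time, and which entries lack a common identifier and therefore cannot be matched by identifier-based rules.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class IotVuln:
    name: str                          # short vendor/product label (constructed)
    identifier: Optional[str]          # CVE id if one was assigned, else None
    disclosed: date                    # first public disclosure
    defense_available: Optional[date]  # patch or detection rule published; None if still missing
    first_malware: Optional[date]      # first malware sample seen exploiting it; None if none yet


# Constructed sample records; identifiers and dates are illustrative placeholders,
# not entries from the survey or the CVE list.
SAMPLE = [
    IotVuln("router-A cmd injection", "CVE-0000-00001", date(2017, 1, 10), date(2017, 2, 1), date(2017, 6, 15)),
    IotVuln("camera-B auth bypass", None, date(2016, 3, 5), date(2016, 9, 20), date(2016, 4, 30)),
    IotVuln("dvr-C default creds", None, date(2015, 8, 1), None, date(2017, 8, 1)),
    IotVuln("nas-D path traversal", "CVE-0000-00002", date(2018, 4, 2), date(2018, 4, 12), None),
]


def patch_delay_days(v: IotVuln) -> Optional[int]:
    """Days from public disclosure until a patch or rule was available (None if still missing)."""
    if v.defense_available is None:
        return None
    return (v.defense_available - v.disclosed).days


def lead_time_days(v: IotVuln) -> Optional[int]:
    """Days between a defense becoming available and the first malware sample.

    Positive: defenders had that much lead time. Negative: malware appeared
    before any defense existed. None when either date is unknown.
    """
    if v.defense_available is None or v.first_malware is None:
        return None
    return (v.first_malware - v.defense_available).days


def summarize(vulns):
    """Aggregate the exposure picture for a list of IotVuln records."""
    leads = [lead_time_days(v) for v in vulns]
    known_leads = [d for d in leads if d is not None]
    delays = [d for d in map(patch_delay_days, vulns) if d is not None]
    return {
        "total": len(vulns),
        # No CVE-style identifier: cannot be referenced by identifier-based IDS/IPS or YARA rules.
        "missing_identifier": [v.name for v in vulns if v.identifier is None],
        "no_defense_yet": [v.name for v in vulns if v.defense_available is None],
        "malware_before_defense": [v.name for v, d in zip(vulns, leads) if d is not None and d < 0],
        "median_lead_days": median(known_leads) if known_leads else None,
        "max_patch_delay_days": max(delays) if delays else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run on the constructed sample, the summary flags the two entries without an identifier, the one bug that still has no defense, and the one where malware predated the fix, and reports the longest disclosure-to-defense delay (199 days here, in the same range as the half-year figure the article cites).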

Image credit: geralt
