Windows-Powered IoT Responds to Desktop Vulnerabilities

As the Internet-of-Things space struggles to rid itself of its well-earned “insecurity” stigma, cybercriminals might start exploring an avenue of attack adapted from desktop computers. A backdoor implant built for the Windows operating system has been modified to work on connected devices that are attractive to malicious hackers.

Microsoft Windows is the operating system of close to 90% of laptops and desktops . There is also the IoT Core flavor, a variant that runs on a business-oriented smart devices such as digital signage systems, order processors, cocktail mixers, wearables for employees and kiosks. ATMs are also on the list, and manufacturers are looking at an upgrade to Windows 10 IoT by 2020.

Leaked in early 2017, DoublePulsar is a backdoor implant that can run on Windows Vista through 10, after the systems are compromised. The backdoor offers the attacker direct control over a target and researchers have shown it is compatible with Windows-powered embedded systems, even if they are not on the original list of targets.

Such details are a boon for criminals, who use them to create custom versions and turn the tools into whole new beasts capable of avoiding detection or covering new functionality. History has confirmed this trend multiple times, with Mirai serving as the best example in the IoT universe.

“Mirai-inspired botnets have become a thing only after source code of the original bot has been made public online, thus opening the door to wannabe cyber-criminals and less skilled black hats to join the business,” says Bogdan Botezatu, senior e-threat analyst at Bitdefender.

DoublePulsar is on the radar of many antivirus solutions, so it is unusable for backdoor access on desktops. However, things are different for the IoT variant, which has limited defenses and does not come with an antivirus – not even Windows Defender. Both researchers, who modified the backdoor to run on embedded systems, managed to plant it and obtain the highest privileges.

The two tests occurred a year apart, suggesting that the smart devices did not benefit from the same updates as Windows for desktop (patches against the hacking tools used to deliver DoublePulsar have been available since mid-March last year). Windows IoT Core receives feature updates twice a year, and security updates are delivered through IoT Core Services, available for a fee starting June.

Most smart devices lack the power for complex tasks, but they offer the advantage of connectivity, and they are online almost all the time. Weak defenses make them even more attractive targets that can increase the power of distributed denial of service (DDoS) attacks or act as a proxy for launching other types of attacks.

The appeal score increases manifold for “important devices with an easy monetization path, such as ATMs or Kiosk,” Botezatu says. He adds that the operating system is not a criteria for choosing a smart device to attack: the ability to perform a DNS query is enough to make it valuable, “especially when botmasters are competing between themselves to amass larger numbers of compromised devices.”

Image credit: pixabay