A while ago I was asked by a journalist about an example of malware of which it had been reported that it could be developed to spread to a far wider range of hardware and architectures than the PCs it was actually known to attack. Malware that aims to spread over all those devices sounds more Proof of Concept than anything immediately purposeful (except in terms of old-school “look at how many machines I infected” bragging rights) but distinguishing between targets by architecture as well as broad platform does suggest potential for much more targeted attacks in the future. This is a scenario that could be compared to Java malware: devices using a range of versions, update and patch levels - where an update mechanism exists at all - but also, apparently, other architectures (ARM, MIPS and so on).
A possibility exists – and most of the conversation around threats against the Internet of Things concerns possibilities, rather than hard threats or even likelihood – of malware that discriminates not only by machine but by function, providing openings for other kinds of malicious activity. At the same time, end users may be as unaware of what is running on their devices as those people recently affected by intrusive or faulty firmware updates for TV/audiovisual technology, for instance. Attempts to hack Samsung Linux-based firmware and indeterminate vulnerabilities in that firmware have been reported for several years. Targeted threats are often seen as associated with individuals working in huge corporations, but they can be and are scaled down to smaller target groups such as SMEs, Mom and Pop shops, activist groups, even private individuals. There’s nothing outlandish either about the idea of an individual being targeted externally to an organization in order to exploit his access to internal resources via remote access channels.
Targeting devices that aren’t PCs and therefore probably don’t have an explicit malware detection mechanism would reduce the likelihood of early detection of device-specific malware. Payloads that would take advantage of device-specific functionality would require significant research and development, but who, a few years ago, would have given much thought to the likelihood of malware targeting uranium enrichment centrifuges?
The likelihood of mass-market security software especially designed for the whole range of devices that might be exploitable isn’t great. The companies making such devices would have to be prepared to discuss potential intrusive or disruptive attacks against such devices in the design and planning stages, and how countermeasures might be implemented, with specialist security companies. I guess we can only hope that the makers of a whole range of devices will devote more thought to building in sound security and update mechanisms for internet-connected devices. My own experience in healthcare in the decade before this one, and Bring Your Own Device (BYOD) issues in more recent years, suggest that it will take substantial evidence before manufacturers truly appreciate that they are making exploitable networked computer systems rather than isolated devices.
However, the fact that eavesdropping, sabotage and other attacks are or may be possible in surprising contexts doesn’t mean that they’re likely. The internet may have elements of the Wild West (and always did), but it hasn’t turned into a gigantic stage set from 1984, even if a laptop or television screen can sometimes behave like Big Brother’s telescreens. (That’s the 1984 Big Brother, not the TV unreality show.)
Nor are we all now players in a universal game of Cluedo where Professor Plum is likely to be bumped off by Wi-Fi-controlled sabotage of his pacemaker, Colonel Mustard and his library is about to be set on fire by a subverted heating system, or Miss Scarlett might die of a seizure induced by flashing lights controlled by a tablet app. There may be more possibilities for exotic attacks in a world where even your toilet may be online, and security company PR offices are having lots of fun flagging such exotica, but what is possible in cybercrime usually only actually happens if someone sees a substantial profit in developing an attack.
David Harley
ESET Senior Research Fellow