The Use of IoT in Offensive Cyber Activities

The realm of cyber-attacks has advanced over the years, both in regards to the scope of the phenomenon and in terms of the technological abilities displayed by the attackers. One recently developing field in this realm is the use of terminal equipment, including communications equipment such as routers and IoT (Internet of Things) devices that are connected to the Internet but are not protected from breaches at a level customary for computers and cellular devices. This trend comes hand in hand with the growing use of IoT devices and the increasing connectivity of electronic devices (security cameras, gates, smart TV's, etc.) to the Internet, in order to better the user experience through regular updates and remote control. Experts in this field estimate that there are over six billion IoT devices in use around the world, in addition to leading devices such as telephones, tablets, and computers, which are protected in one way or another against breaches.[1]

In this manner, the cyber world is integrating into the public, government, military, economic, and personal spheres, while significantly contributing to advancement and development in all areas of life. Such a comprehensive use of the cyber world, however, serves as a source for risks stemming from cyber-attacks; security risks such as information leaks or prevention of the use of various systems, as well as those related to criminal activity.

The Internet and advanced communications technologies have also become an important element for terrorist organizations, which use the cyber-space for a wide range of, mostly operational, activities such as fundraising, recruitment, intelligence gathering, the dissemination of ideologies (such as radicalization and religious justifications) and information (such as reports on victories in the battlefield), as well as marketing. Although the use of cyberspace for offensive activities is not entirely absent from the field of terrorism, terrorist organizations have not yet demonstrated significant independent capabilities. Nevertheless, it should be taken into consideration that offensive cyber capabilities are likely to change significantly and immediately in any of the following scenarios: assistance from a terror-supporting state, the acquisition of knowledge or capabilities from international criminal elements offering their services for a fee on the darknet, or by recruiting computer experts (hackers) with high professional capabilities.

Cyber-attacks carried out by terrorist organizations to date have been at the most basic level. These attacks, most of which exploit weaknesses in the attacked systems, also indicate the potential damage inherent in them, both in the context of intelligence exposure and in regards to the operation or disruption of terminal equipment. During 2016, a growing interest was detected on the part of terrorist and criminal elements in IoT devices and in attacks on those devices. Among the incidents worth noting are the following:

• In February 2016, on a television program about a group of Shi’ite hackers affiliated with Hezbollah named Kadimon (translation from Arabic: “we are coming”), it was claimed that members of the group had hacked security cameras in Israel, including cameras located at the Ministry of Defense building in Tel Aviv.[2] This incident emphasizes the organization’s ability to exploit and use security cameras to collect visual and even audio information in places in which the cameras also have microphones installed.
• In October 2016, an unidentified source launched a comprehensive DDoS (“Denial of Service”) attack, which imposes a traffic load level that prevents the continued functioning of the system, against the Dyn Company, which manages DNS services. At the height of the attack, it reached a traffic volume of 1.2 terabytes per second, which was defined by experts as the largest attack of its kind ever documented.[3] The attack disrupted the proper functioning of over 70 leading Web sites, including social networks (such as Reddit, Yelp, Tumblr and Twitter), commerce sites (Visa, PayPal, Amazon), news sites (BBC, CNN, New York Times), entertainment and television sites (HBO, PlayStation), and more. The attack was carried out using a network of tens of millions of IoT devices that operated as a Botnet (a network of remotely operated computers), including security cameras, baby monitors and electric gates.[4] These devices were attacked using a malware named Mirai, which attacks Linux-based systems and creates a Botnet server that enables the launch of DDoS attacks, whose existence was published several weeks before the attack as open-source.[5] The incident illustrates how many IoT devices were used as a tool for a massive attack against another target.
• At the end of November 2016, over 900,000 customers of the German telecommunications company, Telekom Deutsche, suffered temporary connection problems including slowdowns in browsing speed, difficulties connecting to the Internet, and even complete prevention from browsing. According to assessments by cyber industry sources, these temporary problems were the result of a takeover, by hostile elements, of the routers produced by a variety of manufacturers and marketers by Telekom Deutsche, aimed at creating a Botnet server using malware with features similar to those of Mirai.[6] This incident highlights the danger of a simultaneous attack against multiple IoT devices, resulting in significant cumulative damage.

The afore-mentioned incidents may indicate the dangers inherent in attacks carried out using IoT devices, as well as the issues, related to the phenomena, that must be dealt with:

• Access to information that enables identification of targets for attack: At present, there are specialized search engines that enable the detection of the IP addresses of terminal equipment connected to the Internet. These search engines allow attackers to sort targets according to countries, types of devices, versions, etc. In addition, various hacker groups, including supporters of terrorist organizations, have previously published lists that included the IP addresses of terminal equipment such as the addresses of routers and security cameras. Such detection is easy to carry out as it does not require extensive knowledge and serves as the basis for an attack.
• Information security policies: Terminal equipment is often protected by default administrator access passwords that are openly published and, therefore, allow anyone a remote connection to the terminal equipment. Most manufacturers publish the default passwords even in cases where the password is changed daily for security reasons.[7]  It can be assumed that this was also the case in the aforementioned February 2016 incident, as it was claimed that Hezbollah elements had gained access to the security cameras via default administrator passwords.
• Technological quality and the use of open-source: To save on manufacturing costs and to remain competitive in the face of competition, manufacturers of IoT products tend to use outdated technology or open-source codes, which often enable security breaches that the manufacturer does not rectify. Thus, marketers who supply terminal equipment may choose a low-quality product, which suffers from security breaches, instead of a quality product. These low-quality products can be compared to a loaded gun, waiting to be utilized in a future attack.

The risks described above, the weaknesses that stem from them, and the possibilities that they open for potential attackers to utilize, serve as the basis of an offensive cyber-campaign. Said campaign could utilize IoT devices as a tool in the framework of a DDoS attack or as a means of disrupting the functioning of the device itself. It is worth emphasizing that a large-scale attack is liable to cause significant damage, such as the attack in Germany, in which the routers themselves were damaged. In the absence of an appropriate response, terrorist organizations are likely to use this product in order to increase the effectiveness, efficiency and scope of damage of a given attack.

Countries must establish security standards for IoT devices through regulation that imposes minimum standards on manufacturers and importers. Alongside the establishment of security and enforcement standards, the public also has a responsibility to select products with minimal security, with a preference for secure products. In addition, we must continue to promote the development of protective measures similar to those available on computers.