Hackers Take Over IoT Devices to ‘Click’ on Ads

A video interview and Q&A with IoT specialist Dan Demeter of Kaspersky Lab.

By 2025 there will be 25 billion internet of things (IoT) connections, according to GSMA Intelligence. And if hackers have it their way, many of those IoT devices will be hijacked and recruited into online pay-per-click advertising scams.

At the Security Analyst Summit 2019, Threatpost sat down with Dan Demeter, a security researcher specializing in IoT at Kaspersky Lab’s Global Research and Analysis Team (GReAT), to discuss ongoing trends and attack methods involving IoT devices. One of the more interesting trends he described is attackers taking over IoT devices (such as a thermostat or a light bulb) and programming them to “click” on ads to generate ad revenue for the attackers. The devices themselves can be low-bandwidth and low-powered, he said; all an attacker needs is a unique residential IP address to convince advertising networks that a real person is behind the click.

A lightly edited transcript of the video interview follows.

Threatpost: What is the main trend in IoT security that you’re seeing?

Dan Demeter: For the past two years now, we have seen attackers going for easy targets…and most are lacking sufficient security.

In terms of types of devices that are being infected, we see any kind of device from DVR cameras to routers, even from some quite well-known vendors. And unfortunately, there are cases of some big vendors who are not so fast in fixing their vulnerabilities.

TP: Are attackers looking to amass large botnet volumes?

DD: Also, one other trend that we have seen is that attackers now go after a lot of volume rather than quality. So they don’t care if they infect a really small camera with a really slow connection, it’s okay for them because if they manage to affect 10,000 or 100,000 devices, they are still going to get a pretty good [base] for them to be able to launch a DDoS attack, for example.

TP: Is DDoS still the main IoT botnet attack type?

DD: A trend that we have been seeing lately is that attackers now, instead of infecting devices with the aim of launching DDoS attacks (or offering DDoS as a service), they instead try to infect devices and use them as proxies.

One of the easiest ways that you can use a device as a proxy [in an attack] is to add it to an ad-click campaign. Basically, there are websites from Google, Facebook, Amazon, Roku, where they display ads. And [attackers] infect the routers or the IoT devices in people’s homes in order to proxy requests to mimic real user clicks [on those ads].

And this is quite successful, mostly because they have a lot of IP addresses that they can use, and also, they use this to improve their techniques, in order to not be discovered by Google’s AdWords for example.

If Google detects weird traffic or automated traffic clicking on your ads, it might cut off your campaign or not give you the money, because the traffic was not organic; it was not directed by real users.

Infecting devices helps a lot [with this problem] because the IP addresses are found at people’s homes; so if you mimic the geo-location of the user, you can actually be successful in clicking on your own ads [without being caught] and thus generating quite a good revenue.

TP: What about cryptojacking?

DD: So apart from the ad fraud and the DDoS services that are still popular, some of the latest trends include mining cryptocurrencies on these devices. Of course, in my opinion, this is not so efficient, mostly due to the fact that these devices don’t have specialized hardware or powerful processors to be able to mine a consistent amount of cryptocurrency. But, even if you earn two cents per hour or .01 cent per hour, and if you have a lot of devices (like 100,000 or 200,000 devices), that’s still quite a lot of money you earn by basically just scanning for vulnerable devices and infecting them.

TP: What is the role of the ISP in all of this?

DD: I think internet service providers have a big role in this problem. And this is because they are the ones that connect those devices, vulnerable devices, with the internet. And, of course, an ISP should not be allowed to block traffic or monitor user traffic – but they might have some options to protect users who unwittingly connect vulnerable devices to the internet directly.

So one way they can protect [subscribers] is, they can monitor attacks against their networks and they can block the attackers at their [own] routers or border regions. And, we have been cooperating with some ISPs; basically, we deploy honeypots in their network using their free IP addresses, so there is no user traffic involved at all. Using this honeypot, they are able to identify whenever there is a new wave of attacks against their clients.

Of course, this is just a remedy for the problem of users connecting vulnerable devices to the internet. Unfortunately, sometimes users don’t know that their devices are vulnerable, and this is another side of the story.

TP: What responsibility do the IoT vendors themselves have?

DD: Companies, the vendors that produce IoT devices, should be held responsible if they don’t patch their devices. Or if they don’t act fast. Because nobody writes perfect software, so vulnerabilities might exist – but it is your responsibility as a vendor to actually fix and patch your devices as fast as possible, as soon as possible. And actually, the European Union is putting forward legislation forcing vendors to patch their devices…when there is a new vulnerability found or exploited in the wild.

TP: How can consumers protect themselves?

DD: Users should not make vulnerable devices publicly available and directly connected to the internet, or they shouldn’t put vulnerable devices in their networks at all. Of course, some users might not know that their devices are vulnerable.

So our recommendation would be, if you are a concerned person and you say, “OK, I would like to buy a monitoring device to monitor my apartment, is this secure or not? Will I be vulnerable to attacks?” Our suggestion would be, do a Google search of the brand name and the word “vulnerability.” Try to see if there were any vulnerabilities discovered in the past.

This does not mean that there might not be vulnerabilities discovered in the future. So, secondly, check to see whether the vendor is responsible enough to fix vulnerabilities fast enough. You see researchers like myself or my colleagues who sometimes write blog posts saying that we discussed this vulnerability, the vendor promptly fixed it, and the vendor was cooperating with us. Try to aim for these kinds of vendors.

And try not to buy the cheapest product on the market, because sometimes, in order to be able to develop or to bring to market a product that is so cheap, it means that you as a vendor have to cut corners. And, most of the time, security is the first corner that is cut. They do not have the time, the expertise or the budget to invest in developing a secure product.

So, do your research, try not to buy the cheapest product available, and even if you know that your device is secure, try to limit its exposure to the internet. Maybe use a VPN to connect to your house and then to monitor your cameras.
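The ISP honeypot Demeter describes above works because its addresses carry no legitimate user traffic: every inbound connection is unsolicited, so a sudden jump in the number of distinct sources hitting one port marks a new wave of attacks against the ISP's customers, and the sources seen during that window are candidates for blocking at the border. The following Python is an added example written for this page, not Kaspersky's or any ISP's code; the log line format, the window and threshold values, and the sample addresses are constructed assumptions.

```python
"""Flag a new attack wave from an ISP honeypot's connection log.

Assumed setup (not from the interview): the honeypot listens on unused
addresses in the ISP's own space, so every connection is unsolicited.
A wave is flagged when the distinct source count on one port in a time
window is at least MIN_SOURCES and at least FACTOR times the mean of
the earlier windows seen for that port.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed log format: "<ISO-8601 UTC timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)


class Hit(NamedTuple):
    ts: datetime
    src: str
    port: int


class Wave(NamedTuple):
    window_start: str  # ISO-8601 UTC, e.g. 2019-04-09T10:03:00Z
    port: int
    sources: int       # distinct source addresses in that window


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit, or None for a line that does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Hit(ts, m["src"], int(m["port"]))


def _window_index(hit: Hit, window_seconds: int) -> int:
    return int(hit.ts.timestamp() // window_seconds)


def _window_start(idx: int, window_seconds: int) -> str:
    start = datetime.fromtimestamp(idx * window_seconds, tz=timezone.utc)
    return start.isoformat().replace("+00:00", "Z")


def _distinct_sources(lines: List[str], window_seconds: int) -> Dict[int, Dict[int, Set[str]]]:
    """port -> window index -> set of distinct source IPs (malformed lines skipped)."""
    buckets: Dict[int, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        buckets[hit.port][_window_index(hit, window_seconds)].add(hit.src)
    return buckets


def detect_waves(lines: List[str], window_seconds: int = 60,
                 min_sources: int = 5, factor: float = 3.0) -> List[Wave]:
    """Return the (window, port) pairs whose distinct-source count stands out
    against that port's own history; a port with no history needs min_sources."""
    waves: List[Wave] = []
    for port, per_window in _distinct_sources(lines, window_seconds).items():
        history: List[int] = []
        for idx in sorted(per_window):
            n = len(per_window[idx])
            baseline = sum(history) / len(history) if history else 0.0
            if n >= max(min_sources, factor * baseline):
                waves.append(Wave(_window_start(idx, window_seconds), port, n))
            history.append(n)
    return sorted(waves)


def blocklist(lines: List[str], waves: List[Wave], window_seconds: int = 60) -> Set[str]:
    """Source addresses seen on a flagged port during its flagged window:
    the candidates to block at the ISP's border routers."""
    flagged = {(w.port, w.window_start) for w in waves}
    out: Set[str] = set()
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        if (hit.port, _window_start(_window_index(hit, window_seconds), window_seconds)) in flagged:
            out.add(hit.src)
    return out


# Constructed sample log (documentation address ranges, one-minute windows):
# minutes 0-2 carry background scanning noise; minute 3 brings 12 new telnet sources.
_FMT = "2019-04-09T10:0{m}:{s:02d}Z {src} -> 192.0.2.10:{port}"
SAMPLE_LOG = (
    [_FMT.format(m=m, s=5, src="198.51.100.7", port=23) for m in range(3)]
    + [_FMT.format(m=m, s=40, src="198.51.100.8", port=23) for m in range(3)]
    + [_FMT.format(m=m, s=20, src="198.51.100.9", port=80) for m in range(3)]
    + [_FMT.format(m=3, s=i, src=f"203.0.113.{i}", port=23) for i in range(1, 13)]
    + [_FMT.format(m=3, s=30, src="198.51.100.9", port=80),
       _FMT.format(m=3, s=31, src="198.51.100.10", port=80)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    found = detect_waves(SAMPLE_LOG)
    for w in found:
        print(f"wave at {w.window_start} on port {w.port}: {w.sources} sources")
    print("block:", sorted(blocklist(SAMPLE_LOG, found)))
```

The comparison is per port against that port's own earlier windows, so a steady trickle of telnet scanners does not trip the detector and a quiet port such as 80 is not flagged just because two sources happen to hit it in the same minute. In production the baseline would be kept over a longer history, and the blocklist would be reviewed before being pushed to the border, since the same window also contains whatever background scanners were active.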
