The Government wants citizens to become more aware of the dangers of the Internet of Things (IoT). It is estimated that by 2020, 30 billion household appliances will be connected to the internet worldwide. These include televisions, toys, routers, cameras and doorbells. On behalf of the Ministry of Economic Affairs, TU Delft researchers will calculate the number of unsafe and hacked appliances in the Netherlands.
The principal investigator is Carlos Ganan of the TPM Faculty. He believes that IoT poses many risks. “We have recently seen examples of hotels and hospitals being attacked with botnets. But this is just the tip of the iceberg. Hackers are now leveraging IoT devices to carry out denial-of-service attacks by sending so much traffic as to temporarily take servers down. For instance, in 2016 a major attack disrupted services like Airbnb, Spotify, Visa and the BBC. Don’t forget that even some internet-enabled doorbells and toys contain tiny computers. Their individual computing power may be very limited but when combined can cause a lot of damage.”
‘The attacks are more and more sophisticated’
“By using botnets, you could also block all hotel doors”, Ganan says. “Criminals then ask for a ransom. The attacks we see are getting more and more sophisticated. Some criminals even use hacked devices for crypto currency mining, such as Monero.”
And of course then there is the risk of loss of personal data and the violation of privacy. Hackers can gain excess to personal information that they can use for extortion purposes through routers, external hard disks or cameras that are not well protected.
The goal of Ganan’s project is to find out which type of IoT devices are infected and what type of attacks are most common. Thereafter, the Government will enter into discussions with internet providers and manufacturers on making the devices more secure by default.
“A major problem with many cheap appliances is that they use default credentials,” says Ganan. “When you connect a device and you are not enforced to change the password, we have a problem. Sometimes people are not even aware that there is a way to change the password. The default password is often something as simple as 1234. So you do not need a master of science to get into these systems.”
On a fishing expedition
So how will they go about this? “We will create a honeypot. We are going to buy vulnerable devices that can easily be infected. This will be our bait. And then we wait until we get infected. This will allow us to capture IoT malware. Once we have the malware, we can analyse it and see the other types of devices that are targeted and maybe even identify part of the criminal infrastructure.”
“Many hackers are what we call script kiddies. Kids with some basic knowledge of IT who are playing around. But there are also financially motivated criminals behind the hacks. These are the people that we will try to identify. But we will probably only expose certain parts of the infrastructure. Some attackers will use more sophisticated techniques and will be hidden behind anonymised networks such as Tor.”
The project will take two years. “We expect the first calculations by the end of September. By then we hope to have an idea of how many devices are infected in the Netherlands.”