IoT malware often relies on old vulnerabilities

A survey on malware that exploits vulnerabilities in connected devices may explain why this category of systems continues to pose a risk to the network ecosystem. Long delays in releasing patches and difficulty in tracking glitches play important roles in continuing to tag Internet of Things(IOT) as insecure.

Some vulnerabilities affecting Internet-of-Things systems lack an identifier such as the one given for the entries in the Common Vulnerabilities and Exposures (CVE) public list. This impedes development of efficient defences, as it could bypass security solutions that rely on specific rules (IDS/IPS, Yara) for identifying and blocking threats.

One key reason is insufficient optimization for the filing or assigning process, which delays the release of a CVE number. Another would be that researchers simply don’t ask for an identifier, which would make sense considering the large number of security bugs discovered in IoT devices.

Regardless of the root cause, this creates a messy problem when the infosec community wants to exchange information about vulnerabilities actively exploited by malware, as it is difficult to discuss without a common reference to it.

Because of the huge diversity of IoT systems, creating an antivirus program compatible with all of them is not feasible. Instead, the antivirus industry has started devising a solution that protects the entire home network.

It has been noticed that writing code that protected against a known, easy-to-exploit vulnerability sometimes took half a year to become publicly available, more than enough time for exploits and IoT threats to emerge and do their work.

Some malware families analyzed exploited vulnerabilities known by the security industry for two years, yet there was no patch for them. At the moment, cybercriminals incorporate a lot more than three exploits into their malicious programs, so they have a wider net for compromising unpatched devices.

Public knowledge for creating defenses against medium- and high-risk IoT security bugs could have been used at least 90 days before the first malware sample that leveraged them appeared.

A window of opportunity this large lets cybercriminals plan and build operations without the pressure of having to act before a patch is released. Until the delay in shipping fixes or defense rules for smart devices is reduced, the bad guys will continue to have a huge market for their business.

Zakir Hussain
Director,  BD Software Distribution Pvt. Ltd.