How Operating Systems Leave IoT Devices Vulnerable

26-10-2020 | By Robin Mitchell

A variant of the InterPlanetary Storm malware has infected just over 13,000 machines around the globe and is now starting to infect IoT devices based on Android and Linux systems. What does this malware do, why is it able to infect IoT devices, and what risks does using standard operating systems on IoT devices present?

What is the InterPlanetary Storm malware?

Recently, a piece of malware called InterPlanetary Storm has been infecting machines, and has so far infected 13,000 machines across 84 different countries. The malware gains access to devices by brute force, using a dictionary attack (i.e. a dictionary of commonly used passwords). It can also access devices via Android Debug Bridge servers. Once in the system, the malware can detect the CPU architecture (e.g. x86, x64, and ARM) and load the correct version. The function of most malware is known, but the exact nature of InterPlanetary Storm is a mystery to cyber experts; it is believed to be a backdoor allowing remote attackers to crypto mine or perform DDoS attacks.

How is it able to affect IoT devices?

Generally speaking, such malware in the past would be limited to main computing systems such as desktop PCs, laptops, and servers. Still, the increasing use of operating systems in IoT devices is allowing malware to infect these devices too. In the case of InterPlanetary Storm, IoT devices that use either an Android or Linux based OS are equally vulnerable, as the malware can successfully run on them. The ability of malware to infect IoT devices is worsened when considering that IoT devices, by nature, have internet connectivity, which allows malware to find vulnerable devices quickly, infect them, and then spread across networks.

Why do operating systems leave IoT devices potentially vulnerable?

While any device can be vulnerable to malware, the use of commonly available operating systems complicates the matter further. Unlike simple microcontrollers that run specific firmware, a processor running an OS is designed to execute a wide range of different applications that can easily be added and removed. Security systems can be integrated that allow only a few specific apps to run, but as operating systems are large and complex, they often have multiple entry points that attackers can exploit. For example, secure shells are particularly problematic as they allow for remote control of a system and, if not properly secured, allow attackers to easily take control. Operating systems also have many features that may be unused, and these additional services can include bugs and exploits that go unnoticed. These same services can also be difficult to disable or remove. Thus, a design becomes reliant on a system that cannot be easily patched (except by the developers of the operating system).
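The entry points described above (password-based secure shell, Android Debug Bridge, and unused services) can be checked on a Linux-based device by comparing its listening sockets and sshd settings against what the product actually needs. The following is an added example, not code from the original article; the sample `ss -tlnH` output, the sshd_config, and the allow-list are constructed, and it assumes ADB's default TCP port 5555 and upstream OpenSSH defaults.

```python
# Constructed sample data: `ss -tlnH` output and sshd_config from a hypothetical device.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4 0.0.0.0:5555 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
"""
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

KNOWN = {22: "SSH", 23: "telnet", 5555: "ADB over TCP"}
# Upstream OpenSSH defaults, used when a keyword is absent (vendor builds may differ).
SSHD_DEFAULTS = {"port": "22", "passwordauthentication": "yes",
                 "permitrootlogin": "prohibit-password"}

def exposed_ports(ss_text):
    """Return sorted TCP ports that listen on a non-loopback address."""
    ports = set()
    for fields in map(str.split, ss_text.splitlines()):
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not (addr.startswith("127.") or addr in ("[::1]", "::1")):
            ports.add(int(port))
    return sorted(ports)

def sshd_settings(config_text):
    """First occurrence of a keyword wins, as in sshd; Match/Include are not handled."""
    settings, seen = dict(SSHD_DEFAULTS), set()
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen.add(parts[0].lower())
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings

def audit(ss_text, sshd_text, allowed_ports):
    """List listeners outside the allow-list and weak sshd authentication settings."""
    ports = exposed_ports(ss_text)
    findings = [f"unexpected listener on tcp/{p} ({KNOWN.get(p, 'unknown service')})"
                for p in ports if p not in allowed_ports]
    cfg = sshd_settings(sshd_text)
    if int(cfg["port"]) in ports:
        if cfg["passwordauthentication"] == "yes":
            findings.append("sshd accepts passwords: exposed to dictionary attacks")
        if cfg["permitrootlogin"] == "yes":
            findings.append("sshd has PermitRootLogin yes")
    return findings
```

Calling `audit(SAMPLE_SS, SAMPLE_SSHD, {22})` reports the telnet and ADB listeners plus the two sshd settings; the loopback-only service on port 8080 is not reported because it is not reachable from the network.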

Does this mean that operating systems should be avoided?

While operating systems can provide easy-to-use platforms, it should be noted that the use of such platforms in IoT devices will only increase the likelihood of infection by malware, and IoT devices will only further encourage the spread of malware on commonly used platforms. Of course, those same platforms can utilise security software, but this not only consumes processing power but also increases the energy consumption of the device, which defeats the purpose of low-power devices.

The use of a custom system on an IoT device allows a designer to minimise points of entry through the absence of unused services, closed ports, and a unique software structure. The use of dedicated firmware also makes it harder for external malware to inject code into memory-protected areas, and using uncommon CPU architectures adds a layer of complexity that malware has to overcome. But even then, using custom platforms and uncommon CPU architectures is still not enough to guarantee a secure system, and can even lead to more vulnerabilities. For example, major companies that develop operating systems will most likely employ security specialists who look for vulnerabilities and understand what to look for, while a firmware engineer designing a custom system may unknowingly make trivial mistakes such as not checking array bounds, not sanitising data, and leaving ports open.

In the future, it is more than likely that as IoT devices become increasingly powerful, specialised operating systems will be developed, such as Windows IoT, that provide systems ideal for IoT applications with minimal features and the ability to disable unused services. Such platforms will help engineers create easy-to-use systems for adding applications while ensuring that they are fundamentally secure. This will also be reflected in the hardware choices of the future as IoT devices move towards a more traditional PC architecture, also allowing them to run x86, x64, and ARM programs. But, as this happens, designers need to be aware that their IoT devices are now more like computers and thus potentially vulnerable to malware already in circulation.


By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation, developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.