Cyber criminals shut down parts of the Web in October 2016 by attacking the computers that serve as the internet’s switchboard. Their weapon of choice? Poorly secured Web cameras and other internet-connected gadgets that have collectively come to be known as the Internet of Things (IoT). The attack created a minor panic among people trying to visit Sony PlayStation Network, Twitter, GitHub and Spotify’s Web sites, but it had little long-term effect on internet use or the hijacked devices. Less than two years later, however, security experts are sounding the alarm over a new and possibly more nefarious type of IoT attack that “cryptojacks” smart devices, surreptitiously stealing their computing power to help cyber criminals make digital money.
Cryptocurrencies—so called because they use cryptography to secure transactions and mint new virtual coins—are generated when computers loaded with “cryptomining” software perform complex mathematical calculations. The calculations themselves serve no practical purpose, but the faster the computers complete them the more electronic money they make. Cryptojacking (a mashup of the words “cryptocurrency” and “hijacking”) occurs anytime someone uses another person’s internet-connected device without permission to “mine” Ethereum, Monero or some other virtual cash. (Bitcoins are a lot more valuable, but this well-known cryptocurrency is more likely to be created using warehouses of servers rather than someone’s stolen processing power).
Cyber criminals steal that power by sneaking malicious software containing cryptomining code onto PCs, smartphones and other internet-connected devices that, once infected, divert some of their processors’ capacity into solving the aforementioned calculations. Another type of cryptojacking attack occurs when internet users are tricked into visiting Web sites containing code that grabs part of their device’s processing power for as long as they visit the site. To entice people to stay, those sites tend to offer free pornography or pirated content. Victims usually have no idea their device has been coopted—although they might wonder why their batteries drain so quickly.
“When mining for gold, the person who works hardest with their pickaxe makes the most money,” says Richard Enbody, an associate computer science and engineering professor at Michigan State University. “In cryptomining, the pickaxe is an algorithm. The more complex the calculations it performs, the more processing power and energy it uses and the more money it earns.”
The latest trend is for criminals to infect appliances and other internet-connected devices with unwanted cryptomining software, Sherri Davidoff, CEO of cyber security firm LMG Security, said during a recent IoT cryptojacking webinar. “Many of these devices are unmonitored and highly vulnerable to simple attacks that exploit weak passwords and unpatched vulnerabilities,” Davidoff said. Nearly every case LMG is currently investigating has turned up cryptomining software, in addition to whatever other malware criminals installed on their victims’ computers, she added.
To test IoT devices’ susceptibility to having their processors hijacked to make cryptocurrency, Davidoff and her colleagues hacked into a Web camera in their lab and installed cryptomining software. After a day of calculating the camera managed to produce about three-quarters of a penny’s worth of Monero. Not exactly the motherlode, but those almost-pennies add up over time—especially if an attacker takes over thousands of Web cameras and leaves the software in place for a while, Davidoff said. Security cameras are a prime target because they connect to mostly unsecured public networks and are fairly generic—the same malware can be used to infect many different brands. In some cases these devices do not allow users to change their default security passwords.
“For financially-motivated cybercriminals, cryptojacking a large number of inadequately protected IoT devices could be highly lucrative,” says Pranshu Bajpai, a PhD candidate in Michigan State University’s Department of Computer Science and Engineering. “It can be argued that gaining [an] initial foothold into IoT devices is relatively easier than a computer or a phone, which normally have better protections.” Given that many IoT devices lack updated antivirus software or an intrusion detection system, the malware is more likely to remain undetected longer.
In addition to degrading battery life, cryptojacking can strain or possibly burn out a device’s processor. In an extreme case LMG investigated, one of the client’s employees requested an extremely powerful computer—ostensibly for work—only to inform the client within a couple of months that the computer had caught fire. A few weeks later the client discovered that the employee had been using his new work computer for cryptomining. Most cryptominers and hackers avoid overtaxing their machines, or the machines they hijack, for fear of killing a (digital) cash cow. Still, even if cryptojacking does not destroy a device it will slow it down considerably.
Not all remote cryptomining is done on the sly or for malicious purposes. In February lifestyle magazine Salon employed the practice to help make up for the advertising revenue they lose when readers use ad-blocking software. Salon began asking online readers to help support the publication financially, either by shutting off ad blockers or allowing Salon to borrow users’ devices for Monero mining while they read. UNICEF Australia encourages people to donate their computers’ processing power to the charity for digital fundraising. Cryptojacking, however, is increasingly being recognized as a crime. A Japanese court earlier this month sentenced a man to a year in prison for illegally cryptomining $45 in Monero on victims’ computers.
People can protect their devices primarily by keeping their operating systems and software up to date, Bajpai says. They can also install programs called “extensions,” which block mining software, in their Web browsers. Consumers typically must rely on the companies that make internet routers, Web cameras and other connected devices to keep that technology secure and up to date. If those companies do not ship their products with secure software and update it frequently to fight malware, the IoT could be in for a bumpy ride—and it is expected to grow from about 23 billion devices this year to more than 75 billion by 2025.