In the digital graveyard, a new threat stirs: Out-of-support devices becoming thralls of malicious actors
Outdated devices are often easy targets for attackers, especially if they have vulnerabilities that can be exploited and no patches are available due to their end-of-life status.
Hacks of outdated or vulnerable devices are an issue, but why would anyone attempt to hack discontinued devices or those running out-of-support software? To gain control? To spy on people? The answer is quite multifaceted.
The end of life is coming — for your device
There comes a time when a device becomes obsolete, be it because it gets too slow, the owner buys a new one, or it lacks functionalities compared to its modern replacement, with the manufacturer shifting focus to a new model and designating the old one as end of life (EOL).
At this stage, manufacturers stop the marketing, selling, or provisioning of parts, services, or software updates for the product. This can mean many things, but from our standpoint, it means that device security is no longer being properly maintained, making the end user vulnerable.
After support has ended, cybercriminals can start gaining the upper hand. Devices such as cameras, teleconferencing systems, routers, and smart locks have operating systems or firmware that, once obsolete, no longer receive security updates, leaving the door open to hacking or other misuse.
Estimates say that there are around 17 billion IoT devices in the world – from door cameras to smart TVs – and this number keeps increasing. Suppose that just a third of them become obsolete in five years. That would mean that a bit over 5.6 billion devices could become vulnerable to exploitation – not right away, but as support dries up, the likelihood would increase.
Very often, these vulnerable devices can end up as parts of a botnet – a network of devices turned into zombies under a hacker’s command to do their bidding.
One person’s trash is another’s treasure
A good example of a botnet exploiting outdated and vulnerable IoT devices was Mozi. This botnet was infamous for having hijacked hundreds of thousands of internet-connected devices each year. Once compromised, these devices were used for various malicious activities, including data theft and delivering malware payloads. The botnet was very persistent and capable of rapid expansion, but it was taken down by 2023.
Exploitation of vulnerabilities in a device like an IoT video camera could enable an attacker to use it as a surveillance tool and snoop on you and your family. Remote attackers could take over vulnerable, internet-connected cameras, once their IP addresses are discovered, without having had previous access to the camera or knowing its login credentials. The list of vulnerable EOL IoT devices goes on, with manufacturers typically not taking action to patch such vulnerable devices; indeed this is not possible when a manufacturer has gone out of business.
Why would someone use an out-of-date device that even the manufacturer deems unsupported? Be it either lack of awareness or unwillingness to purchase an up-to-date product, the reasons can be many and understandable. However, that does not mean that these devices should be kept in use — especially when they stop receiving security updates.
Alternatively, why not give them a new purpose?
Old device, new purpose
A new trend has emerged due to the abundance of IoT devices in our midst: the reuse of old devices for new purposes. For example, turning your old iPad into a smart home controller, or using an old phone as a digital photo frame or as a car’s GPS. The possibilities are numerous, but security should still be kept in mind – these electronics should not be connected to the internet due to their vulnerable nature.
On the other hand, getting rid of an old device by throwing it away is also not a good idea from a security standpoint. Apart from the environmental angle of not messing up landfills with toxic materials, old devices can include treasure troves of confidential information collected over their lifetime of use.
Again, unsupported devices can also end up as zombies in a botnet — a network of compromised devices controlled by an attacker and used for nefarious purposes. These zombie devices most often end up being used for distributed denial of service (DDoS) attacks, which overload someone’s network or website as revenge, or for a different purpose such as drawing attention away from another attack.
Botnets can cause a lot of damage, and many times it takes a coalition (often consisting of multiple police forces cooperating with cybersecurity authorities and vendors) to take down or disrupt a botnet, like in the case of the Emotet botnet. However, botnets are very resilient, and they could reemerge after a disruption, causing further incidents.
Smart world, smart criminals, and zombies
There’s a lot more that can be said about how smart devices represent further avenues for crooks to exploit unsuspecting users and businesses, and the discussion surrounding data security and privacy is a worthy one.
However, the takeaway from all this is that you should always keep your devices updated, and when that is not possible, try to dispose of them securely (wiping old data), replace them with a new device after secure disposal, or find them a new, much-less-connected purpose.
Outdated devices can be easy targets, so by keeping them disconnected from the internet or discontinuing their use, you can feel safe and secure from any cyber harm through them.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on Facebook, YouTube and Twitter.