Are your IoT devices mining cryptocurrencies in their spare time?

//Are your IoT devices mining cryptocurrencies in their spare time?

We like to say that cybercriminals use IoT devices for “firepower” (DDoS) and “brainpower” (crypto mining) attacks. While IoT-related DDoS attacks have been widely recorded and are well understood, only now is the crypto-mining threat becoming more widely acknowledged.

Several studies published recently indicate an interesting trend: Cybercriminals are shifting from ransomware mining to mining cryptocurrencies. Interestingly, these “miners” are not exclusive to PCs and are finding their way into smaller IoT devices.

Initially, IoT devices were not considered plausible candidates for mining cryptocurrencies, especially Bitcoin.  After all, most IoT devices are fairly rudimentary in terms of computing power, and the process of verifying transactions on a cryptocurrency network by solving complex mathematical problems requires high-powered computers. However, some researchers were able to successfully demonstrate mining $1,000 worth of Monero using 15,000 infected IoT devices in under four days. That may not sound like a lot of Monero, but considering the cost of infection (nearly zero) and the fact that this process could go on for a very long time without being detected, the cyber-miners’ potential gain is huge.

To illustrate the motivation of cybercriminals to utilize IoT devices for mining cryptocurrencies, another researcher visited dark web forums dedicated to crypto-mining malware and recorded lively discussions about developing and selling IoT-specific malware for that purpose.

Given that crypto-mining is a real threat (here at SecuriThings, we’ve identified many such infected IoT devices), how concerned should the owners of IoT devices be? Is this some nuisance that you can simply accept as part of “the cost of doing IoT business”?

Actually, an IoT device is at far greater risk than it appears on the surface.

Consider this – an IoT device is meant to operate at a certain load and perform certain functions. When a device is forced to conduct more laborious activities, it starts to display operational degradation. Mining is far more demanding than normal operations on these devices, so IoT devices participating in mining become strained: they display abnormal CPU usage and power consumption. They experience disconnections and instability and break more often.

Since the IoT business model is all about reliable service and predictable or hassle-free maintenance, lowering the MTBF (mean time between failure) even by a little could result in unexpected spending by IoT service providers, in addition to reduced service quality and client dissatisfaction. Imagine a mission critical system (like a group of surveillance cameras) that is infected with malware. During an emergency, the cameras may be slow to react or could even go offline because their processors are busy mining. Even an array of small sensors with no compute power that are connected to a mesh network and communicate with the cloud via a local gateway could become unavailable due to the gateway being infected.


To conclude, when a device is infected by a foreign piece of malware, it becomes exhausted to the point of failure while assisting the cybercrime ecosystem. With more and more devices forcefully participating in mining activities, the need for real-time security monitoring technologies will only increase. Security solutions must enable IoT service providers to identify the infection (and mining activities) in time to remove the malware before it damages the device, thus reducing operational costs and maintaining quality service.

2018-10-23T09:31:30+02:00 May 8th, 2018|