Every year we see new pressing cyber threats, from new targets for hackers to new issues cropping up in the cybersecurity space. 2018 will be no different. One area that has recently got a lot of attention is IoT devices, as the use of such devices has increased in both the public and private sectors. Here at Silobreaker we are keen to highlight three pressing cyber threats to IoT devices that we believe enterprises need to be aware of:
By 2020 it is expected that 25% of cyber-attacks will target IoT devices, many of which will be deployed in industrial environments. Infection and covert usage of IoT devices to mine cryptocurrencies or conduct DDoS attacks is a trend that isn’t slowing down, and one that is especially problematic in the industrial space because Industrial IoT devices tend to be both poorly secured and difficult to patch, especially across a distributed environment such as manufacturing.
It’s true that Mirai, and variants such as Okiru and Satori, pose a major risk to manufacturing, where the reduction of a connected device’s processing power can seriously impact safety or disrupt processes. But there is also the potential for untargeted, collateral damage in this space. The prospect of motivated attackers leveraging destructive malware such as BrickerBot to wipe devices is highly concerning, but such ‘attacks’ need not even be targeted to cause damage. A wormable exploit such as the one used by WannaCry could cause widespread infection of industrial IoT devices – to devastating effect – quite regardless of the original intentions of the attacker. We expect to see a major event of this kind take place in 2018.
Bringing in the professionals
Another pressing threat for 2018 is a dearth of skills and resources. Humans are still the weakest link in the security chain, but hiring and training people who can understand and respond to issues in the threat space is only becoming more difficult. Demand is rising much faster than supply, with 3.5 million unfilled positions in the cyber security field expected by 2021. At the same time, the eternal catch-up game played between criminals and analysts continues, with threats becoming more sophisticated and widespread every day.
As we further integrate IoT technology into our lives and into sectors such as manufacturing and critical infrastructure, this problem is not going to go away – it is going to get worse. The skills we need to protect ourselves: analysing information, separating intelligence from noise, and understanding the motivations of threat actors, are in short supply. They need to be cultivated. And to some extent this is happening; we’re simply not doing it fast enough. If this skills gap widens too fast, and too quickly, it won’t matter how much companies are willing to pay to fill these vital positions; we will all become victims.
To mitigate this issue, we need to put more effort than ever into hiring, training and retaining the next generation of cyber security experts. Information security is increasingly being viewed as more than an IT-only problem, which is a big step, but budgets don’t always scale with intentions. Yes, working to improve the “cyber hygiene” of employees is important, but no organisation is unbreachable. And we need many more skilled people if we want to be prepared for when the worst happens.
The most tantalising treasure is data
Theft and manipulation of personal information from IoT devices is a growing concern for 2018. With IoT machines becoming ever more popular with consumers, we need to come to terms with the idea that our personal information is more at risk than ever. Devices such as Amazon’s Echo and other virtual assistants allow us to (often unwittingly) sacrifice convenience for security – as we learned when a researcher used malware to stream audio to a remote server. Or when a Bluetooth vulnerability rendered Echo, Google Home and billions of other devices vulnerable to hijacking. We don’t know all the potential methods by which our personal information - what we say and do in our own homes - can be used against us, because having one’s personal life potentially exposed in this way is brand new. Identity theft and the resale of shopping habits are all perfectly possible, but this data can also enable crime in the physical world. If you’ve suddenly stopped ordering your weekly groceries, maybe there’s nobody at home? Assuming such information can be accessed, it will certainly be sold.
Mitigating data theft from devices like Echo is both a manufacturer issue and a consumer one. The more these devices are sold and used, the more attractive targeting them becomes for criminals. At the same time, the longer consumers wait before purchasing, the more tried and tested (and secure) this technology becomes. Purchasing from quality vendors will also reduce the risk of security ‘oversights’ and make sure that vulnerabilities are patched. Fundamentally, it also comes back to the very personal question of convenience versus security; to what extent are the risks worth the rewards? Caveat emptor.