‘Tis the season for predictions, and the IT security industry has been particularly prolific: a number of the major vendors have come out with their thoughts on what we can expect in cyber crime and cyber crime prevention in 2019.
Not surprisingly, IoT loomed large in their forecasts. Not surprisingly, the news was mostly not good.
The root cause of the problem is well known. The attack surface is huge and growing with the proliferation of connected things, many of which incorporate only minimal security.
At the same time, as IoT becomes ever more deeply embedded into industrial and business processes, homes and people, the scale and severity of compromise increase dramatically.
New take on ransomware: pay or die!
BitDefender suggests: “body implants that support wireless connectivity may lead to the first ransomware attacks where you need to pay or die.”
In case that sounds far-fetched, BitDefender reminds us that, back in 2013, US vice president Dick Cheney had the wireless function of his pacemaker disabled to prevent it being hacked by would-be assassins.
BitDefender expects more attacks leveraging IoT. “As lawmakers scramble to come up with a way to regulate the IoT space, attackers will continue to capitalise on their inherent weaknesses,” it says.
“Hackers are becoming better at hijacking IoT products like baby monitors, surveillance cameras and other home appliances.”
Fivefold increase in IoT botnets
Nokia devoted almost half of its Threat Intelligence Report 2019 to IoT, saying: “Driven by financial and other nefarious purposes, IoT botnet activity accounted for 78 percent of malware detection events in communication service provider (CSP) networks in 2018. That is up sharply from 33 percent in 2016, when IoT botnets were first seen in meaningful numbers.”
Kevin McNamee, director of Nokia’s Threat Intelligence Lab and lead author of the report, said: “In 2018, IoT bots made up 16 percent of infected devices in CSP networks, up significantly from the 3.5 percent observed in 2017.”
MQTT and CoAP leaking like a sieve
Trend Micro came out with some very specific bad news in a report co-branded with Politecnico di Milano, The Fragility of Industrial IoT’s Data Backbone.
Trend Micro said it had found major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).
“Over just a four-month period, Trend Micro researchers identified more than 200 million MQTT messages and more than 19 million CoAP messages being leaked by exposed brokers and servers,” Trend Micro said.
“Using simple keyword searches, malicious attackers could locate this leaked production data, identifying lucrative information on assets, personnel and technology that can be abused for targeted attacks.”
Greg Young, vice president of cybersecurity for Trend Micro, said the protocols were to be found in an increasingly wide range of mission-critical environments and use cases.
“This represents a major cybersecurity risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks,” he said.
Trend Micro’s conclusions are damning. “MQTT and CoAP are data protocols playing a fundamental role in M2M communication among consumer and industrial applications,” it says.
“The presence of unsecure MQTT and CoAP deployments shows no improved security awareness since 2017, when this problem was first highlighted for MQTT. Despite the security recommendations being well highlighted in the CoAP RFC, CoAP already suffers from a deployment problem similar to that affecting MQTT.”
“Alexa: you’ve been hacked!”
McAfee flagged voice-controlled digital assistants and smartphones as the next vector in attacking IoT devices.
While poorly secured smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, are growing rapidly, McAfee said: “the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home.
“As sales increase — and an explosion in adoption over the holiday season looks likely — the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.”
McAfee suggested the more sophisticated IoT malware would exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software.
McAfee said smartphones had already served as the door to threats, but in 2019, they may well become the picklock that opens a much larger door. “Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.”
It suggested malware authors could take advantage of phones and tablets, which are already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities.
“These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify.
“An infected smartphone could cause the next example of hijacking the DNS settings on a router. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.”
Symantec says one of the most troubling developments in 2019 will be attacks against IoT devices that bridge the digital and physical worlds. “We expect to see growing numbers of attacks against IoT devices that control critical infrastructure such as power distribution and communications networks. And as home-based IoT devices become more ubiquitous, there will likely be future attempts to weaponise them, say by one nation shutting down home thermostats in an enemy state during a harsh winter.”
The bad news about 5G
There is an ever-growing barrage of news from telcos and their suppliers talking up the imminent arrival of 5G and claiming 5G ‘firsts,’ but from a security perspective the news is not good.
Nokia suggests 5G will contribute to an increase in security breaches simply by introducing more and better-connected devices. “The high bandwidth, large-scale and ultra-low latency capabilities of 5G greatly facilitate connecting billions of things to the internet, including smart home security monitoring systems, vehicles, drones and medical devices.”
Symantec suggests the 10-fold increase in peak data rates, to 10Gbps, enabled by 5G will catalyse new operational models, new architectures and, consequently, new vulnerabilities.
Also: “Over time, more 5G IoT devices will connect directly to the 5G network rather than via a Wi-Fi router,” Symantec says.
“This trend will make those devices more vulnerable to direct attack. For home users, it will also make it more difficult to monitor all IoT devices since they bypass a central router.”
Some good news, for vendors
It’s always good to end on a positive note, and there was also good news, for security vendors at least. Rethink Technology Research reported: “Total global endpoint security revenues will rise three-fold from $[US]2 billion per year at present to $[US]6 billion by 2023, outstripping the average for cyber security over the next five years, despite security still being a grudge purchase which everybody hates.”
It added: “Investment in IoT endpoint security will be led by the commercial sector where enterprises have already committed over $1 billion a year globally to securing vertical industry-specific applications, and spending will grow in business and industrial sectors 20-fold over the next five years. This is about half the global endpoint security total.”