As threats to IoT devices evolve, can security keep up?

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Zoltan Balazs, Head of the Vulnerability Research Lab, CUJO AI


  • Reports of IoT breaches are common and efforts have progressed to manage such risks, but some of these developments provoke mixed feelings among security researchers.
  • Devices that collect data have become increasingly common, particularly with the uptick in cloud-enabled technology.
  • New solutions that are developed to combat ongoing security issues often come with new or different problems.

Internet of Things (IoT) devices are some of the least secure connected machines, but they are also becoming ubiquitous in our lives. The McKinsey Global Institute estimates that 127 new IoT machines go online every second. Data from CUJO AI research shows the significant presence of these gadgets in Western households, where an average consumer home has upwards of 20 online-capable devices.

As we become more connected and 5G-enabled smart city solutions with even more points of connection proliferate, are we putting our connected lives at risk? To even start answering this question, we first have to realise that the IoT threat landscape is not stagnant.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure digital peace and security and encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and to refrain from doing harm.

The myth of perpetual, unchanging threats

Hardly a week goes by without an article about a new type of IoT device being hacked: internet protocol (IP) cameras, baby monitors, light bulbs, even rifles.

Nevertheless, the IoT security landscape has progressed a lot since 2010, even if the perception of IoT vulnerabilities has largely stayed the same. It’s true that people are still playing VNC roulette – trying to remotely access devices at random – or even attempting to hijack cars. For the most part, however, the public image of IoT threats is perpetuated by the media and attention-hungry security researchers. Scary headlines drive clicks.

The real truth is that a decade of threats and increased awareness has pushed IoT security to change course. Some of these changes are welcome, while others provoke mixed feelings among security researchers.

Growth, data collection and shifting security challenges

A decade and a half ago, it was hard to find a smart household device; now it’s hard to find one that is not smart. More than 70% of TVs sold today are smart, and even the “dumb” ones can stream online content through Roku or other smart devices. Analysts predict a compound annual growth rate for Internet Connected Devices of 11% by 2023.

Although some of these devices have useful features, a key driver for developing smart devices is data collection. Some vendors even sell devices with data collection features at a lower price. Customer privacy is a wholly different topic, but it must be noted that having an additional point of contact and connectivity for data collection creates an additional risk vector. To put it simply: the risk of a home network getting hacked increases in line with the number of connected devices, especially if we take IoT devices’ long lifespans into account.

Nevertheless, there have also been positive changes in the IoT industry. IP cameras were once notorious hacking targets due to glaring vulnerabilities like open telnet ports. Nowadays, as devices such as these tend to operate via the cloud only, attacking them is more difficult because they do not usually have open ports or hardcoded default credentials and so are more secure.

Cloud connectivity may create more threats than solutions

Cloud connectivity has generally been good for security, but it is important to note that it is a key enabler for data collection in the IoT sector. Also, while the move towards cloud services may have solved some glaring security issues, new ones appear almost instantly.

If a device can only work with an internet connection to cloud servers, operational risk becomes a concern – what happens if the servers go down? Cloud dependency has rendered many devices non-functional in recent years, from smart pet feeders, to home temperature control and security devices, doorbells and vacuum cleaners.

Devices can also be hacked en masse through cloud connectivity. One researcher was able to generate valid camera IDs, use those IDs to connect to a device login screen and guess owners’ passwords or bypass the authentication altogether.

IoT security depends on good practices, which are still not followed by many developers. Standard username and password combinations remain common, as does password reuse. This leaves systems and accounts vulnerable because malicious actors can use that information to target IoT systems. This happened with Ring doorbells before its provider offered two-factor authentication, which significantly reduces the chances of a successful attack, according to our experience at CUJO AI. Sadly, not all IoT service providers offer multi-factor authentication.
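From the cloud provider's side, the pattern described above (one client walking through many device IDs and guessing passwords) is visible in login logs. The following is an added example, not code from the article or from CUJO AI; the log format, device ID scheme, addresses and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hypothetical log format: "<timestamp> src=<ip> device=<id> result=ok|fail"
LINE_RE = re.compile(r"src=(?P<src>\S+) device=(?P<device>\S+) result=(?P<result>ok|fail)")


def build_sample_log():
    """Constructed log lines; addresses come from documentation ranges."""
    lines = [
        # An owner mistyping a password once, then using two of their cameras.
        "2021-03-10T09:00:00Z src=203.0.113.20 device=CAM-004411 result=fail",
        "2021-03-10T09:00:09Z src=203.0.113.20 device=CAM-004411 result=ok",
        "2021-03-10T09:01:30Z src=203.0.113.20 device=CAM-004412 result=ok",
    ]
    # One source sweeping consecutive device IDs, almost always failing.
    for i in range(12):
        result = "ok" if i == 7 else "fail"
        lines.append(
            f"2021-03-10T09:05:{i:02d}Z src=198.51.100.7 "
            f"device=CAM-{100 + i:06d} result={result}"
        )
    return lines


def find_enumerating_sources(lines, min_devices=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct devices and mostly fail.

    Devices that logged in successfully during a flagged sweep are listed
    so their owners can be forced through a password reset first.
    """
    devices, succeeded = defaultdict(set), defaultdict(set)
    fails, total = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        src = m["src"]
        devices[src].add(m["device"])
        total[src] += 1
        if m["result"] == "fail":
            fails[src] += 1
        else:
            succeeded[src].add(m["device"])
    report = {}
    for src, ids in devices.items():
        fail_ratio = fails[src] / total[src]
        if len(ids) >= min_devices and fail_ratio >= min_fail_ratio:
            report[src] = {"devices": len(ids), "fail_ratio": round(fail_ratio, 2),
                           "succeeded": sorted(succeeded[src])}
    return report
```

Counting distinct device IDs per source, rather than failures per account, is what separates this sweep from an owner who simply mistypes a password.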

Hacking centralised cloud services is also more lucrative for criminals. Once a cloud camera service provider is breached, hackers might be able to access all cameras operated by a provider and then sell that access. The recent case of 150,000 hacked Verkada cameras is a good example of this type of breach.

Another development in the IoT threat landscape is the shift towards targeting higher-value cloud-enabled devices, such as Network Attached Storage (NAS). Criminals focus more on the vulnerabilities of these devices and use them to install ransomware that encrypts the victim’s backups, such as family photos and videos. According to data from CUJO AI Labs, NAS adoption is stable at around 0.2-0.3% of all online devices, which makes it a common, but not pervasive target.

The near-term future of IoT threats and security

The growing number of connected devices is forcing the long-overdue transition to Internet Protocol version 6 (IPv6) addresses. As more Internet Service Providers (ISPs) support IPv6 by default, IoT devices will be able to connect to the internet directly rather than operating on private networks. Unfortunately, few of these devices will be powerful enough to run any antivirus or antimalware software. As such, we expect to see more instances of attackers connecting directly to these devices from the internet.

ISPs could block such connections at the gateway (the router) or by adopting better network monitoring solutions, but it is unclear how many ISPs will be willing and able to do this. We will find out whether these new IoT threats appear at the ISP level in the very near future, although hopefully not as part of a new research article about an in-the-wild IPv6 botnet.
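What blocking at the gateway means in practice is a stateful rule: replies to connections a device opened are forwarded, while unsolicited inbound connections are dropped. The model below is an added example, not part of the original article; the addresses (IPv6 documentation prefix), ports and class names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = home network to internet, "in" = internet to home
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Gateway:
    """Toy model of a home router forwarding IPv6 traffic."""
    drop_unsolicited_inbound: bool
    flows: set = field(default_factory=set)

    def forward(self, p):
        if p.direction == "out":
            # Remember the flow so that replies can be matched later.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # An inbound packet is a reply if it mirrors a recorded outbound flow.
        is_reply = (p.dst, p.dport, p.src, p.sport) in self.flows
        return is_reply or not self.drop_unsolicited_inbound


# Constructed addresses from the 2001:db8::/32 documentation prefix.
CAMERA = "2001:db8:10::20"   # globally addressed IoT camera
CLOUD = "2001:db8:c10d::1"   # the vendor's cloud service
REMOTE = "2001:db8:bad::9"   # unrelated internet host

TRAFFIC = [
    Packet("out", CAMERA, 40001, CLOUD, 443),  # camera calls its cloud
    Packet("in", CLOUD, 443, CAMERA, 40001),   # cloud replies
    Packet("in", REMOTE, 51515, CAMERA, 23),   # unsolicited connection to telnet
]


def verdicts(drop_unsolicited_inbound):
    """Return, per packet in TRAFFIC, whether the gateway forwards it."""
    gw = Gateway(drop_unsolicited_inbound)
    return [gw.forward(p) for p in TRAFFIC]
```

With filtering off, all three packets are forwarded, including the direct connection to the camera; with filtering on, the camera's cloud session still works and only the unsolicited packet is dropped.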
