As threats to IoT devices evolve, can security keep up?

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Zoltan Balazs, Head of the Vulnerability Research Lab, CUJO AI

• Reports of IoT breaches are common and efforts have progressed to manage such risks, but some of these developments provoke mixed feelings among security researchers.
• Devices that collect data have become increasingly common, particularly with the uptick in cloud-enabled technology.
• New solutions that are developed to combat ongoing security issues often come with new or different problems.

Internet of Things (IoT) devices are some of the least secure connected machines, but they are also becoming ubiquitous in our lives. The McKinsey Global Institute estimates that 127 new IoT machines go online every second. Data from CUJO AI research shows the significant presence of these gadgets in Western households, where an average consumer home has upwards to 20 online-capable devices.

As we become more connected and 5G-enabled smart city solutions with even more points of connection proliferate, are we putting our connected lives at risk? To even start answering this question, we first have to realise that the IoT threat landscape is not stagnant.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority. World Economic Forum | Centre for Cybersecurity

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

The myth of perpetual, unchanging threats

Hardly a week goes by without an article about a new type of IoT device being hacked: internet protocol (IP) cameras, baby monitors, light bulbs, even rifles.

Nevertheless, the IoT security landscape has progressed a lot since 2010, even if the perception of IoT vulnerabilities has largely stayed the same. It’s true that people are still playing VNC roulette – trying to remotely access devices at random – or even attempting to hijack cars. For the most part, however, the public image of IoT threats is perpetuated by the media and attention-hungry security researchers. Scary headlines drive clicks.

The real truth is that a decade of threats and increased awareness has pushed IoT security to change course. Some of these changes are welcome, while others provoke mixed feelings among security researchers.

A decade of threats and increased awareness has pushed IoT security to change course. Some of these changes are welcome, while others provoke mixed feelings.—Zoltan Balazs, CUJO AI

Growth, data collection and shifting security challenges

A decade and a half ago, it was hard to find a smart household device, now it’s hard to find one that is not smart. More than 70% of TVs sold today are smart, and even the “dumb” ones can stream online content through Roku or other smart devices. Analysts predict a compound annual growth rate for Internet Connected Devices of 11% by 2023.

Although some of these devices have useful features, a key driver for developing smart devices is data collection. Some vendors even sell devices with data collection features at a lower price. Customer privacy is a wholly different topic, but it must be noted that having an additional point of contact and connectivity for data collection creates an additional risk vector. To put it simply: the risk of a home network getting hacked increases in line with the number of connected devices, especially if we take IoT devices’ long lifespans into account.

Nevertheless, there have also been positive changes in the IoT industry. IP cameras were once notorious hacking targets due to glaring vulnerabilities like open telnet ports. Nowadays, as devices such as these tend to operate via the cloud only, attacking them is more difficult because they do not usually have open ports or hardcoded default credentials and so are more secure.

Cloud connectivity may create more threats than solutions

Cloud connectivity has generally been good for security, but it is important to note that it is a key enabler for data collection in the IoT sector. Also, while the move towards cloud services may have solved some glaring security issues, new ones appear almost instantly.

While the move towards cloud services may have solved some glaring security issues, new ones appear almost instantly.—Zoltan Balazs, CUJO AI

If a device can only work with an internet connection to cloud servers, operational risk becomes a concern – what happens if the servers go down? Cloud dependency has rendered many devices non-functional in recent years, from smart pet feeders, to home temperature control and security devices, doorbells and vacuum cleaners.

Devices can also be hacked en masse through cloud connectivity. One researcher was able to generate valid camera IDs, use those IDs to connect to a device login screen and guess owners’ passwords or bypass the authentication altogether.

IoT security depends on good practices, which are still not followed by many developers. Standard username and password combinations remain common, as does password reuse. This leaves systems and accounts vulnerable because malicious actors can use that information to target IoT systems. This happened with Ring doorbells before its provider offered two-factor authentication, which significantly reduces the chances of a successful attack, according to our experience at CUJO AI. Sadly, not all IoT service providers offer multi-factor authentication.

Hacking centralised cloud services is also more lucrative for criminals. Once a cloud camera service provider is breached, hackers might be able to access all cameras operated by a provider and then sell that access. The recent case of 150,000 hacked Verkada cameras is a good example of this type of breach.

Another development in the IoT threat landscape is the shift towards targeting higher-value cloud-enabled devices, such as Network Attached Storage (NAS). Criminals focus more on the vulnerabilities of these devices and use them to install ransomware that encrypts the victim’s backups, such as family photos and videos. According to data from CUJO AI Labs, NAS adoption is stable at around 0.2-0.3% of all online devices, which makes it a common, but not pervasive target.

The near-term future of IoT threats and security

The growing number of connected devices is forcing the long-overdue transition to Internet Protocol version 6 (IPv6) addresses. As more Internet Service Providers (ISP) support IPv6 by default, IoT devices will be able to connect to the internet directly rather than operating on private networks. Unfortunately, few of these devices will be powerful enough to run any antivirus or antimalware software. As such, we expect to see more instances of attackers connecting directly to these devices from the internet.

ISPs could block such connections at the gateway (the router) or by adopting better network monitoring solutions, but it is unclear how many ISPs will be willing and able to do this. We will find out whether these new IoT threats appear at the ISP level in the very near future, although hopefully not as part of a new research article about an in-the-wild IPv6 botnet.