As threats to IoT devices evolve, can security keep up?

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Zoltan Balazs, Head of the Vulnerability Research Lab, CUJO AI


  • Reports of IoT breaches are common and efforts have progressed to manage such risks, but some of these developments provoke mixed feelings among security researchers.
  • Devices that collect data have become increasingly common, particularly with the uptick in cloud-enabled technology.
  • New solutions that are developed to combat ongoing security issues often come with new or different problems.

Internet of Things (IoT) devices are some of the least secure connected machines, but they are also becoming ubiquitous in our lives. The McKinsey Global Institute estimates that 127 new IoT machines go online every second. Data from CUJO AI research shows the significant presence of these gadgets in Western households, where an average consumer home has upwards of 20 online-capable devices.

As we become more connected and 5G-enabled smart city solutions with even more points of connection proliferate, are we putting our connected lives at risk? To even start answering this question, we first have to realise that the IoT threat landscape is not stagnant.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure digital peace and security and encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and to refrain from doing harm.

The myth of perpetual, unchanging threats

Hardly a week goes by without an article about a new type of IoT device being hacked: internet protocol (IP) cameras, baby monitors, light bulbs, even rifles.

Nevertheless, the IoT security landscape has progressed a lot since 2010, even if the perception of IoT vulnerabilities has largely stayed the same. It’s true that people are still playing VNC roulette – trying to remotely access devices at random – or even attempting to hijack cars. For the most part, however, the public image of IoT threats is perpetuated by the media and attention-hungry security researchers. Scary headlines drive clicks.

The real truth is that a decade of threats and increased awareness has pushed IoT security to change course. Some of these changes are welcome, while others provoke mixed feelings among security researchers.

Growth, data collection and shifting security challenges

A decade and a half ago, it was hard to find a smart household device; now it’s hard to find one that is not smart. More than 70% of TVs sold today are smart, and even the “dumb” ones can stream online content through Roku or other smart devices. Analysts predict a compound annual growth rate for Internet Connected Devices of 11% by 2023.

Although some of these devices have useful features, a key driver for developing smart devices is data collection. Some vendors even sell devices with data collection features at a lower price. Customer privacy is a wholly different topic, but it must be noted that having an additional point of contact and connectivity for data collection creates an additional risk vector. To put it simply: the risk of a home network getting hacked increases in line with the number of connected devices, especially if we take IoT devices’ long lifespans into account.

Nevertheless, there have also been positive changes in the IoT industry. IP cameras were once notorious hacking targets due to glaring vulnerabilities like open telnet ports. Nowadays, as devices such as these tend to operate via the cloud only, attacking them is more difficult because they do not usually have open ports or hardcoded default credentials and so are more secure.

Cloud connectivity may create more threats than solutions

Cloud connectivity has generally been good for security, but it is important to note that it is a key enabler for data collection in the IoT sector. Also, while the move towards cloud services may have solved some glaring security issues, new ones appear almost instantly.

If a device can only work with an internet connection to cloud servers, operational risk becomes a concern – what happens if the servers go down? Cloud dependency has rendered many devices non-functional in recent years, from smart pet feeders, to home temperature control and security devices, doorbells and vacuum cleaners.

Devices can also be hacked en masse through cloud connectivity. One researcher was able to generate valid camera IDs, use those IDs to connect to a device login screen and guess owners’ passwords or bypass the authentication altogether.

IoT security depends on good practices, which are still not followed by many developers. Standard username and password combinations remain common, as does password reuse. This leaves systems and accounts vulnerable because malicious actors can use that information to target IoT systems. This happened with Ring doorbells before its provider offered two-factor authentication, which significantly reduces the chances of a successful attack, according to our experience at CUJO AI. Sadly, not all IoT service providers offer multi-factor authentication.

Hacking centralised cloud services is also more lucrative for criminals. Once a cloud camera service provider is breached, hackers might be able to access all cameras operated by a provider and then sell that access. The recent case of 150,000 hacked Verkada cameras is a good example of this type of breach.

Another development in the IoT threat landscape is the shift towards targeting higher-value cloud-enabled devices, such as Network Attached Storage (NAS). Criminals focus more on the vulnerabilities of these devices and use them to install ransomware that encrypts the victim’s backups, such as family photos and videos. According to data from CUJO AI Labs, NAS adoption is stable at around 0.2-0.3% of all online devices, which makes it a common, but not pervasive target.

The near-term future of IoT threats and security

The growing number of connected devices is forcing the long-overdue transition to Internet Protocol version 6 (IPv6) addresses. As more Internet Service Providers (ISPs) support IPv6 by default, IoT devices will be able to connect to the internet directly rather than operating on private networks. Unfortunately, few of these devices will be powerful enough to run any antivirus or antimalware software. As such, we expect to see more instances of attackers connecting directly to these devices from the internet.

ISPs could block such connections at the gateway (the router) or by adopting better network monitoring solutions, but it is unclear how many ISPs will be willing and able to do this. We will find out whether these new IoT threats appear at the ISP level in the very near future, although hopefully not as part of a new research article about an in-the-wild IPv6 botnet.
