The Internet of Things (IoT) is changing the way we live and work forever. It makes us more productive, healthier and happier, and it enables businesses to work smarter, more efficiently and with greater agility. There’s just one problem: from a security perspective IoT devices are fundamentally flawed. And the bad guys are getting pretty good at exploiting them.
Trend Micro predicts that 2017 could see an avalanche of new attacks on consumer-grade smart devices and industrial IoT environments. These systems may be worlds apart. But the effect of compromises on targeted businesses could be similarly devastating.
Mirai: just the beginning?
If 2016 was the year IoT-powered botnets became big news, then the coming 12 months could see the trend finally go mainstream. After the source code of the now infamous Mirai malware was publicly revealed last year, it didn’t take long before the black hats were using it to probe smart home devices for those featuring default usernames and passwords. They were then able to compromise such devices in the tens of thousands to create botnets capable of launching some of the biggest DDoS attacks ever seen.
One allegedly took the African nation of Liberia briefly offline. The most notable targeted the DNS firm Dyn, which had a devastating knock-on effect, taking down its clients – some of the biggest names on the web. The likes of Twitter, Reddit, Spotify and SoundCloud were all affected.
We predict that cybercriminals will this year continue to leverage basic security vulnerabilities in consumer grade devices like webcams and DVRs to build DDoS botnets. After all, the lukewarm reaction to Mirai among the vendor community has proven that there’ll always be vulnerable devices to exploit. In the crosshairs of hacktivists and financially motivated attackers using DDoS botnets will be service-based, news, corporate, and political sites this year.
At the other end of the spectrum, we’re likely to see an uptick in highly targeted attacks aimed at compromising Industrial IoT systems, like those found in manufacturing and energy firms. Once again, the precedent has already been set. Ukrainian power stations were disrupted in December 2015 and 2016 by relatively sophisticated attackers, leaving many without electricity.
The risk here is not necessarily of data loss but very real physical harm – because IIoT sits at the intersection of physical and cyber worlds. Hack a connected car and you could cause a major pile-up on the freeway. Successfully hack a power station during the middle of winter and who knows what could happen to residents unable to heat their homes?
Unfortunately, in this sphere too, the products themselves are woefully vulnerable to attack. In fact, supervisory control and data acquisition (SCADA) system vulnerabilities comprised nearly a third (30%) of the total number of vulnerabilities found by Trend Micro TippingPoint in 2016.
So what can we do? We can try to raise awareness of security among consumers and manufacturers, to reduce the easy pickings for the bad guys. And from an industrial standpoint, security bosses should always try to keep mission critical systems patched and up-to-date, and where possible, air-gapped from the wider internet. Also, ensure you have network IPS in place to detect and block malicious network packets.
As we head into a new year, we’re all going to have to up our game to mitigate the growing IoT security threat.
Article by Ed Cabrera, Trend Micro's chief cybersecurity officer.