As the annual cyber security reports came in towards the end of 2018, it was no surprise to see thet there was an increase in both the number of attacks and the damage done. Most threat analyses also showed that attacks and exploits were getting more sophisticated. The ENISA Threat Landscape Report report showed a rapid rise in IoT-based attacks as well, among others.
The well-known Mirai botnet, first observed in 2016, is still evolving to exploit new vulnerabilities to add IoT devices to its botnet. Several new malware campaigns were also launched, most notably the VPNfilter strain of malware that targets small home and office routers and network storage devices (NAS).
The main objective of these botnets so far has been to take control of devices and use them to attack other parts of the Internet infrastructure. However, researchers are now reporting a rapid increase in attacks that take advantage of the device itself, for instance in cryptojacking campaigns where devices are compromised and used to mine for cryptocurrency.
How can IoT devices such as Utilitywise’s new energy counter be protected within businesses
What is most concerning is ENISA’s observation that there is also an increase in attacks that aim to disable or compromise the IoT network’s functionality itself. In particular, during 2018, a piece of malware called Trition was uncovered, which seeks to compromise industrial safety systems. One can only imagine the devastating outcome a successful attack on these systems could have.
What we can learn from 2018
Even as high-profile attacks like Mirai raise awareness of the vulnerability of IoT devices, there remains a noticeable lack of countermeasures. We did see a few steps in the right direction last year, with the release of the UK government’s IoT Code of Practice, which was created in close cooperation with the industry and other stakeholders. The challenge in 2019 is ensuring that the measures laid out in the code are actually applied to products in the market.
Even more difficult, as the continued threat of the Mirai family shows, is to patch the vulnerable devices that are already in homes and businesses. Think about it – when was the last time you checked if there was new software for your wifi-router or your printer?
We still rely on manufacturers and service providers to supply timely software updates and to help people make the right choices. For instance, service providers are often obliged to force users to pick a unique password upon installation, instead of leaving an easy-to-guess default in place.
With GDPR being a hot topic in 2018, many suppliers reviewed their installation and subscription processes to obtain customer consent for collecting and processing data. Unfortunately, the same attention hasn’t yet been applied to security-related settings. With much of the debate still centred on privacy and data security, we shouldn’t forget the threat that many of these devices impose on other parts of the Internet. Even if your own data is secure, your device might still be used to inflict harm on others or to attack critical infrastructure.
4 modern challenges for the Internet of Things
With the development of embedded networked systems, Bo Wei – senior lecturer in Computer Science at Teesside University – discusses how the technology behind the Internet of Things (IoT) has become mature and readily available in people’s daily lives. Read here
With greater awareness of IoT vulnerabilities and their potential impact, there are many ongoing discussions regarding the need for regulation. While there could be benefits to that approach, for instance, levelling the playing field between industry actors, there are also a lot of challenges. In the borderless world of the Internet, for regulation to have an effect, it needs to be internationally coordinated and that makes the process slow and complex. It will remain an uphill battle for regulation to keep pace with a rapidly evolving threat landscape and novel IoT applications that are being invented every day.
No doubt this year we will again see a number of big attacks, but hopefully, we will also see a rapid response in patching newly-discovered vulnerabilities. For this to happen, close collaboration between the IoT industry, the security companies and public sector is absolutely crucial in order to exchange details and coordinate responses.
Securing networks in the IoT revolution
Let’s hope that with an increase in coordination and the adoption of self-regulatory approaches such as the Code of Practice we can turn the tide. But let’s also keep in mind that this is not solely a burden for the IoT or Internet industry – consumers can play a role as well. Security and safety should be synonymous with quality and we all understand that quality costs money. And of course, security remains dependent mainly on the user to check for and install updates regularly and to change any default passwords as soon as they unwrap their latest gadget.
Written by Marco Hogewoning, senior external relations officer at RIPE NCC