IoT Cybersecurity Trends To Look Out For In 2019
By Jaime Manteiga
You just found out that the smart coffee maker in your office break room has been hijacked and has been sending millions of spam emails for months. Worse, your corporate internet router was used by overseas hackers to conduct distributed denial-of service (DDoS) attacks against another company, or against your own government. In both cases, your company wasn’t even the ultimate target of the attacks. Imagine if it was.
Expensive, embarrassing incidents like these are becoming more common and more advanced in the ever-growing internet of things (IoT) and could have serious consequences — especially for small and medium businesses (SMBs) that can ill afford the fallout. The IoT isn’t new, but it has yet to reach its full potential. As 5G networks gradually roll out in major cities over the next year, the number of connected devices is expected to explode. Businesses have already been the earliest adopters of IoT technology, and thus the canaries in the coal mine for the newest cyberattacks. They will likely continue to be on the cutting edge of new connected technologies and the threats that come with them over the next few years.
In my work as an information security researcher, I’ve helped both small businesses and large corporations identify and mitigate serious flaws in their systems, including the types of connected systems that make up the IoT. It’s vital for business leaders to keep an eye on the current threat landscape to understand where their vulnerabilities lie and how they can protect their technology and assets.
According to Business Insider, investments in IoT could top $830 billion USD by 2020. Businesses are investing in connected technology to increase productivity and reduce costs. For smaller companies, smart devices that save on personnel and operating costs can be game-changers.
Mobile payment systems have become essential for many small businesses and are getting more sophisticated each year. Devices that track supplies and products throughout the supply chain, including those for inventory and real-time shipping data, reduce the costs associated with overstocking, delivery inefficiency and poor product quality. Connected smart locks and cameras can reduce or eliminate the need to hire expensive security contractors by allowing remote monitoring and control of building access. Other IoT innovations range from smart devices that help reduce building utility costs to artificially intelligent automated customer service agents.
Additionally, with 5G coming fast, IoT innovations are set to change many aspects of society and daily life — opening new markets and opportunities for businesses and entrepreneurs. Self-driving cars and smart roadways are only a few years away. Advanced factory automation, remote monitoring of municipal utilities and telemedicine are also expected to emerge.
With all these advances, however, will come new cybersecurity risks with higher stakes than ever.
The Symantec 2019 Internet Security Threat Report indicates that cyberattacks on IoT held steady from 2017 to 2018 but are rapidly evolving in sophistication.
Most attacks consist of bots or worms designed to take over vulnerable smart devices, mostly Linux-based internet routers (75% according to Symantec), and use them to commit other crimes like DDoS or illegal mass marketing. However, an increasing number of attacks have even more nefarious purposes. Attacks against industrial control systems (ICS) are on the rise — something that can threaten critical infrastructure and public safety. Both military and civilian infrastructure rely heavily on supervisory control and data acquisition (SCADA) systems that are becoming highly valued targets for the world’s most advanced hackers.
In my experience, routers are often only the gateway for attackers to achieve deeper penetration into a target system. Particularly nasty router malware that poses an advanced persistent threat (APT) has significantly evolved in the past year. New manifestations can remain in a target’s memory even after reboot and can completely wipe a device on command. These worms now feature advanced payloads that can steal SCADA data and security credentials and intercept or spoof secure communications between connected devices.
Nearly half of all router attacks are accomplished using the default username and password for the device, according to the Symantec report, often as simple as “admin” and a blank password. Unfortunately, I’ve observed that manufacturers of routers have been negligent over the years in shipping products with the default settings in place, leaving consumers to do their own due diligence.
Protecting Your Business
One of the most frustrating aspects of the IoT threat is that it is largely preventable. Here are some things to think about to help stop an information security nightmare before it starts.
- Basic precautions like setting a secure password can thwart most simple router and other IoT attacks. Always follow password best practices for connected devices in your network.
- Ensure that your technical team performs a full cybersecurity review of systems before purchase and implementation. If this is beyond their expertise, hire a third party to ensure a proper selection of equipment and software.
- More insidious than sloppy security practice is the threat of backdoors being deliberately embedded into an IoT device in the supply chain. Take the time to understand where your equipment originates and consider having your information security team investigate the supply chain security of the manufacturer.
- Hackers are opportunistic criminals and go after the weakest fish in the pond. You should never assume that because you survived last year’s barrage of attacks that the same will be the case this year. Be sure to stay ahead of the game by updating and patching all software and having regular security assessments.
Nobody wants their company to be the last one on the block to figure out how to protect their assets and customer data from the latest threats. Stay informed and be proactive to avoid becoming another statistic.