My own interest in security began several years ago after I offered to help friends and family members who had become flummoxed by various computer problems they were experiencing. For the most part, the issues they had were centred around getting games to work (the youth of today don’t know how lucky they are with their consoles and services such as Steam), but beyond that, viruses were always the motivation behind their frantic phone calls.
Research on the then new-fangled web thing often proved fruitful, in combination with some trial and error, and their shiny new 386s and 486s were quickly restored to full working order.
Time moves on though and nowadays we see some pretty decent security products on the market. Whilst they are no golden bullet, they do allow the average home user to avoid the constant headache of trying to manually remove the latest virus (as long as they are sufficiently security-aware that they don’t invite them onto their system in the first place).
But that doesn’t mean that the threat to home users has completely disappeared.
On the contrary, many users may soon find themselves voluntarily inviting more potential problems into their homes via the Internet of Things (IoT).
The interconnected home of the not-so-distant-future could pose far more danger than the old PCs of the past, especially given how malware has progressed far past the point of presenting victims with nothing more than some quaint graphics and some humorous text.
With fridges, hoovers, lights and thermostats being manufactured with far too much attached connectivity – in my opinion (and I’m not alone in having concerns) – the Internet of Things presents new challenges according to Hewlett-Packard (HP).
In a study of the ten most popular IoT devices, HP discovered a total of 250 security vulnerabilities.
The unnamed devices each featured some form of cloud and remote mobile application component. Additionally, 90% collected personal information which in some cases included names, addresses, dates of birth and credit card details.
Seven of the ten devices transmitted data over an unencrypted network and sixty percent featured insecure interfaces. Eight of the ten devices allowed weak passwords to be deployed, including such classics as “1234.” (do you know how to choose a strong password?)
The report suggests that device manufacturers should follow the OWASP Internet of Things Top 10 project that was used as part of the test.
HP also suggested that vendors should –
- conduct security reviews of devices and all associated components
- adopt stringent standards that must be met before production commences
- apply security principles throughout the product lifecycle
Commenting on the report, Mark Sparshott, director of EMEA at Proofpoint, envisages IoT as the next big threat in the security field in terms of phishing attacks:
“In January 2014 Proofpoint discovered hacked internet connected home devices being enrolled into botnets and used to distribute spam and malicious emails. Given the explosive growth in IoT devices (Cisco predicts 50bn connected devices by 2020) Proofpoint believes that the IoT will be the next industrial revolution for cybercriminals bringing about technological, socioeconomic, and cultural changes which deeply concern forward thinking security professionals. An almost endless supply of new IP addresses will make the traditional IP reputation systems that many security vendors still rely on extinct.
Today each single bot that Proofpoint tracks will typically send 100s or 1,000s of phishing emails in campaign after campaign providing an opportunity to identify and blacklist them. However last year Proofpoint saw cybercriminals start using database marketing techniques such as IP, sender and content rotation within targeted email attacks called “longlining” that bypass reputation systems.
Future IoT botnets will be 100s or 1,000s of times larger exponentially increasing the rotation available. It is conceivable that a future IoT bot could send just 1 phish and never appear on any reputation block list. The IoT and the increasing use of zero-day threats to bypass signature-based security systems means that enterprise security strategies have to evolve to leverage cloud based dynamic sandboxing and malware analysis as well as focus on reducing the time to remediate the inevitable breach through automated security response.”
Considering all the other potential threats posed by IoT, I for one hope that vendors get their acts together and weigh the security implications on a par with the need for innovation and profit.