Insights from VDOO’s leadership
2018 was the year of the Internet of Things (IoT) – massive attacks and various botnets, a leap in regulation and standards, and increased adoption of IoT devices by consumers and enterprises, despite the existence of security and privacy concerns. 2019 will continue these trends but at a faster pace.
IoT Attacks in 2018
Among the multiple IoT attacks in 2018, we saw Wicked, OMG Mirai, ADB.Miner, DoubleDoor, Hide ‘N Seek and even a Mirai-Variant IoT Botnet used to target the financial sector. Yet, the major attack of 2018 was definitely VPNFilter, hitting over half a million devices, mostly routers, from a wide range of known vendors. While such an attack is relatively massive, it is no longer uncommon or unexpected.
Regulatory Efforts Will Increase
Do the increased attacks mean the industry is becoming accustomed to IoT cyber attacks? The regulation around IoT security was this year’s signal that the answer is, fortunately, no. Multiple regulatory actions at different levels were taken.
The DCMS (Digital, Culture, Media & Sport) department of the United Kingdom government published the “Code of Practice for Consumer IoT Security” and the “Secure by Design: Improving the cyber security of consumer Internet of Things Report”, setting guidelines and recommendations for secure IoT devices.
The California government took it a step further and passed the “B-327 Information Privacy: Connected devices” bill, which is the first to focus on IoT devices requiring them to be secure and protect the user’s privacy. This bill demonstrates that governments can, and will, be involved in regulating IoT devices.
Upcoming government standardization efforts will continue to increase substantially in 2019. We foresee regulations expanding beyond authentication and data privacy, and into more detailed requirements of network security and visibility into device bills of materials. These actions will increase the requirements, from security recommendations to actual mandates, that vendors must comply with.
Furthermore, in 2018 we’ve seen the reporting of IoT security incidents move beyond security and technology trade media into the mainstream media. We believe this will only grow in 2019 and, because this will increase awareness of threats with IoT users, it will, in turn, accelerate the regulation process, and put more pressure on manufacturers to raise the security bar for their products.
Three IoT Attack Avenues for 2019
Three avenues of attacks will continue growing rapidly over the coming year.
Attack Complexity Will Increase
While most IoT security research is conducted on devices that are easy to buy, and therefore to disassemble and hack in a lab, we expect to see a gradual increase in research on more high-end connected devices such as critical infrastructure for smart buildings, fire alarm systems and utility infrastructures.
Attackers are becoming more sophisticated and audacious – the VPNFilter attack on a Ukrainian chlorine distillation plant was a great example. This threat had the ability to spread to a huge number of devices, based on its modular mechanism suitable for different architectures, its ability to survive a device reboot, as well as its ability to monitor and intercept the traffic passing through the device. This kind of sophistication will continue to develop and is only an example of what we may see in the future where security implementation is lacking in IoT devices.
Increased Motivation for Secure-By-Design Devices
In addition, we have seen some of the first court cases regarding security and privacy issues ruled in favor of the user, imposing liabilities on the device manufacturer. During 2019, we predict that the number of these cases and rulings will continue to increase. Even if resolved outside of the courts, this trend will be a strong incentive for IoT manufacturers to take security more seriously, making security a critical issue during the development phase.
Furthermore, IoT manufacturers will be incentivized to secure their devices as enterprise buyers will demand secure devices within their corporate environment in order to reduce their risk exposure and attack surface.
The Time for Automation in Cyber Security is Now
The increasing cyber threats stemming from connected devices will have
About the author: VDOO
(SecurityAffairs –IoT, hacking)