This is a contributed article by Jan van Vliet, VP and GM EMEA at Digital Guardian
2017 was a landmark year in the evolution of the Internet of Things (IoT), but not for positive reasons. Unfortunately, it marked the first time that it was successfully targeted by a large-scale cyber-attack, in the form of the Mirai malware, which recruited IoT devices into a botnet that was used to create large-scale, disruptive denial-of-service attacks all over the world. At the same time, another major IoT security red flag was raised by a group of researchers at the Def Con hacking conference, who successfully demonstrated it was possible to lock an IoT-enabled thermometer with a targeted ransomware attack.
Before going any further, it’s important to distinguish between the traditional ransomware attacks typically found on PCs and servers, and the type of ransomware attacks starting to emerge on IoT devices. The former infects the target computer or device and then encrypts key data before asking the victim to pay a ransom in exchange for unlocking it again. While it can be possible to use data backups to restore devices without paying the ransom, in many cases victims are forced to cede to the attackers’ demands, which is why the ransomware industry is considered such a profitable criminal enterprise.
The aim of IoT ransomware is different. Due to their nature, few, if any, IoT devices hold meaningful amounts of sensitive data on them, rendering the traditional style of ransomware attack redundant. As a result, attackers have been forced to change tack, instead focusing on using ransomware to lock users out of their devices completely. On the surface this may seem like more of an inconvenience than anything else, but when considered in the context of the example above from Def Con, being locked out of your home’s thermostat in the dead of winter could have significant consequences. When applied to a larger-scale example such as the thermostats controlling refrigeration units in a food storage warehouse, or a data center air conditioning system, the motivation behind (and threat posed by) this new form of ransomware starts to become clear.
Unfortunately, the reality is that a huge number of the IoT devices currently in operation are extremely vulnerable to this form of attack. Why? In their rush to surf the crest of the IoT popularity wave over the last few years, manufacturers and vendors were creating and selling millions of IoT devices as fast as they could, with device security seen as little more than an afterthought. As a result, the majority of devices out there today have default credentials, use insecure configurations and protocols, and are notoriously hard to upgrade, making them extremely easy to compromise.
To make matters worse, the appearance of low-level protocol hacks such as KRACK is providing attackers with new ways to bypass and compromise IoT infrastructure and inject or manipulate data found within devices. This will have serious implications if the devices need to synchronize or receive control messages from a cloud application, with manipulated data potentially sending incorrect settings or actions back to the device.
When considering the deployment of any IoT devices both now and in the future, a comprehensive evaluation of device security from a variety of different angles is now an absolute necessity. At the very least the evaluation should cover the following three areas:
When the IoT was in its infancy, everyone was too excited about its potential to worry about future security issues, but now that the honeymoon period is over, manufacturers, vendors and users of the IoT all over the world need to start taking security much more seriously. Implementing basic security principles such as those mentioned above goes a long way to defending against many of the emerging threats such as the new wave of ransomware attacks seen in 2017. However, if the IoT is to become truly secure, it’s time to start treating it just like any other IT system and ensuring the protection in place is as robust, effective and long term.
Comments
Wings2i on April 09 2018
Insightful read on cyber security in the IoT space...