- Reports of IoT breaches are common and efforts have progressed to manage such risks, but some of these developments provoke mixed feelings among security researchers.
- Devices that collect data have become increasingly common, particularly with the uptick in cloud-enabled technology.
- New solutions that are developed to combat ongoing security issues often come with new or different problems.
Internet of Things (IoT) devices are some of the least secure connected machines, but they are also becoming ubiquitous in our lives. The McKinsey Global Institute estimates that 127 new IoT machines go online every second. Data from CUJO AI research shows the significant presence of these gadgets in Western households, where an average consumer home has upwards to 20 online-capable devices.
As we become more connected and 5G-enabled smart city solutions with even more points of connection proliferate, are we putting our connected lives at risk? To even start answering this question, we first have to realise that the IoT threat landscape is not stagnant.
What is the World Economic Forum doing on cybersecurity?
The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.
Since its launch, the centre has driven impact throughout the cybersecurity ecosystem:
- Training a new generation of cybersecurity experts
Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training through the Cybersecurity Learning Hub.
- Building a global response to cybersecurity risks
The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
- Improving cybersecurity in the aviation industry
Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in aviation in collaboration with Deloitte and more than 50 other companies and international organizations.
- Making the global electricity ecosystem more cyber resilient
The centre and the Platform for Shaping the Future of Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to develop a clear and coherent cybersecurity vision for the electricity industry.
- The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
- The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.
Contact us for more information on how to get involved.
The myth of perpetual, unchanging threats
Nevertheless, the IoT security landscape has progressed a lot since 2010, even if the perception of IoT vulnerabilities has largely stayed the same. It’s true that people are still playing VNC roulette - trying to remotely access devices at random – or even attempting to hijack cars. For the most part, however, the public image of IoT threats is perpetuated by the media and attention-hungry security researchers. Scary headlines drive clicks.
The real truth is that a decade of threats and increased awareness has pushed IoT security to change course. Some of these changes are welcome, while others provoke mixed feelings among security researchers.
Growth, data collection and shifting security challenges
A decade and a half ago, it was hard to find a smart household device, now it’s hard to find one that is not smart. More than 70% of TVs sold today are smart, and even the “dumb” ones can stream online content through Roku or other smart devices. Analysts predict a compound annual growth rate for Internet Connected Devices of 11% by 2023.
Although some of these devices have useful features, a key driver for developing smart devices is data collection. Some vendors even sell devices with data collection features at a lower price. Customer privacy is a wholly different topic, but it must be noted that having an additional point of contact and connectivity for data collection creates an additional risk vector. To put it simply: the risk of a home network getting hacked increases in line with the number of connected devices, especially if we take IoT devices' long lifespans into account.
Nevertheless, there have also been positive changes in the IoT industry. IP cameras were once notorious hacking targets due to glaring vulnerabilities like open telnet ports. Nowadays, as devices such as these tend to operate via the cloud only, attacking them is more difficult because they do not usually have open ports or hardcoded default credentials and so are more secure.
Cloud connectivity may create more threats than solutions
Cloud connectivity has generally been good for security, but it is important to note that it is a key enabler for data collection in the IoT sector. Also, while the move towards cloud services may have solved some glaring security issues, new ones appear almost instantly.
If a device can only work with an internet connection to cloud servers, operational risk becomes a concern – what happens if the servers go down? Cloud dependency has rendered many devices non-functional in recent years, from smart pet feeders, to home temperature control and security devices, doorbells and vacuum cleaners.
Devices can also be hacked en masse through cloud connectivity. One researcher was able to generate valid camera IDs, use those IDs to connect to a device login screen and guess owners’ passwords or bypass the authentication altogether.
IoT security depends on good practices, which are still not followed by many developers. Standard username and password combinations remain common, as does password reuse. This leaves systems and accounts vulnerable because malicious actors can use that information to target IoT systems. This happened with Ring doorbells before its provider offered two-factor authentication, which significantly reduces the chances of a successful attack, according to our experience at CUJO AI. Sadly, not all IoT service providers offer multi-factor authentication.
Hacking centralised cloud services is also more lucrative for criminals. Once a cloud camera service provider is breached, hackers might be able to access all cameras operated by a provider and then sell that access. The recent case of 150,000 hacked Verkada cameras is a good example of this type of breach.
Another development in the IoT threat landscape is the shift towards targeting higher-value cloud-enabled devices, such as Network Attached Storage (NAS). Criminals focus more on the vulnerabilities of these devices and use them to install ransomware that encrypts the victim’s backups, such as family photos and videos. According to data from CUJO AI Labs, NAS adoption is stable at around 0.2-0.3% of all online devices, which makes it a common, but not pervasive target.
The near-term future of IoT threats and security
The growing number of connected devices is forcing the long-overdue transition to Internet Protocol version 6 (IPv6) addresses. As more Internet Service Providers (ISP) support IPv6 by default, IoT devices will be able to connect to the internet directly rather than operating on private networks. Unfortunately, few of these devices will be powerful enough to run any antivirus or antimalware software. As such, we expect to see more instances of attackers connecting directly to these devices from the internet.
ISPs could block such connections at the gateway (the router) or by adopting better network monitoring solutions, but it is unclear how many ISPs will be willing and able to do this. We will find out whether these new IoT threats appear at the ISP level in the very near future, although hopefully not as part of a new research article about an in-the-wild IPv6 botnet.