5 IoT Security Predictions for 2019

2018 was the year of the Internet of Things (IoT): massive attacks and various botnets hit smart devices. These are 5 IoT security predictions for 2019.

Insights from VDOO’s leadership

2018 was the year of the Internet of Things (IoT) – massive attacks and various botnets, a leap in regulation and standards, and increased adoption of IoT devices by consumers and enterprises, despite the existence of security and privacy concerns. 2019 will continue these trends but at a faster pace.

IoT Attacks in 2018

Among the multiple IoT attacks in 2018, we saw Wicked, OMG Mirai, ADB.Miner, DoubleDoor, Hide ‘N Seek and even a Mirai-Variant IoT Botnet used to target the financial sector. Yet, the major attack of 2018 was definitely VPNFilter, hitting over half a million devices, mostly routers, from a wide range of known vendors. While such an attack is relatively massive, it is no longer uncommon or unexpected.  

Regulatory Efforts Will Increase

Do the increased attacks mean the industry is becoming accustomed to IoT cyber attacks? The regulation around IoT security was this year’s signal that the answer is, fortunately, no. Multiple regulatory actions at different levels were taken.

The DCMS (Digital, Culture, Media & Sport) department of the United Kingdom government published the “Code of Practice for Consumer IoT Security” and the “Secure by Design: Improving the cyber security of consumer Internet of Things Report”, setting guidelines and recommendations for secure IoT devices.

The California government took it a step further and passed the “B-327 Information Privacy: Connected devices” bill, which is the first to focus on IoT devices, requiring them to be secure and to protect the user’s privacy. This bill demonstrates that governments can, and will, be involved in regulating IoT devices.

Upcoming government standardization efforts will continue to increase substantially in 2019. We foresee regulations expanding beyond authentication and data privacy, and into more detailed requirements of network security and visibility into device bills of materials. These actions will increase the requirements, from security recommendations to actual mandates, that vendors must comply with.

Furthermore, in 2018 we saw the reporting of IoT security incidents move beyond security and technology trade media into the mainstream media. We believe this will only grow in 2019 and, because it will increase awareness of threats among IoT users, it will in turn accelerate the regulation process and put more pressure on manufacturers to raise the security bar for their products.

Three IoT Attack Avenues for 2019

Three avenues of attacks will continue growing rapidly over the coming year.

  1. Attacks that infect a high volume of devices with a direct internet interface (i.e., not located behind routers or firewalls) to conduct future DDoS attacks on data centers and cloud services or for cryptocurrency mining purposes.
  2. Targeted exploitation of specific devices for blackmailing individuals and organizations such as hotels, hospitals, or casinos. We foresee a few subsets of attacks on the horizon:
     • Hijacking devices and releasing them only upon a ransom payment
     • Recording embarrassing or incriminating video or audio
     • Hacking devices as part of APT (Advanced Persistent Threat) attacks and utilizing them for lateral movement to gain access to sensitive data assets (i.e., via printers that interact directly with web services, via smart conference call systems, etc.)
     • Utilizing connected devices’ functionality for intelligence collection by state-sponsored agencies and offensive cyber-security companies
  3. The vast research efforts by big security firms as well as individual security researchers to find and disclose zero-day vulnerabilities in a variety of devices (cameras, routers, gateways, NAS, vacuum cleaners) without vendor collaboration. This research, although well intended, will lead to attackers taking advantage of devices that were found to be vulnerable but haven’t been patched by the vendor.

Attack Complexity Will Increase

While most IoT security research is conducted on devices that are easy to buy, and therefore to disassemble and hack in a lab, we expect to see a gradual increase in research on more high-end connected devices such as critical infrastructure for smart buildings, fire alarm systems and utility infrastructures.

Attackers are becoming more sophisticated and audacious – the VPNFilter attack on a Ukrainian chlorine distillation plant was a great example. This threat had the ability to spread to a huge number of devices, based on its modular mechanism suitable for different architectures, its ability to survive a device reboot, as well as its ability to monitor and intercept the traffic passing through the device. This kind of sophistication will continue to develop and is only an example of what we may see in the future where security implementation is lacking in IoT devices.

Increased Motivation for Secure-By-Design Devices

In addition, we have seen some of the first court cases regarding security and privacy issues ruled in favor of the user, imposing liabilities on the device manufacturer. During 2019, we predict that the number of these cases and rulings will continue to increase. Even if resolved outside of the courts, this trend will be a strong incentive for IoT manufacturers to take security more seriously, making security a critical issue during the development phase.

Furthermore, IoT manufacturers will be incentivized to secure their devices as enterprise buyers will demand secure devices within their corporate environment in order to reduce their risk exposure and attack surface.

The Time for Automation in Cyber Security is Now

The increasing cyber threats stemming from connected devices will have a greater impact on business and operational continuity, as well as on consumers’ lives. For certain, IoT device manufacturers cannot leave IoT cyber security behind much longer. We foresee that in order to develop secure new devices, as well as patch the enormous catalogs of legacy devices, manufacturers will turn to automation as the only way to truly address security and privacy issues effectively. 2019 will be the year of technology-based solutions that rely on automation to become the guiding light towards a safer IoT ecosystem.

About the author:  VDOO

Pierluigi Paganini

(SecurityAffairs –IoT, hacking)
