Are you ready for a surge in hybridized malware? What about IoT botnets mining cryptocurrency? Those are just two of the possibilities that could be lurking on the horizon in the coming year, according to interviews with several IoT security experts. In this article, we dig into these subjects,but also consider what 2018 could have in store, given the rapid growth of related technologies such as artificial intelligence, quantum computing and security and networking automation tools.
1. IoT ransomware and “synthetic malware” grows more common
Ransomware continued to gain ground in 2017. While the majority of traditional ransomware uses encryption to lock users out of computing platforms, next year, hackers will likely begin launching a wider variety of ransomware attacks, says Song Li, co-founder and CTO of NewSky Security. “IoT-based ransomware attacks could focus on stealing data or disabling the functionality of a target device,” Li said. IP cameras can capture sensitive footage from a range of locations, ranging from a factory floor to the inside of a house. “Hackers could say: ‘Unless you give me some Bitcoin, I’ll distribute this footage.’” Another possibility is hackers use IoT devices like webcams to funnel traffic to a malware-infected web address. “That address, in turn, can extract data from the accessing endpoint and demand ransoms for the return of that encrypted data,” said Ofer Amitai, CEO and co-founder of Portnox.
Alternately, a hacker could threaten to disable the functionality of, say, a smart lock or thermostat unless payment is received. Of course, there is no way to ensure hackers abide by their own terms. “We saw this with PCs where hackers would use a ransomware attack to lock someone out of their PC and come back and say: ‘I need more cryptocurrency.’”
In the coming year, we could see a continued hybridization of malware strains, where DDoS, ransomware and other attack types merge. “This gives rise to what I am going to call ‘synthetic malware,’” said Peter Tran, general manager and senior director of RSA's Advanced Cyber Defense division. “Thanks to the skyrocketing numbers of IoT devices, the various permutations of attacks will be unpredictable.”
2. IoT botnets take aim at cryptocurrency
Given the recent uptick in cryptocurrency valuations and heated competition in cryptocurrency mining, it is only natural hackers will work to cash in from the boom. “Many believe the blockchain is unhackable, but we already see an increase in the attacks against blockchain-based applications,” Amitai said. The central vulnerability here is not the blockchain itself, but rather the applications that run on it. “Social engineering will be used more often to extract passwords and private keys to hack these applications,” Amitai predicted.
There has already been a spike in IoT-botnet based mining in the case of the open-source cryptocurrency Monero, said Ankit Anubhav, principal security researcher at NewSky Security Inc. And hackers have repurposed video cameras for Bitcoin mining.
“Like traditional currency value and volatility structures, the risk is to flood the open market through IoT botnet miners, breaches in blockchain and general data integrity disruption, manipulation and outright smash-and-grab robbery of large pools of cryptocurrencies,” Tran said.
3. Vendors will investigate security for the quantum computing era
The global quantum computing race heated up in 2017. In the course of a few months, Intel unveiled a 17-qubit test chip, Microsoft detailed a new coding language for developing quantum programs, and IBM announced a prototype 50-qubit quantum computer. These advances raise the urgency to address potential security threats that come with quantum computing, which will likely become commercially available in less than a decade, said Louis Parks, CEO of SecureRF.
While experts have a variety of opinions regarding practical quantum computing, interest in the subject is on the upswing. As the National Security Agency has stated, quantum computing-based attacks will render common legacy public-key cryptography obsolete, potentially leaving countless IoT products in the field vulnerable to attack. In the face of quantum computing, modern computers could become the “pocket calculator stuff” described in “The Hitchhiker's Guide to the Galaxy,” Li said. “For a classical computer, decryption is like trying a key on a lock each time until it finds the right one. A quantum computer tries all keys of a lock at once to find the right one.”
“We believe 2018 will represent a major inflection point and, for the first time, engineers across a wide range of markets including the medical, automotive, data analysis and aerospace industries will confront the challenges quantum computers pose head on,” Parks said. “Semiconductor vendors, IoT platform providers and electronics manufacturers who are building products that will be in the field for 10 or more years will, in 2018, understand that they must confront the security threat posed by quantum computing. They will prioritize future-proofing their products as they prepare for the security challenges associated with the imminent quantum computing revolution.”
Li agrees quantum computing will change the landscape for IoT security. “That said, quantum computing still has a long way to go,” he said. Current encryption mechanisms could remain useful for the time being while mathematicians develop encryption algorithms that could take years for even a quantum computer to solve.
Another trend on the horizon could be the rise of hackers armed with quantum computers. “Quantum computing will not be used only for offense, but it will also be used for defense,” Li said.
4. Many IoT attacks will fly under the radar
In 2016, the most memorable IoT-based malware was easily the Mirai botnet, which crippled many mainstream websites. One of the most memorable botnets of 2017 is likely Reaper — alternately referred to as IoTroop, which is either substantially more dangerous than Mirai, or considerably less so, depending on whom you ask. Time will tell if Reaper is a sizable threat, but some of the most significant IoT security threats of 2018 may be attacks small enough to evade detection. “We will see more and more of what I will refer to as ‘micro-breaches,’ that being smaller form factor vulnerabilities and compromises slipping under the wire of current security monitoring and detection technologies,” Tran said. While many security tools look for the cyber equivalent of massive red line spikes, many IoT vulnerabilities are analogous to small accounting rounding errors on a general ledger. “They are not too interesting to look at but, at scale, they can be very dangerous. They can adapt, regroup, scale and attack much faster than traditional network-based ‘loud and proud’ attacks.”
Song Li agreed, saying he expects more IoT-based attacks that are so subtle they escape detection. “If hackers were targeting cars rather than computing platforms, it would be like they poked a small hole in their oil tanks. The cars would then be dripping out small amounts of oil, but would otherwise function normally,” he said. ”But the bad thing is: You are still poisoning the environment.”
5. Automation will take center stage
As IoT implementation scales to the point that enterprises have hundreds or thousands of IoT devices, they could become difficult to manage from a networking and data collection perspective. Automation and AI tools could help network administrators and security staff tackle the chaos by enforcing rules and detecting anomalous traffic patterns. “Automation will likely take center stage in 2018 as the leading security trend,” Amitai said. “On the whole, this is good news, because it ensures that more actors have adequate security postures, and it makes sense for modular devices like IoT that present difficulties when it comes to firmware upgrades.”
The prospect of widespread automation also bears the risk, said Tran. AI and machine-learning-based automation in the IoT domain could leave autonomous systems making automated decisions “across millions of functions for larger infrastructures such as transportation, power, healthcare, etc.” In addition, the algorithms behind these systems may be biased.
6. Hackers will target a greater variety of connected devices
In 2016, vast numbers of unsecured IP cameras helped pave the way for the Mirai botnet, one of the strongest on record. IP cameras will continue to pose a significant threat in 2018, given the large numbers of cameras with default (or no) passwords that also offer the bandwidth and computing that can be abused for botnets.
“Hackers are constantly looking for other ways to build botnets using other types of devices. These could be printers with no password or a weak password,” Li said. “In China, hackers are also targeting smart locks.”
7. Sensor attacks will become ubiquitous
Given that the Internet of Things is an outgrowth of sensor networks, it is logical that connected sensors themselves would emerge as a security vulnerability. Hackers could attempt to launch stealthy sensor-based attacks by sending energy to sensors that cannot be sensed by humans. Examples could be sending ultrasonic-based signals to a voice-control system or sending infrared signals to cameras.
8. Privacy will become a vital part of the IoT conversation
Enterprise companies are installing a growing number of IoT devices — connected thermostats and HVAC systems, smart TVs in boardrooms, connected printers and smart lighting. Meanwhile, industrial IoT continues to gain ground and consumers are warming to devices such as smart speakers. Despite this uptick in connectivity, the privacy ramifications of our hyper-connected environments are uncertain. “Privacy will become the elephant in the room,” said Don DeLoach, author of “The Future of IoT: Leveraging the Shift to a Data Centric World.”
The uptick in sensitive data tracking by large companies is already driving public distrust. “Recent events in the United States involving prominent social media sites add to that conversation, but the very real and imminent event is the European Union’s General Data Protection Regulation (GDPR) going into effect in May of 2018,” DeLoach said. “Essentially, this is designed to protect all personal information, and companies violating GDPR can face fines of up to 4 percent of their annual revenue.”
GDPR has already grabbed the attention of both U.S. and international companies doing business in Europe. “Moreover, most expect GDPR to be the leading indicator of the privacy laws that will emerge elsewhere, including North America,” DeLoach explained.
Another consideration is the 2017 Equifax data breach, involving some 145.5 million people, which highlighted the modern difficulties of protecting personally identifiable information such as name, address and social security numbers. Topics of future privacy-related discussions could focus on other types of information, DeLoach said, including IP address, geolocation, web browsing, phone logs, loyalty points and much more. “And IoT data will be filled with this information that will need varying forms of anonymization, DeLoach added. “This will take a while. Unfortunately, for the EU-based or involved companies, they don’t have a while. So like other earlier ‘burdensome’ regulatory requirements such as Basel-II and MiFID in the financial services industry, GDPR will be a cold wake-up call for the privacy discussion everywhere.”
If the Equifax breach was a reminder of the vulnerabilities of PII, IoT could complicate matters substantially, serving as a force multiplier for attacks targeting personal identifiable information (PII), Tran said. “In 2018, I anticipate a rise in using technologies like Blockchain and data tokenization to revamp current PII data structures such that we de-value and render useless the current PII data structures,” Tran said. “Keep in mind that hackers look for very specific attributes for their targets such as data value/quality, volume and ease of access. Take one or more of these attributes away and the data has little value as a commodity for cybercriminals.”