The dark web’s criminal minds see IoT as the next big hacking prize

John Hultquist, vice president of intelligence analysis at Google-owned cybersecurity firm Mandiant, likens his job to studying criminal minds through a soda straw. He monitors cyber threat groups in real time on the dark web, watching what amounts to a free market for criminal innovation ebb and flow.

Groups buy and sell favors, and one hot idea—a business model for a crime—can take off quickly when people realize that doing harm or making people pay works. Last year, it was ransomware, when criminal hacker groups figured out how to shut down servers through what are called targeted denial of service attacks. But 2022, experts say, may have marked a turning point due to the rapid proliferation of Internet of Things (IoT) devices.

Attacks evolve from those that shut down computers or steal data, to include those that can more directly disrupt everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, such as electrical grids or pipelines, or they can be specific targets for criminals, as in the case of cars or medical devices containing software.

“What I want is for cybersecurity vulnerabilities to never negatively affect people’s lives and infrastructure,” said Meredith Schnur, cyber brokerage leader for the US and Canada at Marsh & McLennan, which secures large companies against cyberattacks. “Everything else is just business.”

Over the past decade, manufacturers, software companies and consumers have rushed to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each packed with software (some of it open source) that can be easily hacked. Speaking to The Financial Times on December 26, Mario Greco, CEO of insurance giant Zurich Insurance Group, said that cyber attacks could pose a greater threat to insurers than pandemics and climate change, if hackers aim to disrupt lives, rather than just to spy or steal data.

IoT devices are a key entry point for many attacks, according to Microsoft’s Digital Defense Report 2022. “While the security of IT hardware and software has strengthened in recent years, the security of the Internet of Things (IoT) … has not kept pace,” according to the report.

A rash of attacks that reached the physical world through the cyber world in the past year shows the increasing stakes. In February last year, Toyota stopped operations at one of its factories due to a cyber attack. In April, Ukraine’s power grid was targeted. In May, the Port of London was hit by a cyber attack. It followed a 2021 that included major attacks on critical infrastructure in the United States, shutting down the energy and food supply operations of Colonial Pipeline and the JBS meatpacking conglomerate.

What many experts anticipate is the day enterprising criminals or hackers affiliated with a nation-state figure out a scheme that is easy to replicate using IoT devices on a large scale. A group of criminals, perhaps linked to a foreign government, can figure out how to take control of many things at once, like cars or medical equipment. “We’ve already seen major attacks using IoT, in the form of IoT botnets. In that case, actors exploiting unpatched vulnerabilities in IoT devices used control of those devices to perform denial-of-service attacks against many targets. These vulnerabilities have been found regularly in ubiquitous products that are rarely updated.”

In other words, the opportunity already exists. It is only a matter of when a criminal or a nation decides to act in a way that targets the physical world on a large scale. “It’s not always the art of the possible. It’s a market-driven thing,” Hultquist said. “Someone figures out a scheme that succeeds in making money.”

Apart from reacting quickly to attacks, the only answer to the “cat-and-mouse game” is constant innovation, says Shlomo Kramer, an early investor in Palo Alto Networks and currently one of the top cybersecurity investors worldwide.

There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement in the software world to do a better job of incorporating cybersecurity from the start.

The Internet of Things has a major update problem

The cybersecurity industry is stepping up its game. Companies including Forescout and Phosphorus are focusing on Internet of Things security, which places a heavy emphasis on constant inventory of “endpoints” — where new devices connect to a network.

But one of the main problems in Internet of Things security is that there is no good process for updating devices with patches as new vulnerabilities, hacks or attacks are discovered, says Greg Clark, former CEO of Symantec and currently chairman of Forescout. Many users are used to downloading updates and patches to computers and phones, and even in these cases a significant number of users do not bother to install the updates.

The problem is much worse in IoT: Who bothers to update the garage door opener, for example? “Not many of the IoT devices have a system to update the code,” says Clark. “It will be a serious problem to remedy the vulnerabilities in the IoT.”

He said a focus for cybersecurity companies has become putting controls around devices so they can only do a certain set of things. That way, the devices cannot be armed to launch attacks on other networks. “There are a lot of hammers swinging,” Clark said of products that make the IoT more secure.

Medical equipment, which is seen as particularly important and particularly vulnerable, is one focus. Last month, Palo Alto Networks announced a new product aimed at medical device manufacturers.

IoT device manufacturers are not regulated enough

Because the challenges are new and cut across industries, the US guidelines and regulations remain a patchwork. That has left much of IoT cybersecurity up to consumers and companies across sectors, rather than the many manufacturers making IoT devices.

“I’m hoping there will be some new standards and new regulations that will force providers to do more,” said Randy Trzeciak, director of the Scientific Information and Security Policy and Management Program at Carnegie Mellon University. “There should be a national discussion around ensuring device safety, and where the manufacturer has to take some ownership and responsibility.”

Clark said CISA and the National Institute of Standards and Technology are working together, issuing guidelines for the thousands of manufacturers that make IoT devices. The guidelines cover such things as ensuring that IoT devices identify themselves to networks when they are added to them. In 2020, the US Congress made the guidelines into law, but only for companies that supply the US government with IoT devices. A spokesman for the National Institute of Standards and Technology says this is the only national law the agency is aware of. Some state-specific and industry-specific laws also exist: for example, data in medical devices will be covered by HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over automobiles.

Some investors and managers cautiously welcome the growing involvement of regulators. “It’s just too complicated,” Kramer said. “There are not enough qualified and experienced security personnel.”

How cars are targeted

As more criminal hackers target the physical realm, cars are a target. That includes theft, with attackers exploiting the keyless entry systems, but also attacks on sensitive information now stored in cars, such as maps and credit card data.

Led by the EU, countries around the world are rapidly adopting automotive cybersecurity regulations, with the EU’s coming into effect last July.

The transition to electric vehicles has created an opportunity for regulators to get ahead of the criminals. As the new technology lowered the barriers to entry, more car companies entered the market. In turn, that has created an opportunity for regulators to work with industry groups that want to protect their homegrown industries.

Concerns about cars are nothing new. In one landmark experiment in 2015, two hackers attacked a Jeep Cherokee. “They stopped the engine on the highway — the brakes didn’t respond. This is not a pleasant situation,” said David Barzilai, CEO of a six-year-old Israeli company called Karamba Security, which helps car companies make their IoT devices more secure.

Barzilai says that in the past 12 months there have been dozens of attacks, both by serious criminal gangs and teenagers. “When we started six years ago, the attacks were from states, mostly China,” he says. “In the last 12 months, there’s been a democratization” of car hacking, he said, pointing to the January 2022 case of the teenager who figured out how to access the control systems of a few dozen Teslas at once.

Connected cars typically have SIM cards, which hackers can attack via cellular networks, he said. “All cars of the same vehicle model use the same software,” he said. “Once hackers identify a vulnerability, and a way to exploit it remotely, they can replicate the attack on other vehicles.”

Cybersecurity as an industry grew mostly as an after-the-fact attempt to fix software and hardware that had long been on the market, as criminals and foreign governments discovered vulnerabilities in systems that they could exploit. A study by IBM’s System Sciences Institute found that it costs six times more to fix a security problem while the software is being implemented than while it is being developed. IoT is still relatively new as an industry, giving security-minded developers a chance to get ahead of the cat-and-mouse game, says Trzeciak, and there’s a growing movement of researchers and developers working on it, including Carnegie Mellon’s Software Engineering Department’s DevSecOps initiative, which aims to add security to earlier phases of software development. The process-based innovation can make all kinds of software, including that in cars and medical devices, more secure, and therefore make devices safer.
