Internet of Things attacks unlikely - but the cloud is another matter

News by Doug Drinkwater

Security software vendor Trend Micro says that nascent infrastructure means that there will be few attacks from cyber-criminals on Internet of Things devices next year.

In its 2015 predictions report, Trend Micro looks at a myriad of issues, from increasing security threats against Android mobile devices and advancing use of tools like the Blackhole Exploit Kit (BHEK) to the growing number of darknet users and targeted attacks coming from countries such as Indonesia, India and Malaysia.

However, it is on the Internet of Things where the ‘Security Predictions for 2015 and Beyond: The Invisible Becomes Visible' study is arguably most interesting, with researchers insisting that the diversity of devices, a lack of security protocols and the lack of a ‘killer app' will make it hard for hackers to carry out ‘truly effective attacks against them'.

“While we expect to see an upward surge in smart device use, securing the IoE/IoT (Internet of Everything, Internet of Things) space will entail a broader approach to keep endpoints and networks protected against potential threats,” reads the report on page 16.

“Though we will not see widespread IoE/IoT attacks in 2015, we will see whitehack attempts to spot weaknesses in already-available smart devices like smart refrigerators and cameras as well as wearables.”

However, Trend Micro believes that cyber-criminals will target the data collected by these devices and claims that attacks could ramp up as they become more familiar with such devices, and as common protocols (like the Open Interconnect Consortium) emerge.

“As we increasingly 'smartify' our homes, we should also pay attention to cloud security. Attackers are, after all, bound to employ better tactics to hack the data that we increasingly store in the cloud. Remember that failing to secure the data kept in the cloud can translate to giving virtually anyone, even bad guys, access to it. Though security practitioners will be compelled to better respond to breaches to regain public trust, at the end of the day, you are responsible for your own data.”

One attack vector the firm expects to see is ransom-related attacks against connected cars, the first of which are due to hit the road in 2015. Trend Micro is advising cards manufacturers to “incorporate network segmentation in their smart car designs to adequately shield users from such threat”.

This news comes just days after UK-based security consultancy Context Information Security warned that security remains an afterthought for most vendors making Internet of Things devices.

Speaking at the firm's Oasis conference last Thursday, principal consultant Paul Stone detailed how the company has tested the likes of the D-LINK NAS, LIFX Light Bulb (a Wi-Fi enabled multi-colour LED light bulb that can be controlled from a smartphone), the Canon Pixma Printer and Karotz Smart Rabbit over the last year, finding significant vulnerabilities with all of them.

These flaws included a lack of authentication, weak encryption and no digital signing of the firmware.

The light bulb – for example – had no authentication and was based on the largely unencrypted 6LoWPAN wireless network (based on the IEE 802.15.4 standard), which is how the ‘master' bulb communicates to the smartphone via the Wi-Fi network. In a blog post published at the time, the firm revealed that it used a peripheral device based on the same IEE standard to monitor IPv6 data packets and even identify the bulb containing the Wi-Fi network details.

They could then request these details from the LIFX system, and attempt to crack the encrypted credentials by ‘sitting outside in your car using the right equipment', according to Stone.

The Canon MG6450 Wi-Fi printer, meanwhile required no user authentication on its web interface – enabling hackers to make changes to the proxy DNS and maliciously intercept and insert firmware updates. They could also print out hundreds of documents or even install a Trojan on the device to spy on print commands.

In addition, the firm found that the printer's firmware used basic Xor Encryption. The consultancy eventually managed to get the popular 1990s videogame Doom running on the printer.

Canon and LIFX have since patched these flaws after Context disclosed the vulnerabilities, but that hasn't stopped Stone from saying that security remains an afterthought with such devices.

“At the moment these devices are rushed out to market and security isn't a priority. Fewer vulnerabilities – and more testing – are needed in future,” Stone said at the conference.

Context isn't alone in voicing concerns on the IoT. Fellow security consultancy Beecham issued a report in September warning of the potential failures around such connected devices.

“IoT security failures have the potential to impact every level of society needs, including food supplies and heating,” said Jon Howes, technology director at Beecham.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews