John Hultquist, vice president of intelligence analysis at Google-owned cybersecurity firm Mandiant, likens his work to studying the minds of criminals through a soda can. He tracks cyber threat groups in real time on the dark web, watching what amounts to a free market in the ebb and flow of criminal innovation.
Groups buy and sell services, and a hot idea – a business model for crime – can quickly take off when people realize that it works to cause harm or make people pay. Last year it was ransomware, as criminal hacker groups figured out how to shut down servers through what are called distributed denial-of-service attacks. But 2022 could be a turning point, according to experts, due to the rapid proliferation of IoT (Internet of Things) devices.
Attacks are evolving from those that shut down computers or steal data to those that can more directly disrupt daily life. IoT devices can be entry points for attacks on parts of a country’s critical infrastructure, such as power grids or pipelines, or they can be a specific target for criminals, as in cars with software or medical devices.
“My wish is that cyber security vulnerabilities never affect lives and infrastructure,” says Meredith Schnur, head of cyber brokerage for the US and Canada at Marsh & McLennan, which insures large companies against cyberattacks. “Everything else is just business.”
Over the past decade, manufacturers, software companies, and consumers alike have jumped at the promise of Internet of Things devices. There are now nearly 17 billion in the world, from printers to garage door openers, each filled with easily hackable software (some of it open source). Mario Greco, CEO of insurance giant Zurich Insurance Group, told The Financial Times on December 26 that cyberattacks could pose a bigger threat to insurers than pandemics and climate change if hackers aim to disrupt people’s lives rather than just spying or stealing data.
According to Microsoft’s Digital Defense Report 2022, IoT devices are a key entry point for many attacks. “While IT hardware and software security has been strengthened in recent years, Internet of Things (IoT) security … has not kept pace,” according to the report.
Last year, attacks that reached the physical world through the cyber world made up an increasing share. Last February, Toyota suspended operations at one of its plants due to a cyber attack. In April, Ukraine’s electricity network was targeted. In May, the Port of London suffered a cyber attack. These follow major attacks on critical infrastructure in the US in 2021, including the shutdown of Colonial Pipeline and the energy and food supply operations of meatpacking conglomerate JBS.
What many experts anticipate is the day when enterprising criminals or nation-state-affiliated hackers will find an easily replicable scheme using IoT devices at scale. Perhaps a group of criminals with ties to a foreign government can take control of many things at once – such as cars or medical devices. “We’ve already seen large-scale attacks using the IoT in the form of IoT botnets. In this case, actors exploiting unpatched vulnerabilities in IoT devices used the control of those devices to launch denial-of-service attacks against multiple targets. Those vulnerabilities were regularly discovered in products everywhere and rarely updated.”
In other words, the possibility already exists. It’s just a matter of when a criminal or a nation decides to act in a way that targets the physical world on a large scale. “It’s not always the art of the possible. It’s a market-based thing,” Hultquist said. “Someone finds a successful scheme to make money.”
Shlomo Kramer, an early investor in Palo Alto Networks and now one of the top cybersecurity investors in the world, says that the only answer to the cat-and-mouse game is constant innovation, apart from responding quickly to attacks.
There are several companies, new regulatory approaches, an increased focus on cars as a particularly important area, and a new movement in the world of software engineering to do a better job of cybersecurity from the start.
The Internet of Things has a big update problem
The cybersecurity industry is upping its game. Companies including Forescout and Phosphorus are focusing on IoT security, placing a heavy emphasis on a constant inventory of “endpoints” where new devices connect to the network.
Greg Clark, former CEO of Symantec and now chairman of Forescout, says that one of the main problems with Internet of Things security is the lack of a good process for updating devices with patches as new vulnerabilities, hacks or attacks are discovered. Many users are used to downloading updates and patches to computers and phones, and even in such cases a significant number of users do not bother to update.
The problem is worse in IoT: For example, who bothers to update their garage door opener? “Many IoT devices don’t have a system to update the code,” Clark said. “Fixing vulnerabilities in IoT is becoming a serious challenge.”
One of the areas of focus for cybersecurity companies, he said, is controlling the environment around devices so they can only do a certain set of tasks and cannot be weaponized to attack other networks. “A lot of hammers are swinging,” Clark said of products that make the IoT more secure.
The focus is on medical devices that are considered particularly important and particularly sensitive. Last month, Palo Alto Networks announced a new product aimed at medical device manufacturers.
IoT device manufacturers are under-regulated
Because the challenges are new and cut across industries, US guidelines and regulations remain patchy. This has left a lot of IoT cybersecurity up to consumers and companies across sectors, rather than the many manufacturers who make IoT devices.
“Hopefully there will be some new standards and new regulations that will force vendors to do more,” says Randy Trzeciak, director of Carnegie Mellon University’s scientific information and security policy and management program. “There needs to be a national debate about insuring the safety of devices and for the manufacturer to take some ownership and responsibility.”
Clark said CISA and the National Institute of Standards and Technology are working together to provide guidance for the thousands of manufacturers who make IoT devices, including things like ensuring IoT devices identify themselves on networks when they’re attached to them. In 2020, the US Congress turned the guidelines into law, but only for companies supplying the US government with IoT devices. A spokeswoman for the National Institute of Standards and Technology says it’s the only national law the agency is aware of. There are also some state- and industry-specific laws: For example, data on medical devices will be covered by HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over automobiles.
Some investors and executives are cautiously welcoming the increased involvement of regulators. “It’s just too complicated,” Kramer said. “There are not enough qualified and experienced security personnel.”
How cars are targeted
As more criminals turn their hacking attacks to the physical realm, cars are also becoming a target. This includes theft where attackers use keyless entry systems, as well as attacks on sensitive data stored in cars, such as maps and credit card information.
Countries around the world, led by the European Union, are rapidly adopting cybersecurity regulations for cars, with the EU’s rules coming into force in July last year.
The shift to electric vehicles has given regulators an opportunity to get ahead of criminals. As new technology lowered entry barriers, more car companies entered the market. This, in turn, has created an opportunity for regulators to work with industry groups that want to protect their local industries.
Concerns about cars are nothing new. In a remarkable experiment in 2015, two hackers attacked a Jeep Cherokee. David Barzilai, CEO of Karamba Security, a six-year-old Israeli company that helps car companies build their IoT devices to be more secure, said: “They turned off the engine on the highway – the brakes didn’t respond. It’s not an unpleasant situation.”
Barzilai says there have been dozens of attacks in the past 12 months by both serious gangs and teenagers. “When we started six years ago, the attacks were by states, mainly China. There’s been a democratization in the last 12 months” of car hacking, he said, pointing to the work of a teenager who figured out how to hack into the control systems of several dozen Teslas at once in January 2022.
Connected cars usually have SIM cards that hackers can attack through mobile networks. “All cars of the same car model use the same software,” he said. “Once hackers identify the vulnerability and a way to remotely exploit it, they can replicate the attack on other vehicles.”
Cybersecurity as an industry has long grown as an attempt to fix software and hardware on the market after criminals and foreign governments discovered vulnerabilities in systems they could exploit. A study by IBM’s Systems Science Institute found that it costs six times more to fix a cybersecurity vulnerability during software deployment than it does during development. Trzeciak says IoT is still relatively new as an industry and gives security-minded developers a chance to get ahead of the cat-and-mouse game, and there’s a growing movement of researchers and developers working on it, including Carnegie Mellon’s Software Engineering Institute’s DevSecOps initiative, which aims to add security to earlier stages of software development. This process-based innovation can make all kinds of software, including that in cars and medical devices, and therefore the devices themselves, more secure.