Internet of Everything will change our lives but cyber gangs can't wait to pounce
Ahead of a major cyber security conference next week, speaker Rik Ferguson tells how appliances, cars, payment services and everything else we rely on are now vulnerable
The statistic we so often hear about the Internet of Things is that by 2020 there'll be 20.8bn connected devices in operation worldwide. What we often overlook, however, is that all of them will be talking to each other, and that with each communication there's a possibility of it being intercepted.
For hackers, a connected world is one of infinite possibility. Attacks can spread like wildfire between 'things', granting unprecedented access and causing unprecedented damage. What dystopian realities lie ahead - driverless cars commandeered, 'smart homes' rebelling against their owners and 'connected' appliances suddenly behaving like HAL 9000?
That last one might still be a dystopian fantasy, but it's worth considering the dangers of our increasing reliance on machines.
"We're no longer just talking about the Internet of Things," said Rik Ferguson of Trend Micro, who is a speaker at Dublin Info Sec 2016 at the RDS next Tuesday.
"'IoT' has morphed into 'IoE', the Internet of Everything. It's no longer simply about connected devices; it's about connected services, individuals and devices and the exchange of information between them, along with automated decision-making based on its input."
Ferguson is vice president of security research at Trend Micro, the global information security company founded in Los Angeles in 1989. Researching online threats and the underground economy, Ferguson also works as project leader with the International Cyber Security Prevention Alliance (ICSPA) and is a Special Advisor to Europol EC3.
Increasingly, connected devices are considered as pieces of their wider networks, which are only ever as strong as their weakest constituent part. "Certainly the widest adoption of so-called things right now would be non-consumer," said Ferguson. "There are many kinds of connected device beyond police cameras and Fitbits - there's a whole gamut of 'things' in between."
These devices also bring with them a gamut of security measures, which are all too often overlooked. In Japan, Trend Micro recently released a software development kit aimed at the automotive industry, addressing the urgent need for security standards for 'smart' vehicles. "We've already seen (security researcher) Charlie Miller and his colleagues take over a Jeep remotely," said Ferguson, "and we know that a lot of cars are stolen digitally: rather than breaking the window, thieves can intercept the signal from a keyless entry card. The signal can be replayed, and someone can gain entry and drive off."
This, as with other IoT-related crime, relies on the absence of basic security technology which would come as standard in everyday computers. Devices continue to appear on the market without security software, and moral dilemmas around the safety of 'things' such as driverless cars are complicated further. Only last week a botnet called Mirai (a Japanese word which means - intriguingly - 'the future') used unsecured IoT devices to launch one of the biggest Distributed Denial of Service (DDoS) attacks of recent times. The botnet was able to take down major sites including Netflix, Twitter and PayPal, by infecting devices with weak default passwords and recruiting them into the botnet.
"DDoS can be an easy attack to pull off, but what makes it so powerful is that it's a very difficult attack to mitigate against," Ferguson said. "It relies on volume, which is why it can be so large. Even companies which specialise in mitigating DDoS struggled to fight the Mirai attack. It gets difficult to defend against when it's that size, and the consequence of failing is that you're not connected any more, and can no longer do business. What we saw a week ago was the fabric of the internet being disrupted; anyone who's connected is vulnerable."
Ferguson predicted further attacks, pointing out that Mirai could easily create greater devastation: "Mirai hasn't been dismantled or destroyed in any way… It was a pure denial of service attack, but by using amplification techniques it could become exponentially bigger. This isn't the full extent of its capabilities, not by a long way."
The future of cyber crime lies in targeting not only IoT devices, but the storage facilities they send their data to. "Research tends to focus on that device, looking for vulnerabilities either from a hardware perspective or a software perspective. But what you have to remember is, a lot of those connected devices are there for the purposes of collecting information, but aren't capable of processing or even just storing it. Instead the information is sent to a data centre, where it can be stored and mined and collated, and all the value can be extracted from it." The onus will be on providers to secure centres, with Ferguson saying: "It's the data centres which will be really attractive to criminals, because that's where the value is."
Debate has centred around the role of Internet Service Providers (ISPs), which might prevent future IoT attacks with blocking and filtering, or simply promise to notify their customers if they encounter malicious traffic.
But there's also the question of the legions of unsecured devices already out there, rushed to market without regard for security. Regulation, meanwhile, seems to be a long way off, despite IoT's escalating role in industries such as healthcare.
Ferguson advised businesses to carefully manage their network infrastructures, taking care to monitor traffic and to keep IoT networks and corporate data networks entirely separate. "You need to minimise, or eliminate completely, any crossover between the two.
"That way the vulnerability of the less securely engineered network is not going to affect your data networks where you keep financial data, or intellectual property."
Technology is evolving too quickly to keep itself safe. "The prime driver for people developing connected devices so far has been the prospect of being quick to market," Ferguson agreed. "Security, if it's thought of at all, remains an afterthought."