7 Menacing IoT Cyberthreats
While many headlines simplistically declare that the Internet of Things is intrinsically insecure, it’s helpful to look at the specific vulnerabilities.
March 6, 2017
![IoT Security IoT Security](https://eu-images.contentstack.com/v3/assets/blt31d6b0704ba96e9d/blt0fa6a285071e0cab/63abe8a0e2fcbe5c31e7ec34/ThinkstockPhotos-615488702-4.jpg?width=700&auto=webp&quality=80&disable=upscale)
Thinkstock
Internet of Things devices could open up digital extortion attacks against targets such as thermostats, smart lights, transportation networks, autonomous vehicles, and critical infrastructure.
After the Mirai botnet, it’s apparent that connected devices can themselves be an attack platform. Open-source IoT-enabled DDoS attacks make it possible for even an amateur cybercriminal to knock almost any organization offline.
Connected factories haven’t traditionally been targets of ransomware-style attacks. That could change because of the high potential for extortion in the industrial realm. “What would you pay to turn your factory back on?” Ed Skoudis of SANS asked at RSA.
In Ukraine in 2015, cyber-attackers launched a well-organized coordinated battle against three of the nation’s utilities. The attackers cut off power to some 225,000 people for more than three hours. Similar attacks like this are to be expected, warned Michael Assante, director of critical infrastructure at the SANS Institute at RSA.
Many so-called random number generators fail to work as advertised, yet high-quality randomness is vital for data encryption. Furthermore, it can be difficult to encrypt data from IoT devices, many of which have limited functionality. “How do you pick good random numbers from a device that has pretty much no input?” asked Johannes Ullrich, dean of research for the SANS Technology Institute at RSA. In 2015, a research team beat one of the most common IoT encryption platforms, the Algebraic Eraser.
Many IoT devices have limited storage capacity and are not an ideal platform for cybercriminals to launch persistent cyberattacks. To get around these limitations, bad guys often attack the management infrastructure associated with the IoT device or some other device that controls the that device, such as a tablet or a phone, explained Ed Skoudis of SANS at RSA.
Connected cars, medical devices, and industrial control systems could easily be used for a decade or more. In cases like this, having a secure architecture becomes a priority. “You have to think about your practices,” said Michael Assante of SANS. “How do you interact with your technology. How do you do your PLC programming? How do you move an update into a test environment? Our housekeeping needs to focus on the attack vectors into our system.”
Connected cars, medical devices, and industrial control systems could easily be used for a decade or more. In cases like this, having a secure architecture becomes a priority. “You have to think about your practices,” said Michael Assante of SANS. “How do you interact with your technology. How do you do your PLC programming? How do you move an update into a test environment? Our housekeeping needs to focus on the attack vectors into our system.”
For the past decade, one of the most popular conference sessions at the RSA security conference has been a presentation titled “The Seven Most Dangerous New Attack Techniques, and What's Coming Next.” This year, the specter of IoT cybersecurity was front and center in this session. Here, we recount seven central IoT-related risks loosely inspired by that presentation.
About the Author(s)
You May Also Like