Dark web criminals see IoT as the next big hack prize

John Hultquist, vice president of information analytics at Google’s cybersecurity firm Mandiant, likened his job to studying the psychology of criminals with a soda straw. He monitors cyberthreat groups on the dark web in real time and monitors the equivalent of a free market for criminal innovation.

The group is buying and selling services, and one hot idea (a criminal business model) is as soon as people realize it helps them do damage or make people pay. It can spread. Last year it was ransomware. A hacking gang has figured out how to shut down a server with a so-called denial of service attack. But experts say 2022 could be an inflection point due to the rapid adoption of Internet of Things (IoT) devices.

Attacks have evolved from shutting down computers and stealing data to include more direct threats that can wreak havoc on daily life. IoT devices can be a gateway for attacks against some of the country’s critical infrastructure, such as power grids and pipelines. It can also be a particular target for criminals, as is the case with automobiles and medical devices containing software.

“What I want is to ensure that cybersecurity vulnerabilities do not adversely affect human lives and infrastructure,” said Marsh & McLennan, US and Canadian cyber mediation leader, insuring large enterprises from cyberattacks. said Meredith Schnur, “Everything else is just business.”

Over the past decade, manufacturers, software companies, and consumers have rushed to tap into the potential of Internet of Things devices. There are now an estimated 17 billion units in the world, from printers to garage door he openers, each packed with easily hackable software (some of which is open source software). In a Dec. 26 conversation with the Financial Times, Mario Greco, group CEO of insurance giant Zurich Insurance Group, said that if hackers aim to disrupt lives rather than just spying, then cyberattacks are He said it could pose a bigger threat to insurers than a pandemic or climate change. Or steal data.

According to Microsoft’s Digital Defense Report 2022, IoT devices are a key entry point for many attacks. According to reports.

A series of attacks that have reached the physical world through the cyber world over the past year indicate a growing danger. Last February, Toyota shut down operations at one of its factories after a cyberattack. In April, the Ukrainian power grid was targeted. In May, the Port of London was hit by a cyberattack. 2021 included a massive attack on critical U.S. infrastructure, shutting down Colonial Pipeline and his JBS meat processing conglomerate’s energy and food supply operations.

Many experts foresee the day when enterprising criminals and state-sponsored hackers will figure out schemes that will allow IoT devices to be used at scale and easily replicated. Criminal groups, presumably linked to foreign governments, can figure out how to control many things at once, such as cars and medical equipment. Attacks have already been observed, where actors leveraging unpatched vulnerabilities in IoT devices used their control of those devices to perform denial-of-service attacks against many targets. “These vulnerabilities are discovered regularly in ubiquitous products that are rarely updated.”

So the possibility already exists. The only question is when criminals and states will decide to act in such a way as to target the physical world on a large scale. “It’s not always the art of possibility. It’s market-driven,” Hultquist said. “Someone will come up with a plan to make money successfully.”

Aside from reacting quickly to attacks, the only answer to the cat-and-mouse game is constant innovation, says Palo Alto Networks early investor and now one of the top cybersecurity investors in the world. One Shlomo Kramer said.

With fewer companies, new regulatory approaches, and a growing focus on automotive as a particularly important area, there is a new movement in the world of software engineering to do a better job of building cybersecurity in from the ground up.

The cybersecurity industry is gaining momentum. Companies like ForeScout and Phosphorus are focused on Internet of Things security and are focused on keeping an inventory of the “endpoints” where new devices connect to the network.

However, one of the key issues in Internet of Things security is the lack of proper processes for patching and updating devices when new vulnerabilities, hacks, or attacks are discovered. said Greg Clark, former CEO of Symantec and now Chairman of Forescout. Many users are accustomed to downloading updates and patches to their computers and phones. Even then, a significant number of users will not bother to update.

With IoT, the problem is even more acute. “There aren’t many IoT devices he has with a system to update the code,” he says Clark. “Fixing IoT vulnerabilities will be a serious problem.”

He said the focus of cybersecurity companies is to put controls around devices so that they can only do a certain set of things. That way the device cannot be weaponized to launch attacks on other networks. “A lot of hammers are swinging,” says Clark about products that make IoT safer.)

Medical devices, which are considered particularly important and vulnerable, are a focus. Last month, Palo Alto Networks announced a new product for medical device manufacturers.

The challenges are new and cross-industry, so US guidelines and regulations remain a patchwork. As such, much of IoT cybersecurity is left to consumers and businesses in various sectors rather than the many manufacturers of IoT devices.

Randy Trzeciak, director of the Scientific Information and Security Policy and Management Program at Carnegie Mellon University, said: “There needs to be a national debate about ensuring device security and where manufacturers should take ownership and responsibility.”

CISA and the National Institute of Standards and Technology are working together to help thousands of manufacturers of IoT devices, Clark said, including ensuring that IoT devices are identified to the network when they are added to the network. Issuing guidelines. In 2020, the U.S. Congress turned the guidelines into law, but only for companies that supply his IoT devices to the U.S. government. A spokesman for the US National Institute of Standards and Technology said this is the only national law the agency is aware of. Some state-specific and industry-specific laws also exist. For example, medical device data is subject to his HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over automobiles.

Some investors and executives cautiously welcome increased regulatory involvement. “It’s simply too complicated,” Kramer said. “Lack of competent and experienced security guards”

Cars are targeted as criminal hackers turn their attacks on the physical realm. This includes theft, where attackers exploit keyless entry systems, but also attacks on sensitive information currently stored in cars, such as maps and credit card data.

Starting with the EU, which came into force last July, countries around the world are rapidly implementing automotive cybersecurity regulations.

The move to electric vehicles has created an opportunity for regulators to get ahead of criminals. More car companies entered the market as new technologies lowered the barriers to entry. As a result, regulators have had the opportunity to work with industry groups that want to protect their industries.

Car concerns are nothing new. In a groundbreaking experiment in 2015, two hackers attacked his Cherokee Jeep. “They stopped the engine on the highway. The brakes didn’t respond. This is not a favorable situation,” said Karamba Security, whose six-year history helps car companies go IoT. David Barzilai, CEO of the Israeli company, said. Make your device more secure.

Barzilai said there have been dozens of attacks by both serious criminal gangs and teenagers in the past 12 months. “When we started six years before him, the attacks were mostly state by China,” he says. He points to the case of his teenager who found a way to access the control systems of dozens of Tesla cars at once in January 2022, noting that the car attack “democratized within the last 12 months. progressed,” he said. end.

Connected cars usually have SIM cards, which hackers can attack via the cellular network, he said. “All cars of the same vehicle model use the same software,” he said. “Once hackers identify vulnerabilities and how to remotely exploit them, they can replicate attacks on other vehicles.”

Cybersecurity has grown as an industry as an attempt to retrofit software and hardware long after they have been on the market as they discover vulnerabilities in systems that can be exploited by criminals and foreign governments. One of his studies by IBM’s System Science’s Institute found that he found it cost six times more to fix cybersecurity vulnerabilities during software implementation than during development. According to Trzeciak, the IoT is still relatively new as an industry, giving security-minded developers a chance to get over the cat-and-mouse game, and Carnegie has worked on it, including his engineering software at Mellon University. There is a growing movement of researchers and developers who The Institute’s DevSecOps initiative aimed at adding security to the early stages of software development. This process-based innovation could make software of all kinds, including automobiles and medical devices, safer and, in turn, safer devices.