Everything is a target, Threats to IoT Shoot Up
In recent past, IoT (Internet-of-Things) devices were hijacked to shut down a huge section of the Internet. Stolen documents were used in an attempt to influence the US presidential election. Ransomware began to reach epidemic proportions, including high value targeted ransom cases. These and similar attacks have had sweeping impacts beyond their victims.
Watching cyber threats evolve over the past year, a few trends have become apparent to Fortinet:
The digital footprint of both businesses and individuals has expanded dramatically, increasing the potential attack surface.
Everything is a target and anything can be a weapon.
Threats are becoming intelligent, can operate autonomously and are increasingly difficult to detect.
We are seeing two threat trends: automated attacks against groups of smaller targets and customized attacks against larger targets. These two trends are increasingly being blended together, with automated attacks being used as a first phase, and targeted attacks as a second.
Based on these trends, FortiGuard Labs is making six predictions about the evolution of the cyberthreat landscape for 2017.
IoT manufacturers will be held accountable for security breaches
We are in the middle of a perfect storm around IoT. A projected growth to over 20 billion connected devices by 2020, a huge M2M (machine-to-machine) attack surface, built using highly vulnerable code and distributed by vendors with literally no security strategy. And of course, most of these devices are headless, which means we can’t add a security client or even effectively update their software or firmware.
Right now, attackers are having a lot of success simply exploiting known credentials, such as default usernames and passwords or hardcoded backdoors. Beyond these, there is still much low-hanging fruit to exploit in IoT devices, including coding errors, back doors and other vulnerabilities resulting from the junk code often being used to enable IoT connectivity and communications. Given their potential for both mayhem and profit, we predict that attacks targeting IoT devices will become more sophisticated, and be designed to exploit the weaknesses in the IoT communications and data gathering chain.
One likely development is the rise of shadow nets – or IoT botnets that can’t be seen or measured using conventional tools. Shadow net attacks will initially take the form of targeted DDoS attacks combined with demands for ransom. Collecting data, targeting attacks, and obfuscating other attacks are likely to follow.
The security issues around IoT devices are becoming too big for governments to ignore. We predict that unless IoT manufacturers take urgent action, they will not only suffer economic loss, but will be targeted with legislation designed to hold them accountable for security breaches related to their products.