IoT vendors must shoulder security burden as hackers outpace users: ESET

Home and business users are likely to keep missing attacks on their increasing numbers of connected devices as hackers focus on new ways of exploiting the new 'Internet of Things' (IoT), an ESET security researcher has warned.

Such hacks often go unnoticed for months on end because users simply aren't monitoring the traffic between compromised equipment – routers, IP cameras, printers, scanners, and a new breed of casually-connected, non-computer devices – and the outside world, ESET research fellow Peter Košinár told CSO Australia.

“Many such devices are misconfigured, unpatched, and a good source of data when it comes to stealing information,” he said. “This makes them very interesting starting points when it comes to probing your network.”

Hackers have become increasingly interested in testing the limits of IoT penetration, with persistent router botnets already becoming a reality two years ago and the recently discovered 'Spike' toolkit automating the process of infecting connected computers, routers, and other devices to form massive botnets.

Exposure to IoT threats wasn't only due to human oversight, however: penetration of such equipment to date has generally been undertaken surreptitiously and often falls outside the purview of security tools predominantly deployed to monitor internal threats.

“From observations, it seems there are very long gaps – months to years – between when the attack was started and the observer noticed it,” said Košinár, who has researched the IoT threat extensively, including the 'secret life of routers', and is in Australia presenting at this week's AVAR conference.

“Often, these attacks are not disruptive in terms you would notice,” added Košinár, who half-jokingly referred to IoT as the 'Internet of Attackable Surfaces'.

“[Monitoring] devices are usually sitting in front of their networks, monitoring the attacks on these devices – but the people monitoring the inside network are not seeing the traffic directed to the end point.”

That lack of visibility had opened the door to an increasingly complex range of potential attacks – and the potential compromises are set to explode, according to figures out this week from Gartner.

According to the research firm's latest IoT forecasts, some 4.9 billion connected 'things' will be in use by next year – up 30 percent on this year – and the number is on track to reach 25 billion by 2020.

This growth will support an explosion in new services, Gartner has said, with IoT-related services spending jumping from $69.5 billion next year to $263 billion by 2020. Yet Gartner vice president and fellow Steve Prentice agreed that the new paradigm introduced new threats: “Organisations must straddle the tension of all the information available from smart things by balancing their desire to collect and analyze it with the risk of its loss or misuse,” he said in a statement.

“Executives now face a decision regarding the future of security in their enterprise and who governs, manages and operates it,” Gartner's analysis noted, adding that by 2017 more than 20 percent of organisations expected to have digital security services devoted to protecting IoT-connected devices.

Relying on vendors for fixes is continuing to prove problematic, Košinár warned, since many manufacturers don't ship products in a secure state and take some time to patch them even after vulnerabilities are discovered.

“It would be useful if, when it comes to home users, vendors were providing connectivity to provide devices in a better configured state,” he said. “It is very much a question of accepting responsibility – and the situation is only going to get worse with the number of devices that are being plugged in.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
