The Internet of Things (IoT) is expanding rapidly. The number of connected devices in homes, businesses, and vehicles across the world is expected to increase from around 8 billion today to over 24 billion within the next decade, with much of this growth enabled by the introduction of 5G.
This expansion represents greater opportunities for cybercriminals, however, many of whom will expand their operations by exploiting vulnerabilities in often poorly protected IoT devices to achieve their goals.
Open to exploitation
The rollout of 5G networks around the world is set to lead to an explosion in connected IoT devices. According to Steve Szabo at Verizon Business, “several characteristics of 5G lend themselves to transforming industries and connectivity” – among them its ultra-high throughput of up to 10Gbps, its high sensor density for data gathering, and its capacity for ultra-low latency.
But, as device manufacturers rush to capitalize on this new potential, many will overlook fundamental security settings, leaving devices – and the homes and businesses in which they’re located – open to exploitation and attack by opportunistic criminals.
Botnets, for example, are a relatively easy way for hackers to weaponize the IoT. Comprising an army of connected devices infected with malware and instructed to attack a specified target, botnets can cause considerable damage. In the infamous Mirai botnet attack of 2016, for example, attackers used an army of 600,000 connected cameras, home routers, and storage devices to launch a huge DDoS on DNS provider Dyn, bringing services including Twitter, Netflix, and Reddit to a halt. This was undoubtedly frustrating for the site’s users, but the consequences of a similar attack on critical national infrastructure such as a hospital or transportation system are unthinkable.
A very real threat, it shows no signs of going away.
Security researchers recently disclosed a series of security flaws, dubbed Amnesia:33, in the firmware of products from over 150 connected device manufacturers. Exploiting one of these vulnerabilities would allow attackers to take full control of a device and use it for a range of purposes – to gain entry into an organization’s network, to impair its functionality, or to add it to a botnet to carry out a larger attack on a different target.
While a number of the vulnerabilities were due to memory corruption issues – hence the name – the researchers found many of them to be little more than the result of basic programming oversights, such as a lack of input validation checks that would have prevented a system from accepting problematic operations.
Given the rate at which IoT devices are coming on to the market, lapses in due diligence like this are especially concerning.
Lack of consideration
Ensuring the security of the IoT depends on ensuring the security of the devices and software that comprise it. Security by design is crucial. A lack of proper consideration can result in devices being shipped with out-of-date software and operating systems that can’t be patched, hard-coded and easy-to-crack default device passwords that can’t be updated, and firmware and software vulnerabilities that can be easily exploited.
5G’s increasing role in enabling the IoT creates further risks – especially for organizations using public 5G networks. Probably the most significant of these risks comes from the fact that, unlike its predecessors, the 5G network is managed by software. This dramatically increases the attack surface – if criminals are able to gain control of that software, they can control the network itself and the devices connected to it.
Furthermore, US research group The Brookings Institution suggests that the dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack, with low-cost, short range, small-cell antennas deployed throughout urban areas becoming new hard targets for hackers.
From consumer devices such as smart TVs and connected refrigerators, to industrial applications like manufacturing robots and environmental sensors, the IoT represents considerable efficiency, productivity, and cost-savings benefits. But inherent vulnerabilities in many of these devices make it a potential playground for cybercriminals – one whose size has been vastly expanded through the recent addition of 5G networks. And with an estimated 13 connected devices per person by 2030, the level of risk this represents is vast.
Every part of the IoT ecosystem has a role to play in managing this. Device manufacturers must ensure security is baked in from the start, network providers must ensure their 5G is well protected, and businesses and consumers need to make sure their internet has adequate safeguards in place.
Sophisticated cybercrime groups will be looking to scale their operations as the IoT grows. By putting security front of mind, we can help foil their plans. This topic and several other trends that we anticipate impacting 2021 are discussed in the “Where Do We Go From Here? 2021 Security Predictions”. We invite you to listen the fire side chat here.