
IoT security threat is real, says researcher

The security threat posed by IoT devices is not hype, says security researcher James Lyne

The internet of things (IoT) poses a very real threat to cyber security, according to James Lyne, global head of research at security firm Sophos.

“When you dig into them, IoT devices have fundamental and scary weaknesses. The risk is not hype. It is real,” he told attendees of IPExpo at Excel in London.

Lyne said investigations of a selection of IoT devices had revealed all kinds of security failures, such as unpatched versions of OpenSSL.

In some instances, he said, passwords were hardcoded and protected using an outdated encryption method, which meant root passwords could be recovered by attackers in less than a second.
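The talk does not name the outdated method. As an added illustration (not code from the article or from Sophos), the audit script below walks a constructed /etc/shadow-style file of the kind pulled from device firmware and flags accounts whose password field uses a legacy scheme. The sample lines, and the assumption that the legacy schemes of interest are traditional DES crypt(3) and md5crypt, are mine; a hardcoded credential shows up in this kind of audit as the same line on every unit.

```python
import re

# Constructed sample in /etc/shadow format (not taken from any real device).
# The hash payloads are placeholders; classification only looks at the prefix/shape.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:17000:0:99999:7:::
admin:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:17000:0:99999:7:::
svc:$6$saltsalt$constructedplaceholderhashvalue:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
"""

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet, no "$" prefix.
# It truncates the password to 8 characters and a 56-bit key, so it falls in seconds.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt identifiers mapped to (scheme name, considered weak?).
SCHEMES = {
    "$1$": ("md5crypt", True),      # unsalted-strength era, fast to brute-force
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


def classify_hash(field: str):
    """Return (scheme, weak) for one shadow password field."""
    # Empty, "*", "!" and "!<hash>" all mean the account cannot log in with a password.
    if field in ("", "*") or field.startswith("!"):
        return ("locked", False)
    for prefix, result in SCHEMES.items():
        if field.startswith(prefix):
            return result
    if DES_CRYPT.match(field):
        return ("descrypt", True)
    # Anything unrecognised is flagged so a human looks at it.
    return ("unknown", True)


def audit_shadow(text: str):
    """Parse shadow-format text into a list of (user, scheme, weak) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        user, field = parts[0], parts[1] if len(parts) > 1 else ""
        scheme, weak = classify_hash(field)
        findings.append((user, scheme, weak))
    return findings


def weak_accounts(text: str):
    """Usernames whose stored credential should be rotated and re-hashed."""
    return [user for user, _, weak in audit_shadow(text) if weak]


if __name__ == "__main__":
    for user, scheme, weak in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:12} {'WEAK' if weak else 'ok'}")
```

On the sample, `root` (DES crypt) and `admin` (md5crypt) are reported as weak, `svc` (sha512crypt) is fine and `nobody` is locked. The same check is worth running on every firmware image before release and on the vendor's update pipeline, since a hash that survives in the image is effectively public.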

In other cases, IoT services were coded to accept any certificate from a certain certificate authority, meaning attackers simply needed to get their own certificate from that authority to gain access.
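The flaw described here is a client that validates the chain up to a certificate authority but never checks that the certificate is for the host it meant to reach. The added example below (mine, not code from the article or from Sophos) shows that insecure client configuration beside a hardened one using Python's standard `ssl` module, plus a leaf-certificate pin check; the host, port and fingerprint used in `connect_pinned` are assumed placeholders.

```python
import hashlib
import hmac
import socket
import ssl


def _load_trust(ctx: ssl.SSLContext, cafile):
    """Trust either a specific CA bundle or the platform's default store."""
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()


def insecure_context(cafile=None) -> ssl.SSLContext:
    """The failure mode from the talk: the CA signature is checked, but the
    hostname/identity check is switched off, so any certificate that CA has
    ever issued, to anyone, is accepted for this connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # identity check disabled: the bug
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain validation only
    _load_trust(ctx, cafile)
    return ctx


def hardened_context(cafile=None) -> ssl.SSLContext:
    """Chain validation plus identity check, modern protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True             # certificate must name the server we asked for
    _load_trust(ctx, cafile)
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Config check a firmware test suite can run against any client context."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der), expected_hex.lower())


def connect_pinned(host: str, port: int, expected_hex: str, cafile=None, timeout=5.0) -> str:
    """Open a verified TLS connection and additionally require the pinned leaf.
    host/port/expected_hex are placeholders supplied by the caller."""
    ctx = hardened_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_hex):
                raise ssl.SSLCertVerificationError(f"certificate pin mismatch for {host}")
            return cert_fingerprint(der)
```

Pinning the leaf certificate closes the gap entirely for a device that only ever talks to its vendor, but the pin must be updatable through the firmware update path or certificate rotation will brick the fleet; pinning the vendor's private issuing CA instead is the usual compromise. Either way, `is_hardened` is the check to put in the build's test suite so the `check_hostname = False` pattern cannot ship.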

Recently reported record distributed denial of service (DDoS) attacks exploiting the bandwidth of internet-connected cameras are evidence that attackers are aware of the potential of IoT devices.

“The only reason we have not seen a massive attack before now is that attackers are only just beginning to wake up to the opportunities,” said Lyne.

Another core issue of 2016, he said, is that most individuals and organisations still do not understand why their data is valuable to cyber criminals.

“The real risk is not uber, super, undetectable malware, but opportunistic attackers who are able to make a few dollars simply by stealing a username and password,” said Lyne.

Cyber criminals are “awesome” at making money from stolen data, he said, and 2016 has seen a “massive shift” to using social engineering to access the data they want.

According to Lyne, many of the scams are “simple” but use social engineering extremely effectively to trick and pressure people into parting with credentials or clicking on something malicious.

Part of this trend is the huge uptick in the instances of CEO fraud, where emails that appear to come from the CEO are used to trick financial officers into making money transfers into criminal accounts.

“In this day and age, there should be better safeguards against this in place. Better indicator of compromise,” said Lyne.

Another strong trend in 2016, he said, has been the rise of ransomware that encrypts critical data and demands payment in return for the decryption key.

While some ransomware campaigns have been found to contain flaws that enabled cyber defenders to decrypt the data, the attackers have rapidly perfected their encryption methods.

“We are now seeing instances of perfect encryption implementations that companies will have no way of countering unless they are well prepared,” said Lyne.

Some recent ransomware samples have demonstrated a “mammoth development effort, which is monumentally impressive,” he said.

According to Lyne, recent ransomware attacks underline the need for organisations to be well prepared in advance to detect, block and recover from this type of attack.
