Interview: F-Secure’s Mikko Hyppönen on the Nordics, Russia and the internet of insecure things
Computer Weekly sat down with Finnish cyber security expert Mikko Hyppönen to talk about security in the Nordics, Russia and the trouble with connected devices
After the recent US Central Intelligence Agency (CIA) hack, the Yahoo data breach and the UK’s introduction of the Investigatory Powers Act, the Nordic region might seem like a safe haven. For Finnish cyber security company F-Secure, its northern location is a definite selling point, but Mikko Hyppönen, the company’s chief research officer, is quick to point out that cyber threats do not care about geographical borders.
“When we look at the risk level of Nordic companies, it is the same risk as everywhere else,” says Hyppönen. “Most of the things we see are not targeted, they are not looking for victims in the Nordics, they are just looking for victims. For example, ransom Trojans hit your network, they encrypt your laptop, they encrypt the corporate network and then ask for bitcoin. They don’t care where in the world you are.”
Or whether you share a 1,340km border with Russia. Finland’s complex relationship with its neighbour – it is currently celebrating its centenary of independence from Russia – also makes it uniquely positioned to gain insights into the country, says Hyppönen.
“We monitor Russian cyber crime operations and Russian espionage operations very closely, so I think we are actually very well equipped to defend ourselves against Russian attacks,” he adds.
In 2015, F-Secure published a report on Russia-based hacker group The Dukes, which covers the group’s operations from targets to malware. According to Hyppönen, the report received plenty of downloads from IP addresses belonging to the Russian government, but The Dukes continued their operations as if nothing had happened.
“They didn’t care,” he says. “They didn’t change their IP address, their malware, their encryption keys. What does this tell us? It tells us that whoever the attackers are, they are not worried about getting caught. Why? Because they are the government. And if not the government, they are protected by the government.”
Internet of insecure things
The current global internet of things (IoT) boom is not making life any easier. The race to equip everything from dishwashers to heat pumps with internet access is estimated to be on course to create 20 billion connected devices by 2020, but the price to pay for all this connectivity is a growing number of security headaches. Hyppönen calls this the internet of insecure things.
“There are two risks,” he says. “The first is that the administrative interfaces of these smart devices are way too often exposed to the public internet. This typically happens because [the devices] are misconfigured or the configuration is too hard to do right because the supplier is not really doing its job right.”
The second part of the problem is that IoT devices often end up being the weakest link in a network, says Hyppönen. Even if you have secured your network and computers, your “smart” coffee machine can make the entire setup vulnerable and risk leaking private information.
“It could be the same in the corporate setting, where employees bring IoT devices into the office and the IT staff don’t even know they are there,” says Hyppönen. “Employees connect to the corporate Wi-Fi and end up exposing your whole network to the outside world because of an IoT device.”
On a path to regulation?
You don’t have to look far for examples of failing IoT appliances. Baby monitors, teddy bears and even network-connected dishwashers have all posed security threats, but the most notorious case is the distributed denial of service (DDoS) attack on DNS services supplier Dyn last October. The attackers used a Mirai botnet harnessing tens of thousands of hijacked IoT devices to temporarily shut down popular web services, including AirBnB, Amazon Web Services, Netflix and Zendesk.
Despite the wide coverage of the attack, Hyppönen remains sceptical about its wider impact on the industry. As long as cyber security is not a selling point for consumers, it is unlikely that manufacturers will invest huge amounts to change the situation, he says.
“This is unlikely to fix itself – the suppliers are not going to change this,” says Hyppönen. “The only way out I can see is some sort of certification or regulation. And those are both hard things to do.”
“If there is going to be regulation, what would be a good idea is to simply make IoT suppliers liable for the problems they cause”
Mikko Hyppönen, F-Secure
Hyppönen stresses that he is not a fan of regulation and does not want the EU to dictate how IoT suppliers secure their devices – but something needs to change.
“If there is going to be regulation, what would be a good idea is to simply make IoT suppliers liable for the problems they cause,” he says. “They are the best party to figure out how to secure their own gear and this would simply force them to make the investment.”
But the scenario that Hyppönen really champions is industry self-certification.
“This is happening,” he says. “There is an IoT certification group working on a self-certification scheme and I know the Linux Foundation is working on its self-certification scheme. With any luck, we could get one of these initiatives rolling and then we don’t need regulation.”
Currently, the main users of IoT appliances are consumers, but industry applications are rapidly gaining traction. And Hyppönen’s view of IoT security in a corporate context is not much brighter. He says F-Secure regularly finds factories, including those in critical infrastructure, that have their administrative interfaces publicly available on the internet. When these factories are contacted, the typical response is disbelief.
“The discussion always ends with something like ‘the interfaces weren’t on the internet, they were only internally available, so we didn’t put a password’, says Hyppönen. “And then somebody connected two networks, or added a bridge or router somewhere or a remote modem for remote access, and because it’s a routable protocol, it’s now on the internet.”
And the Nordics aren’t exactly a role model here. For example, says Hyppönen, more exposed factory systems have been found in Finland than in many other European countries. He thinks part of the explanation is the high levels of connectivity and IoT devices in the Nordic countries.
Take it to the board
The advice Hyppönen gives companies boils down to two steps. The first is treating cyber security as a business-critical issue and taking it all the way to board level.
“This isn’t something that belongs to the IT department or to the nerds of the company – it is a critical issue,” he says. “And if you are a business leader and don’t believe this, the only examples you need to look at are the cases where executives get fired after their company gets hacked. The merger price of Yahoo dropped by $350m just because of a hack.”
The second step is regular auditing to assess the state of company networks and identify any vulnerabilities and threats.
“For most companies, this isn’t something they can do or want to do it internally,” says Hyppönen. “They want to outsource it just like you outsource your physical security. That’s my advice. Take it seriously, take it to board level and if you don’t have the skills to do it yourself, outsource it.”
