Is your smart device really “smart” if it isn’t “safe”?

By Keith Martin

In an increasingly common scheme reminiscent of an American heist movie, cyber attackers extracted about 10 GB of high-profile data from an undisclosed North American casino. Casinos are among the most extensively secured compounds, with a multi-tier security framework ensuring their digital and physical security. For George Clooney and Brad Pitt in Ocean’s Eleven, it was an opportunity. For cyber criminals, the attack was a success.

So how did the real-life thieves do it? To everyone’s surprise, the attackers targeted an internet-connected thermostat installed in a fish tank within the casino’s lobby. Then they used the compromised thermostat to move across the network, gaining access to the high-roller database. The data was ultimately transmitted to a device in Finland.

This raises another question: if such high-security compounds cannot secure their internet-connected devices, what are the chances that ordinary “smart” devices designed for homes will be secured effectively?

Smart, but not safe?

Smart devices have become day-to-day household items. They can be found in air conditioning systems, refrigerators, televisions, electronic gadgets, network cameras, sensors, toys, and other accessories. One estimate is that the number of smart devices has grown to over 20.35 billion vis-à-vis 3,578 billion global internet users, or more than five internet of things (IoT) devices per user globally. IoT device penetration is expected to experience a further two-fold-plus increase, exceeding 51 billion remotely-operated devices in a span of five years. Can this exponential increase in IoT devices be seen as a threat to the security of their users? Domain experts will indicate that this is so.

IoT equipment currently houses more than 70,000 known common vulnerabilities and exposures that can be used by a cyber attacker. And this threat persists even as IT experts believe that substantial vulnerabilities are still waiting to be discovered in IoT systems. Undiscovered vulnerabilities apart, IoT devices can still be compromised if device manufacturers ignore any of these known ones.

Putting ongoing developments within the cybersecurity industry into perspective shows that globally-leading cybersecurity solutions providers are already preparing their systems against and Artificial Intelligence-driven attacks. Their volume, velocity, and precision could well leave the contemporary cybersecurity framework flustered. Introducing an enormous threat surface of IoT devices to present dynamics only makes such attacks more potentially damaging. We also need to understand how difficult it is gradually becoming to trace a cyber attack.

Our ignorance is their bliss

Some 3.2 million debit cards were suspended following a first-of-its-kind banking breach right before the demonetisation drive. The breach was conducted via malicious code present within Hitachi Payment Services’ payment systems. The ingenious code concealed its traces right after conducting a successive exploit so that the breach could not be detected when the code was inactive. It was only discovered after card network companies such as Visa and MasterCard detected unsymmetrical transactions. Only the attackers who drove the assault know its duration and true extent, even now. The incident was also grave from the point of view of the global accountability of such payment system vendors, especially considering the nature of their operations (financial transactions).

We’ve narrowly escaped a global WannaCry ransomware attack, which had infected more than 300,000 systems in a span of four days. This was when it was limited to a single-point vulnerability in a single operating system (Windows) that Microsoft had previously discovered and patched a month before the WannaCry attack surfaced. Imagine what would happen if 51 billion IoT devices fell prey to a similar attack in the future, where not even IT experts know about a vulnerability beforehand. Such an incident could potentially bring the entire global IT infrastructure to its knees, damaging the safety and security of day-to-day users of such devices. Cyber attackers will continue to enjoy their undue advantage as long as we keep ignoring this imminent threat. Our ignorance is, undeniably, their bliss.


Keith Martin is Head of Asia Pacific and Corporate Business at F-Secure.