The Internet is not something new. And today, it can be used as the main link between two devices through the Internet of Things, including how it can be successfully applied in education.
Beware the latest security threat: Shadow IoT.
So says Silicon Valley security firm 802 Secure in a new report about what it describes as a threat to “infiltrate” corporate networks through Internet of Things-enabled devices and their wireless connections.
“While most organizations prepare for IOT enablement, our threat intelligence shows that most companies are still vulnerable to 10 year old wireless vulnerabilities,” said Mike Raggo, Chief Security and Threat Research Officer at 802 Secure.
Hackers have infected at least 500,000 routers and storage devices in dozens of countries in a campaign that Ukraine said was preparation for a future Russian cyber attack.
The US Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, advising users to install security updates.
Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack ahead of the Champions League soccer final, due to be held in Kiev on Saturday.
“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilising the situation during the Champions League final,” it said in a statement.
Sensing is a major component of the IoT and an essential part of most Industrial IoT (IIoT) applications. By adding wireless connectivity and a microcontroller or other processor to a sensor node, one can create a smart sensor. These sensors can be widely distributed without need for a sensor hub. However, they then become extremely vulnerable targets for attackers. Without security, they can become a weak link in the system. Fortunately, the Trusted Computing Group (TCG) techniques that have been developed for other computing, network, wireless, and IoT applications are applicable to these sensor nodes as well. This topic will be explored at a TCG workshop at Sensors Expo in June.
Here’s the brutal truth: It doesn’t matter how much your organization spends on the latest cybersecurity hardware, software, training, and staff or whether it has segregated its most essential systems from the rest. If your mission-critical systems are digital and connected in some form or fashion to the internet (even if you think they aren’t, it’s highly likely they are), they can never be made fully safe. Period.
This matters because digital, connected systems now permeate virtually every sector of the U.S. economy, and the sophistication and activity of adversaries — most notably nation-states, criminal syndicates, and terrorist groups — have increased enormously in recent years. Witness the attacks in the United States on Atlanta’s municipal government and on a data network shared by four operators of natural-gas pipelines, the theft of data from Equifax, and the global WannaCry and NotPetya malware attacks. In many of the most notorious incidents of recent years, the breached companies thought they had strong cyber defenses.
The Internet of Things (IoT) is increasingly becoming an integral feature of our daily business environment. More organisations are using devices in a distributed network to support the day-to-day running of the business in order to improve productivity, enhance customer service and reduce maintenance overheads.
With the number of IoT devices expected to reach 125 billion by 2030, it is clear that many industries have already begun using them for critical business processes. It is therefore important that businesses understand as early as possible, the radically differing requirements of IoT devices, their criticality to the business and the implications for businesses that don’t get it right.
Tenable, the Cyber Exposure company, recently discovered a critical remote code execution vulnerability in two Schneider Electric applications heavily used in manufacturing, oil and gas, water, automation, wind and solar power facilities in the U.S. If exploited, the vulnerability could give cybercriminals complete control of the underlying system. Attackers would also be able to use the compromised system to move laterally through the network, exposing additional systems to attack, including human-machine interface (HMI) clients. In a worst case scenario, attackers could use the vulnerability to disrupt or even cripple plant operations.
When EM Forster exhorted his readers to “Only connect!” at the end of his novel Howards End, he couldn’t have imagined how connected we would all become barely a century later. Not only does ubiquitous internet mean that we are plugged into media services constantly, but it is becoming increasingly difficult to buy technology that is not ‘smart’ in some way. For most of these devices, that smartness derives from connectivity to the Internet and to other devices and systems.
The average UK house already contains around 15 connected devices, some obvious such as phones, laptops, tablets, televisions and smart meters, and some much less so, such as kettles, coffee makers, thermostats and switches. This number will only grow in the coming years.
In 2016, hackers were able to use 100,000 internet-connected devices to bring down Twitter, Spotify and PayPal. They recruited and infected simple household appliances, such as digital video recorders and fridges, to attack a large network infrastructure provider and create chaos. Consumers were not aware that their own appliances were being used in this way.
The internet of things already consists of nearly triple the number of devices as there are people in the world, and as more and more of these devices creep into enterprise networks it’s important to understand their requirements and how they differ from other IT gear.
The major difference is that so far they are designed with little or no thought to security. That stems from having comparatively little memory and compute power to support security but also because often they are designed with time-to-market, price and features as top considerations to the exclusion of security.