IoT is an incredible technology that will enable further economic and technological progress. Unfortunately, as is the case for all fast-growing new tech, it can be hard to properly manage the security aspect of IoT. Here are four threats to IoT security to look out for.
IoT devices are insecure by nature. Being connected is both their major strength and their major weakness, as it allows them to be accessed remotely. Also, IoT devices often lack the processing power for basic defences like encryption. Their high value for money means users can deploy large numbers of them. In a company setting, IT could be completely unaware of these devices, and often the employer does not even own them. All of these characteristics make IoT devices the perfect target for ransomware attacks, botnets, APTs, DDoS attacks and many others. As automation becomes more and more commonplace in supply chain and manufacturing operations, so will attacks that target these sectors, where IoT is used widely and updating equipment is often not a priority for businesses.
AI has long been used for social engineering attacks and for enhancing DDoS attacks, though its malicious use has only been common knowledge for a couple of years. As AI development progresses, it is going to be easier to mimic human users on a network and foil detection systems looking for unnatural behaviour. The democratisation of AI building tools has only made this threat more real. In addition, AI is far better than humans at repetitive tasks and at processing large datasets, making it an ideal component of IoT threats. These will not necessarily be new-fangled exotic threats, just the usual network breaches and other attacks deployed much faster, at larger scale, and with more flexibility and automation.
The same technology behind deepfake videos could be used by attackers for brute force attacks or biometrics spoofs. For example, GANs have been shown to successfully brute-force fake but functional fingerprints. We have already witnessed the first malicious uses of these technologies, starting with faked voices used to impersonate CEOs and order employees to make money transfers and the like. By now audio and image deepfakes have been perfected, and video is only just lagging behind. It is only a matter of time until attackers are able to use them for video-call social engineering attacks, network breaches, and extortion and blackmail.
Specialized Cyber Crime
Attackers are constantly refining their attacks, often mirroring trends in business. This will surely continue with regard to IoT threats. We are probably going to see larger scale operations involving multiple hired actors cooperating for greater pay. In the same way that businesses have been specialising and outsourcing skills, so are cyber criminals. These organisational trends will further blur the line between state-sponsored attacks and others, which is self-evident if we think about who is actually performing these attacks. With increased specialization and outsourcing, states will often be offered the fruits of cyberattacks for money, with even less accountability. Even today it is difficult to tell whether an attack was state-sponsored or not, and it might become even harder.