By Ben Seri
The year may be coming to a close, but the proliferation of IoT devices over the past decade means new opportunities for hackers are only beginning. IoT security is getting some much-needed scrutiny as we’re seeing a wave of new risks -- from low-hanging vulnerabilities to corporate espionage -- and in 2020, enterprises will have to take note.
It is estimated that there will soon be over 25 billion connected devices globally -- deployed everywhere from healthcare to the manufacturing floor -- giving adversaries a greater variety targets than ever.
Here are my predictions for the IoT security landscape in 2020 and beyond.
IoT for corporate espionage goes public
The sheer volume of IoT devices tapped into enterprise networks creates a tempting attack vector for attackers, and all industries are exposed to some degree. However, 2020 will be the year where this increased risk plays out in a novel way: corporate espionage. Because corporations lack visibility into the connected devices in their network, they are unprepared to ferret out snoops who gained undetected access through IoT security flaws.
For example, Microsoft recently spotted Strontium attempting to compromise popular IoT devices across multiple customer locations by using VOIP phones, an office printer and a video decoder as an entry point into their targets' internal networks. Once in, they scanned for other vulnerable systems to expand this initial foothold and moved laterally. I expect that this is only a prologue to a huge influx of corporate espionage attacks.
Hardware and chip manufacturers will offer IoT bug bounties
Hardware manufacturers are beginning to understand the valuable role the research community plays in developing secure devices. In 2020, we’ll see increased dialogue between hardware vendors and the security community and more bug bounty programs as part of an effort to speed up the process of vulnerability discovery and mitigation.
Bug bounty programs can help vendors find and fix bugs faster than they could on their own, which reduces the change hackers will exploit them. It’s difficult to attack Windows devices today because of the rigorous process Microsoft went through.
2020 will be the year that APT hits IoT
In 2020, APT attacks will start leveraging insecure IoT environments. There’s a history here -- in April, Microsoft spotted Russian state hackers attacking their customers through IoT devices like VOIP phones, office printers, and video decoders. As more victims publicly acknowledge these attacks, the industry will be able to better spot and block foreign adversary attacks exploiting IoT for advanced persistent attacks.
Attackers will favor low hanging IoT attacks instead of complicated cryptographic attacks like KRACK or Meltdown
IoT-based attacks will continue to prove more popular and successful than more complicated cryptographic attacks. While threat research may reveal new vulnerabilities, in reality, the time and effort required to crack highly-secure networks doesn’t add up when IoT promises a simpler -- and often unprotected -- vector of attack. Researchers will continue to hunt for cryptographic attacks, but we won’t see them in the wild.