Predictions for Tomorrow’s Internet
Currently, an estimated 6.4 billion Internet-of-Things (IoT) devices are connected, with 67 percent residing in North America, Western Europe and China. By the end of 2017, IoT growth is predicted to continue with an explosive 8.4 billion connected devices with a high concentration in electric utility and commercial security applications. However, the development and use of cross-industry devices targeted at smart buildings, such as control of lighting, HVAC and security systems, will take the lead.
In the last two years, 48 percent of US companies (with IoT deployed) experienced at least one security breach and the financial impact of these breaches is significant. For small business, the cost per breach is estimated to be 13.4 percent of annual gross revenue, while large businesses (revenue of $2 billion and greater), approached $20 million per breach. Some of the major IoT targeting malware strains that have been unleashed and continue to attack connected devices include:
- October 2016, Mirai botnet DDoS attack blocked more than 1,200 websites.
- October 2016, NyaDrop targeted IoT connected CCTV cameras by use of brute force.
- April 2017, Brickerbot infected targeted IoT devices, seeking firmware destruction.
- May 2017, Persirai botnet targeted webcams to conduct DDoS attacks.
- June 2017, DvrHelper was introduced to bypass the solutions following Mirai.
Growth of IoT deployment, while significant, lags behind actual demand due to security concerns. Industry leaders are inhibited by several factors, including:
- Physically unsecure endpoints;
- Poor endpoint authentication;
- Application security vulnerabilities; and
- Unsecured communication between networks and devices.
A significant number of consumer and business devices lack basic security protocols, making them ripe for digital compromise. Rapid industry growth, demand for new applications and a widely divergent manufacturing base has exacerbated the problem in several ways:
- Response to consumer demand feeds the frenzy to mass produce products without security considerations in the design phase.
- Rapid development of IoT took place without a governing body or security-driven regulations, resulting in independent decision making by each device manufacturer.
- Devices are deployed with default, static passwords with no opportunity for end users to modify.
- In order to keep production costs down and time-to-market periods short, many IoT devices are produced without the ability to update firmware to address future security vulnerabilities.
Since delivery of ransomware has been at the forefront of traditional cyber security measures due to its widespread proliferation and relatively easy delivery methods, IoT devices are not immune to the threat and may very well be involved in the next wave of ransomware attacks. Ransomware targeting IoT devices will seek to control devices and processes they support, causing much more harm and potentially increasing ransom demands. We anticipate that lawmakers will need to set forth regulations that govern the secure design of IoT devices and software deployed within critical infrastructure.