The IoT is vulnerable — hackers just need a business model

Concerns about vulnerable connected devices in enterprise and industrial settings have recently been widespread, but for the most part, any hacks have been relatively small and committed by nation states. The Stuxnet virus is one example. However, once a business model emerges that can turn an attack into profits, the danger will explode.

That is the conclusion of a new report from Trend Micro, which is based on its predictions for the coming year. TrendMicro already did a deep dive into risks that will come from hackers figuring out how to monetize the IoT back in September, but it still ranked highly in its 2020 predictions list. Other predictions affecting the IoT involve serverless computing and the threat of supply chain attacks via home workers.

Hackers have already found a business model for enterprise and industrial networks, although currently they primarily attack computers. Hospitals, school districts, and companies fall victim to malware that runs on their computer systems and freezes access until the victim pays a ransom. If hackers can figure out how to apply ransomware to more connected devices, consumers might see their thermostats stop working until they or the thermostat vendor pays a ransom. In the manufacturing world, data theft is already a big concern, but imagine the ability to hold a company hostage with the threat of damaging sensitive connected equipment.

Another IoT-related worry for organizations is the proliferation of containers and serverless computing architectures. As I’ve pointed out in prior columns, serverless computing provides the right economics for IoT because instead of keeping a server always on and configured to receive sensor data and then react to it, an organization can spin up an AWS Lambda or Azure Functions whenever a sensor reports, take an action on that data, and then spin back down. Using a computing instance as needed, and only as needed, makes more sense for the IoT.

In a similar vein, containers also provide the ability to quickly scale a software application up and down as needed. A recent survey found that slightly more than half of the containers used by an organization (54%) only exist for five minutes or less. So what’s the security issue? According to TrendMico, both serverless computing and containers are tough to configure (based on the conversations I have with developers, this is true). Meanwhile, the risk of configuration errors leading to vulnerabilities is high and only getting higher as more companies adopt these ephemeral architectures.

Of particular interest to me, because I work from home and because and it’s something I’ve already been thinking about, was this idea that home-based workers will act as a source of potential risk based on their own insecure networks or compromised devices. According to the report, “Connected home devices serving as a gateway for enterprise attacks is an unavoidable development considering how employees may find these devices (e.g., smart TVs, speakers, and assistants) convenient for work use as well. Enterprises will have to decide on what information security policies to implement to deal with such scenarios.”

Having an employee use a virtual private network to access corporate files is fine for protecting computerized data, but if someone can target a valuable employee and hack their smart speaker to listen in on phone calls, that’s a new level of risk. Perhaps high-level employees will get the SCIFs (Sensitive Compartmented Information Facility) found in government buildings.

The report offers plenty of other risks to worry about and also a few suggestions for how to mitigate them, but it makes for good reading if you’d like to add a bit of doom and gloom to your holiday.