by Tom Van de Wiele, Principal Security Consultant, F-Secure Consulting
Another worm or Mirai-like attack will occur in the next 1-3 years and reoccur periodically until effective quality control measures that address the security and privacy of internet-connected devices are widely implemented.
For 2021 there won’t be a lot of changes when it comes to the transparency of internet of things (IoT) devices (what they are made of, what they communicate with, what data they handle, etc.). Not knowing what the devices are sending back and what kind of leverage an attacker is able to gain over the device (and thus over your data and personal life) is still one of the major drawbacks of buying anything “smart”. And unfortunately, this will continue for years to come. The end user has no clue about the total attack surface: what data is being communicated back and forth, how the security of that communication is managed, and what data is transmitted and stored.
And it’s important to remember that the IoT has significant privacy implications that will stay with us for years, increasing the risk that our personal information will be stolen in a data breach. If you think about the amount of data a single device, such as a smart TV, can collect, and then consider how quickly these devices are proliferating, it becomes clear that device vendors are now in a position to learn a startling amount of information about us. And this information allows them to explore new revenue streams and businesses. That means smart TV manufacturers can still make money on the after-sales market with the information they can gather from your device (how you use it, when you use it, and what choices you make or do not make).
Although institutions like the European Union are trying to enforce laws when it comes to privacy (for example, on the default use of microphones), the larger part of the software development process is performed without any transparency on what technology is used, how it is used, how long it will be supported, and what information is gathered and sent to third parties. There are other initiatives in the works, but they are still in the early stages of development and implementation. Until then, data pollution will continue to fill the virtual landfills companies are learning to monetize. And DDoS bot herders will find strength in numbers of vulnerable devices of a certain class, brand, or model, and build massive botnets to sell for use in disruptive operations.