Many types of attacks have been around for a very long time. What’s new is the scale and relative simplicity of attacks in the Internet of Things (IoT) – millions of devices are potential victims of traditional-style cyber attacks, but on a much larger scale and often with limited, if any, protection. At its core, IoT is all about connecting and networking devices that up until now have not necessarily been connected. This means that all of those devices, whether it is your brand new connected refrigerator or your connected vehicle, are creating a new entry point to the network and therefore posing an increasing security and privacy risk.
While the types of attack often follow the same procedure as before, the impact of each attack can vary dramatically, depending on the ecosystem, the device and environment, the available protection level and many other factors.
Over the last few weeks, we ran a small series on the 5 most common cyber attacks and how their threat rises to an unprecedented level with the possibilities of the IoT. In this blog you will find a summary of all the possible attacks, but follow the links for in-depth coverage on each attack – all of them have been covered on our blog in previous weeks!
A botnet is a network of systems combined together with the purpose of remotely taking control and distributing malware. Controlled by botnet operators via command-and-control servers (C&C servers), they are used by criminals on a grand scale for many things: stealing private information, exploiting online-banking data, DDoS attacks or spam and phishing emails.
With the rise of the IoT, many objects and devices are in danger of becoming, or already are, part of so-called thingbots – botnets that incorporate independent connected objects.
Botnets as well as thingbots consist of many different devices, all connected to each other – from computers, laptops, smartphones and tablets to now also those “smart” devices. These things have two main characteristics in common: they are internet enabled and they are able to transfer data automatically via a network. Anti-spam technology can spot pretty reliably if one machine sends thousands of similar emails, but it’s a lot harder to spot if those emails are being sent from various devices that are part of a botnet. They all have one goal: sending thousands of email requests to a target in hopes that the platform crashes while struggling to cope with the enormous amount of requests.
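The detection gap described above, as an added example that is not part of the original post: a per-source volume rule catches one loud machine, while grouping messages by a normalised content fingerprint across sources surfaces the same template arriving from many quiet devices. The thresholds, addresses and message bodies are constructed for illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict

PER_SENDER_LIMIT = 100      # assumed: max messages one source may send per window
CAMPAIGN_MIN_SENDERS = 20   # assumed: distinct sources sharing one template

def fingerprint(body):
    """Hash a body after masking the parts spam templates usually vary."""
    text = re.sub(r"https?://\S+", "<url>", body.lower())
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def noisy_senders(messages, limit=PER_SENDER_LIMIT):
    """Single-source rule: sources exceeding the volume limit."""
    counts = Counter(src for src, _ in messages)
    return {src for src, n in counts.items() if n > limit}

def distributed_campaigns(messages, min_senders=CAMPAIGN_MIN_SENDERS):
    """Cross-source rule: templates sent by many distinct sources."""
    sources = defaultdict(set)
    for src, body in messages:
        sources[fingerprint(body)].add(src)
    return {fp: s for fp, s in sources.items() if len(s) >= min_senders}

def build_sample():
    """Constructed (source, body) pairs for one time window."""
    msgs = [("198.51.100.7", f"Claim prize #{i} at http://example.test/{i}")
            for i in range(500)]                      # one loud host
    for d in range(200):                              # 200 quiet devices
        for i in range(3):
            msgs.append((f"10.0.0.{d + 1}",
                         f"Invoice {d * 3 + i} is ready: http://example.test/inv/{i}"))
    msgs += [("192.0.2.10", "Lunch at 12?"), ("192.0.2.11", "Notes attached")]
    return msgs

if __name__ == "__main__":
    sample = build_sample()
    print("over volume limit:", noisy_senders(sample))
    for fp, srcs in distributed_campaigns(sample).items():
        print(f"template {fp}: {len(srcs)} distinct sources")
```

None of the 200 devices in the sample exceeds the per-source limit, so only the cross-source grouping reports them.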
The man-in-the-middle concept is where an attacker or hacker is looking to interrupt and breach communications between two separate systems. It can be a dangerous attack because it is one where the attacker secretly intercepts and transmits messages between two parties when they are under the belief that they are communicating directly with each other. As the attacker has the original communication, they can trick the recipient into thinking they are still getting a legitimate message. Many cases have already been reported within this threat area, including cases of hacked vehicles and hacked "smart refrigerators".
These attacks can be extremely dangerous in the IoT, because of the nature of the "things" being hacked. For example, these devices can be anything from industrial tools, machinery, or vehicles to innocuous connected "things" such as smart TVs or garage door openers.
While the news is full of scary and unpredictable hackers accessing data and money with all types of impressive hacks, we are often also our own biggest security enemy. Careless safekeeping of internet-connected devices (e.g. mobile phone, iPad, Kindle, smartwatch, etc.) plays into the hands of malicious thieves and opportunistic finders.
The main strategy of identity theft is to amass data – and with a little bit of patience, there is a lot to find. General data available on the internet, combined with social media information, plus data from smart watches, fitness trackers and, if available, smart meters, smart fridges and many more give a great all-round idea of your personal identity. The more details that can be found about a user, the easier and the more sophisticated a targeted attack aimed at identity theft can be.
Social engineering is the act of manipulating people so they give up confidential information. The types of information that criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to deceive the user into giving them passwords or bank information. Or they could be trying to access a computer in order to secretly install malicious software that will then give them access to personal information, as well as giving them control over the computer. Typically, social engineering hacks are done in the form of phishing emails, which seek to have you divulge your information, or redirects to websites like banking or shopping sites that look legitimate, enticing you to enter your details.
A denial of service (DoS) attack happens when a service that would usually work is unavailable. There can be many reasons for unavailability, but it usually refers to infrastructure that cannot cope due to capacity overload. In a Distributed Denial of Service (DDoS) attack, a large number of systems maliciously attack one target. This is often done through a botnet, where many devices are programmed (often unbeknownst to the owner) to request a service at the same time.
In comparison to hacking attacks like phishing or brute-force attacks, DoS doesn’t usually try to steal information or lead to security loss, but the loss of reputation for the affected company can still cost a lot of time and money. Often customers also decide to switch to a competitor, as they fear security issues or simply can’t afford to have an unavailable service. Often a DoS attack lends itself to activists and blackmailers.
A major concern in the IoT is the assurance of privacy. How will consumer data be used and by whom? An environment where your home, office, vehicles, appliances, office equipment and many other devices are connected to the internet raises new concerns for both consumers and businesses about where their data will go and how, of course, it will be used. Companies will have to evaluate the policies for privacy and data security to up their game and ensure collected data is safeguarded and kept private. Only when companies start doing this will there be assurances of privacy.
While your business is likely to be faced with numerous types of attacks over time, the main goal is not to get distracted by the exploit of the week.
Invest your time and money in a solid security structure, focus on the most common attacks, and offer regular training to your staff to ensure they are able to spot attacks when they happen. Focus on the threats that are most likely to affect your business and are most likely to have a severe outcome. The answers to security concerns are out there: in the form of increased security, authentication and management of data.