Threats, Regulations, and Vendor Responses to Risks in the Internet of Things
The Wild West, a place of exaggerated lawlessness in the United States during the 1800s, has returned as a metaphor for the Internet of Things (IoT). Driven by similar issues of exploration, homesteading, and prospecting for riches, IoT devices are becoming as common as the bison that once roamed these lands. Hundreds of thousands of device types, organized into vast networks that will generate an immeasurable amount of data, are being incorporated into almost every industry and proposed for every type of consumer activity.
We discussed the future of IoT threats, regulations, and likely vendor responses with experts throughout the company, and distilled their thoughts in the McAfee Labs 2017 Threats Predictions report. IoT devices should really be thought of as part of a network. Their connections to the cloud make threats and responses closely linked to the cloud. Some of the top issues include an increasing fear of a somewhat formless threat, rookie mistakes by device makers unfamiliar with cybersecurity practices, and ongoing regulatory challenges.
Growing fear, but of what?
IoT devices are definitely going to attract criminal activity as a source of data or as an attack vector. We have already seen the beginnings of this, including data breaches that gained initial access through a connected IoT device, and the recent distributed denial-of-service (DDoS) attack on Internet infrastructure from compromised webcams. So the fear of attack is legitimate, but the form of future attacks remains uncertain. Cybercriminals are driven by money, and it remains unclear how they will leverage the vulnerability of these devices for profit. We expect ransomware of some kind, including DoS attacks that prevent the devices from being used properly, to be the easiest way for attackers to make money, and thus the biggest initial threat. The relative security weaknesses and broad attack surface of IoT devices also make them a prime target for hacktivists.
Many companies are adding IP functionality to their devices in order to improve efficiency and collect data about device usage. Too many of these companies have little experience with Internet connectivity, and we expect them to make rookie mistakes, with things such as default passwords (which enabled the recent DDoS attack), unnecessary privilege levels, and unpatched (or even unpatchable) vulnerabilities. They will learn, but it will take years of breaches, attacks, litigation, regulation, and painful lessons.
Ongoing regulatory challenges and cultural privacy norms
Similar to what has happened with the cloud, the rapid adoption of IoT devices is creating a big gap in regulation. With consumers at the forefront of IoT device adoption, privacy concerns will be the biggest initial driver of legislation. Different jurisdictions already have divergent attitudes and regulations toward privacy, which IoT devices will only exacerbate. Lawmakers will have great difficulty keeping up with these technological advancements. Incidents and the resulting litigation, protests, consumer backlash, and corporate accountability will affect the development of legislation differently in each jurisdiction. Contradictions and uncertainty surrounding IoT regulations will be a significant challenge for multinational corporations and may even restrict IoT device adoption in some markets.
To read the full details about these and other IoT predictions, download the McAfee Labs 2017 Threats Predictions report.