National Cyber Security Centre and National Crime Agency warn more must be done to secure critical services from threat of IoT hacks.
Cyberattacks exploiting the insecurity of the Internet of Things, and hackers attempting to compromise industrial connected devices, are among the biggest threats to the UK, those responsible for ensuring national security have warned.
Citing incidents including the internet-crippling Mirai botnet cyberattack and vulnerabilities in a children’s doll which could potentially be exploited to conduct espionage on unsuspecting victims, a new report by the intelligence services has warned that the rise of IoT devices is providing threat actors with more opportunities to attack targets than ever before.
The joint report from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), titled The cyber threat to UK business, details the growing threats to individuals and organisations from cyberattacks.
Noting how many IoT devices are shipped with insecurities which make them vulnerable to remote takeover — and without means to update or otherwise fix the devices — the report warns about the increased threat of IoT botnet attacks and says this form of cyberattack is going to get more frequent and more damaging in future.
If attackers continue to turn their efforts towards attacking industrial connected devices, then it could have potentially devastating consequences. In a worst case, hackers could turn off infrastructure such as electricity, water, or heating by hijacking or overwhelming insecure IoT devices.
The NCSC/NCA report warns that “sufficient safeguards are still not in place to protect these systems that were never designed to connect to the internet”, which could ultimately result in damaging real-world consequences.
The National Cyber Security Centre cites a cyberattack in Finland, where a DDoS attack disabled residential automated heating systems in apartment blocks for more than a week.
The report also warns of the increasing threat posed by ransomware, which has risen to become one of the biggest threats on the internet.
Citing ransomware-as-a-service schemes on the dark web which allow almost anyone to become a cybercriminal, the report warns how ransomware allows “individuals and groups to have an impact disproportionate to their technical skill”, especially as those carrying out the attack are increasingly targeting businesses.
Cybercriminals are already targeting smartphones with ransomware, but the report warns how 2017 will see hackers attempt to lock down other types of mobile devices including fitness trackers and TVs.
While the information stored on these is unlikely to be worth much for anyone looking to sell it on the digital underground, the report predicts that “the device and data will be sufficiently valuable to the victim that they will be willing to pay for it”.
“Cyberattacks will continue to evolve, which is why the country must work together at pace to deliver hard outcomes and ground-breaking innovation to reduce the cyber threat to critical services and deter would-be attackers,” said Ciaran Martin, CEO of the NCSC, speaking ahead of the agency’s CYBER UK conference in Liverpool.
Nonetheless, the NCSC — part of the GCHQ intelligence service — believes that IoT security is likely to “eventually” improve, but the government needs to play a role in ensuring these devices are secured.
“Government also has a part to play in promoting smart device security and helping to develop standards such as the NCSC’s and the Department for Business, Energy & Industrial Strategy’s work to ensure the Smart Metering System has proportionate security measures in place,” says the report.
However, the threat is set to loom large for the immediate future, thanks to the millions of insecure smart devices which are already connected to the internet — especially as millions more will be connected in the years to come, the report warns.
“Malware authors will continue to exploit them to mount attacks and will continue working to find fresh vulnerabilities. The ‘botnet of things’ will present a serious challenge to cybersecurity for a considerable time to come,” the report says.
The release of the NCSC/NCA report comes shortly after tech industry body the Online Trust Alliance (OTA) issued a rallying cry for vendors, retailers, and users to act together to “avoid digital disaster” caused by insecure IoT devices.