
IoT = Internet of Threats

Catalin Cosoi

May 05, 2016


The Internet of Things will soon become the biggest attack vector against companies, as the number of connected devices is forecast to reach between 20 billion and 50 billion units by 2020.

Gartner predicts that, by 2020, more than 25 percent of identified attacks on enterprises will involve the IoT, while IoT security will still account for less than 10 percent of IT security budgets. Spending on IoT security is expected to reach $547 million in 2018, almost double last year's $281.54 million.

Moreover, recent surveys place employees who do not follow security policies as the biggest threat to endpoint security in organizations (cited by 81 percent of respondents). Employees' use of mobile devices and commercial cloud applications continues to increase endpoint risk significantly: respondents report that commercial cloud applications (72 percent), BYOD (69 percent) and employees working from home offices and offsite (62 percent) have further raised endpoint risk. Mobile devices, vulnerabilities in third-party applications and malicious insider risks have also jumped since 2011. Despite the risk associated with mobile devices, 56 percent of respondents say their employees are allowed to use personal devices to connect to the network. The threat attributed to the growing number of insecure mobile devices in the workplace has increased from 33 percent to 50 percent in the past year.

It is easy to see why IoT devices will so often be used to penetrate company networks in search of vulnerabilities that can bring criminals huge amounts of money. It has been exactly one year and 18 days since Bitdefender launched its integrated home cybersecurity solution for the IoT, and we are still the only security company with such a product. During the past year, we have seen what the IoT really means for security. It is a big mistake to believe criminals use the IoT to target only the consumer. By targeting your smart devices, an attacker can gain a foothold in the company through an employee. Imagine you have a smart bracelet that measures your activity: you charge it at home and then at work, so the same device is plugged into your home computer and into a work computer on the company network. IoT will be the biggest attack vector for the enterprise environment in the coming years.

Gartner predicts 20 billion devices will be shipped by 2020, IDC says 30 billion, and Cisco expects to see 50 billion IoT gadgets delivered in the next five years. That is an average of roughly four devices for every person on the planet, and it creates a huge number of potential attack vectors for organizations. Attacks on households and consumer IoT environments will also occur, but we should be more worried about how to detect company breaches immediately. Sometimes, backdoors are built into IoT devices by the vendor itself. We found smart home devices with default passwords such as 123456 hardcoded in the firmware, a backdoor introduced by the vendor, possibly for support purposes. Obviously, this is not security but sheer negligence. If someone extracts the backdoor password from the memory of one device, every identical device that is or has been shipped becomes vulnerable, and anyone can get into the networks those devices sit on until the manufacturer is notified and fixes the problem in a firmware update that actually reaches the devices already in the field. In the future, a security audit of IoT devices should be routine, placing a green stamp on them to attest that they are secure.
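As an added illustration of the hardcoded-credential problem described above (example code written for this page, not Bitdefender's or any vendor's code): the vulnerable pattern is a single support password compiled into every firmware image, so one flash dump unlocks every unit ever shipped. The hardened pattern derives a unique first-boot password per serial number from a factory secret (assumed to be held in the manufacturer's HSM and never placed in firmware), stores only a salted PBKDF2 hash on the device, refuses known weak defaults at provisioning time and compares in constant time. The serials, the factory secret and all passwords are constructed values.

```python
"""Hardcoded universal 'support' password versus per-device credentials.

Added example for this article; not Bitdefender code and not a description
of any specific product. Serials, factory secret and passwords are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# ---------------------------------------------------------------------------
# Vulnerable pattern: the same backdoor credential is baked into every unit.
# Reading it out of one device's flash unlocks every identical device.
# ---------------------------------------------------------------------------
SUPPORT_PASSWORD = "123456"  # identical in every shipped firmware image


def vulnerable_login(password: str) -> bool:
    """Accepts the universal support password on any device, anywhere."""
    return password == SUPPORT_PASSWORD


# ---------------------------------------------------------------------------
# Hardened pattern: a unique first-boot password per device, derived at the
# factory from a secret that never leaves the manufacturer, and stored on the
# device only as a salted, stretched hash.
# ---------------------------------------------------------------------------
WEAK_DEFAULTS = {"123456", "password", "admin", "1234", "12345678", "default"}
PBKDF2_ROUNDS = 100_000


def is_weak_default(password: str) -> bool:
    """Reject the classic vendor defaults and trivially short or repeated passwords."""
    return (
        password.lower() in WEAK_DEFAULTS
        or len(password) < 8
        or len(set(password)) == 1
    )


def derive_factory_password(factory_secret: bytes, serial: str) -> str:
    """HMAC(factory_secret, serial) gives each unit its own label password.

    The factory_secret is assumed to live in the manufacturer's HSM; only the
    derived password is printed on the device label. Dumping one device's
    flash therefore yields nothing that works on another serial.
    """
    tag = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return tag[:9].hex()  # 18 hex characters, 72 bits of entropy


def store_credential(password: str, salt: Optional[bytes] = None) -> dict:
    """Persist only salt + PBKDF2 hash, never the password itself."""
    if is_weak_default(password):
        raise ValueError("refusing to provision a weak default password")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # must_change: the label password is only good for the first login
    return {"salt": salt, "hash": digest, "must_change": True}


def hardened_login(record: dict, password: str) -> bool:
    """Re-stretch the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, record["hash"])


def demo() -> dict:
    """Provision two units and show the difference in blast radius."""
    factory_secret = bytes(range(32))  # constructed; a real one lives in an HSM
    pw_a = derive_factory_password(factory_secret, "SN-0001")
    pw_b = derive_factory_password(factory_secret, "SN-0002")
    rec_a = store_credential(pw_a)
    rec_b = store_credential(pw_b)
    return {
        # one leaked backdoor password opens every unit ever shipped
        "backdoor_opens_any_unit": vulnerable_login("123456"),
        # each unit accepts only its own label password
        "a_opens_a": hardened_login(rec_a, pw_a),
        "a_opens_b": hardened_login(rec_b, pw_a),
        "b_opens_b": hardened_login(rec_b, pw_b),
        # the 'support' default is refused at provisioning time
        "default_refused": is_weak_default("123456"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to see the comparison. The point is blast radius: with the hardened scheme, dumping one unit reveals at most that unit's salted hash, the leaked password from unit A is useless against unit B, and the 123456 default cannot even be provisioned. A real device would additionally enforce the must_change flag on first login and rate-limit attempts, neither of which changes the per-device property shown here.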

Security vendors can raise the cost of attacks so that attackers must spend more time and money to penetrate a network; not just anybody can afford to spend hundreds of thousands of dollars to target an organization. Very few attackers are caught and jailed, and because law enforcement agencies are largely unable to track cyber criminals, that lack of consequences effectively encourages further fraud. Jurisdiction is a big problem: attackers can switch their country of operations within minutes, leaving national law enforcement powerless. International jurisdiction might temper these attacks.

Some vendors, like Philips and Apple, have created locked-in ecosystems for better security. However, at this stage of IoT development, interoperability, clunky, proprietary, resource-intensive and largely vendor-controlled as it is, remains very important. So most vendors leave their platforms open-source and, consequently, more exposed to code manipulation.

Recently, researchers from Bitdefender Labs examined four internet-connected consumer devices and found several common vulnerabilities. The analysis shows that the authentication mechanisms of current internet-connected devices can easily be bypassed, exposing networks and users' private data to theft.





Catalin Cosoi

As Bitdefender's Chief Security Strategist, Alexandru Catalin Cosoi wears many hats, from energizing and publicizing the company's technological progress from within the CTO Office to leading the cyber-intelligence team tasked with helping local and international law enforcement agencies fight cybercrime. Alexandru is also a member of the Internet Security Advisory Group at Europol and Bitdefender's liaison with Interpol, and he is in direct contact with 60 CERTs worldwide. Alexandru specializes in pattern extraction and recognition technologies, with an accent on neural networks and machine learning. His technical achievements have so far materialized in six granted patents and a series of classification technologies being implemented in Bitdefender software. Alexandru has a bachelor degree in bioengineering and machine learning and a PhD in natural language processing. Throughout the past decade, Alexandru has been delivering talks and trainings at numerous international events, evangelizing the threat landscape of the cybersecurity industry, dissecting attacks and training people to use different technologies.

