IoT Devices, Cyber Warfare, and the Future of Security
If you think about it, the technology we have around us today is pretty incredible. From generative AI tools like ChatGPT to DNA testing, so many technological abilities that are normal now would have been something out of a sci-fi film or a James Bond movie thirty years ago. But just like in science fiction, new technologies come with new risks. If you have wifi-connected appliances or “smart” gadgets on the Internet of Things (IoT), these IoT devices are at risk from attackers. And on an even larger scale, new technology has opened more opportunities for cyber warfare.
See Securing IoT and Cyber Warfare with Mikko Hypponen for a complete transcript of the Easy Prey podcast episode.
Mikko Hypponen is an old-school hacker from Helsinki, Finland. He started programming as a teenager, sold his first programs when he was seventeen, and reverse-engineered malware for the first time in 1991, when he was twenty-one. He has spent the past thirty-two years tracking online attackers, finding out where organized cybercrime gangs come from, and tracking government cyberattacks, especially from Russia. In addition, he has written for the New York Times, Wired, and Scientific American, lectured at the Universities of Oxford, Stanford, and Cambridge, and sits on an advisory board with Europol.
Mikko’s mother got into computers in the 1960s, when very few people were working with computers. During the defining years of his childhood, she brought home computer punch cards and stories of working with technology. When he was sixteen years old, she told him, “Mikko, you should study telecommunications. Telecommunications is the future.” This was before mobile phones were common, so the advice was prescient. If you had told Mikko back then that eventually everyone would have a computer in their pocket, he wouldn’t have believed you. But his mother was right.
IoT Devices and Security
IoT devices, also known as “smart” devices, are quite popular. And there’s a good reason for that. Though some smart devices seem useless or unnecessary, many others can benefit our lives. For example, Mikko doesn’t have a smart fridge himself. But he has seen people out grocery shopping who can’t remember if they need milk, so they pull out their phone to see what’s in the fridge. Those kinds of features make IoT devices helpful in everyday situations.
I understand perfectly well why people have smart doorbells or smart fridges. … The problem really is that nobody configures these correctly. – Mikko Hypponen
But IoT devices also come with a lot of security risks. Part of that is because in the marketplace, the cheapest product wins. For vendors building an appliance, there’s no incentive to make it secure. If they invest the time and money to make their smart fridge more secure than their competitors, in the end they’ve just made the product more expensive.
Another problem is that nobody configures their IoT devices correctly. Nobody plans to update the firmware on their refrigerator. And when people go shopping for new appliances, they ask questions about the color, or the size, or the price. Nobody asks questions about security. That’s a large problem.
Regulation for IoT Device Security
In many ways, the lack of security in IoT devices is a market failure. Even though security is important, the market doesn’t reward it. The way we typically try to fix market failures is through regulations. Mikko is generally not a fan of regulation. But if we’re going to regulate something, this would be a good place to do it.
If you buy a washing machine and it catches fire in the middle of the night and burns your house down, the vendor who built that washing machine is liable for damages. But if that same washing machine has weak security, a hacker can get access to your home network, and you wake up to every device in your house infected with ransomware, the vendor who left the security so weak isn’t liable for anything. Regulation could make the vendor liable. That would provide incentive for vendors to build IoT devices that are more secure.
How to Secure Your IoT Devices
IoT devices have risks. But that doesn’t mean you can’t use them if you want to be secure. There are steps you can take to manage your IoT devices to be more secure. Mikko’s first piece of advice to anyone with any kind of “smart” device: Read the manual!
Many of these hackable devices wouldn’t be hackable if the consumers would simply read the manual. – Mikko Hypponen
Lots of information comes with every product you buy. If you buy an IoT device, the manual probably has instructions to change the default password, configure the security, prevent outsiders from accessing the controls, or even how to segment your whole network so someone who accessed your smart gadget can’t access any of your computers. The problem is that nobody reads the manual.
Vendors should have some responsibility for IoT device security. But consumers have to take some responsibility, as well.
Malware for Smart Devices is Increasing
When Mikko looked at internet traffic over the IPv4 space, especially malicious traffic, he found some surprising changes. In the past, malicious traffic was mostly malware for Windows devices. But it isn’t anymore. Most malware traffic now is Linux-based.
The reason for this is IoT malware. There are plenty of IoT devices running on Linux. And much of this malware is very simple. Known as “Mirai” malware, it attempts to infect devices by guessing known weak username and password combinations.
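The credential guessing described above leaves a recognizable trace on the device: one source failing logins for several different usernames in quick succession. The following is an added example, not code from the article or the podcast, that flags that pattern and notes when a successful login follows it. It assumes the device logs in OpenSSH's syslog format; the sample lines, thresholds, and the function name `find_guessing` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not from the article).
SAMPLE_LOG = """\
Jul 12 03:14:01 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jul 12 03:14:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40024 ssh2
Jul 12 03:14:04 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.5 port 40026 ssh2
Jul 12 03:14:06 cam01 sshd[812]: Failed password for invalid user guest from 203.0.113.5 port 40028 ssh2
Jul 12 03:14:09 cam01 sshd[812]: Accepted password for root from 203.0.113.5 port 40030 ssh2
Jul 12 08:30:11 cam01 sshd[901]: Failed password for alice from 198.51.100.7 port 52110 ssh2
Jul 12 08:30:25 cam01 sshd[901]: Accepted password for alice from 198.51.100.7 port 52112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_guessing(log_text, window=timedelta(seconds=60), min_users=3, year=2023):
    """Flag sources that failed logins for >= min_users distinct usernames
    within `window`. Syslog lines carry no year, so `year` is an assumption."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    accepted = defaultdict(list)   # ip -> [time]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["result"] == "Failed":
            failures[m["ip"]].append((ts, m["user"]))
        else:
            accepted[m["ip"]].append(ts)
    findings = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                # A success after the burst suggests a guessed credential worked.
                hit = any(t >= start for t in accepted[ip])
                findings[ip] = {"users": sorted(users), "compromised": hit}
                break
    return findings

if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A source flagged with `compromised` set to true is the case to act on first: the device accepted a password right after a guessing burst, so its credentials should be changed and its firmware checked.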
Why Hackers Want Access To Your IoT Devices
You might be thinking, “I can understand why a hacker would want to get into my laptop or my wifi network. But what could they do with my washing machine or my refrigerator?” And the answer is, a lot! IoT devices can be used to “pivot” through your home network – if it’s not properly configured, a hacker could get into your smart lightbulb and use that to attack your laptop or phone. These attacks, though, are most commonly done against businesses, not home networks.
But even if a hacker isn’t using your IoT device to get into your other devices, there are other things they can do with it. A lot of people think there’s not much computing power available to steal from these devices. But there is more than you would think. Mikko regularly sees security cameras that have been taken over by botnets that hackers use to send malware, spam, and scams to others. They can also be used to launch “denial of service” attacks, which can be very powerful if there are several thousand IoT devices behind them. Russia used botnets for denial of service attacks against a recent NATO summit in Lithuania.
Another thing that hackers can use your IoT devices for is cryptocurrency mining. There are cryptocurrencies designed so you don’t need a dedicated device to mine them. Hackers can put crypto mining software on your smart device and create money for themselves – while you pay for the electricity and the bandwidth it needs to run.
What You Can Do Before (and After) You’re Compromised
Even the smartest people can make mistakes. Anyone, even security experts, can be anxious, in a hurry, or not paying attention. That includes Mikko. Mikko works in security, but he’s had his credit card number stolen twice and has accidentally infected several computers with malware.
I completely understand why people get infected or why people get fooled. When you are tired, when you’re anxious, when you’re in a hurry, we all make mistakes. I make mistakes. – Mikko Hypponen
Before your computer or IoT device is compromised, the number one rule is backups. You have to have some kind of recovery method. What that is differs depending on whether you’re backing up a business device or a personal one. But especially for home users, a cloud-based backup is a great option. Apple, for example, puts most things in their iCloud by default, so backups are practically automatic. And even if the current version is corrupted, companies can roll back to a previous version and recover your data.
But what if the compromise has already happened? The hackers have taken over your IoT devices, or your laptop is riddled with ransomware. Mikko’s top tip for this applies to any crisis situation. Whether you think you’ve been hacked, you got scammed, or you got a phone call or an email about something important, you can apply this tip. It’s very simple: Take a break. Step out of the room or take a walk around the block if you can. Clear your head and reconsider what’s happening. Think it through before you take any action. What’s the real information? Are you being tricked? Did you make a mistake? Who should you call for help about this? Acting without thinking it through could make the situation even worse. Take time to think first.
Russia and Cyber War
Finland shares about nine hundred miles of border with Russia, and both of Mikko’s grandfathers fought Russians in World War II. Because of this, Finnish cybersecurity companies pay attention to what’s happening in Russia – not just the cybercrime gangs, but also government actors. There have been plenty of attacks by the government over the last fifteen years, most of which were espionage. But now, things are becoming more concrete. They’re not just doing espionage with cyber tools, they’re also doing sabotage.
These should be called cyber weapons and this should be called cyber war. – Mikko Hypponen
War has expanded from its original domain. Thousands of years ago, we only had wars fought on land. Now, if you look at the war between Russia and Ukraine, they are fighting in five domains: Land, sea, air, space, and cyberspace. And the technology that allows these new domains allows spying and espionage, which is crucial. In World War II, the only way to find out about troop movements and gatherings was to send someone over there to look. The Russia-Ukraine war still uses tanks and people in ditches with assault rifles. But now tech allows both sides to send drones and satellites to track troops, triangulate radio signals, and track mobile phones. It’s a huge difference.
Cyber Attacks are the Game-Changer
Technology is shaping war in many ways, but the real game changer is cyber attacks themselves. – Mikko Hypponen
Russia has been targeting Ukraine with cyberattacks for the past seven years, both trying to gain access and information and to destroy things. When war broke out in February last year, there were days-long waits at the border because of a successful Russian cyberattack. They had wiped all the Ukrainian border control computers. The borders were open, but everything had to be done by pen and paper so it was much slower. That’s what normal modern cyber war looks like.
Ukraine has become the best country in Europe at defending against Russian governmental cyberattacks. It’s because they have been targeted by these attacks for so long. When you do something over and over again, you become an expert in it. Mikko is in the military reserves in Finland, and when he goes in for refresher training they give him a keyboard because that’s what he’s best at. They rehearse and play war games, imagining what they would do in various scenarios. But Ukraine isn’t rehearsing. They’ve been fighting a cyber war against Russia for years, so they have the expertise.
The Future of Cyber War
War is shaped by technology. Whatever the next domain of war will be will also be shaped by technology. Thirty years ago, cyber war sounded like science fiction. Whatever the next domain of war is will sound like science fiction to us right now, too.
Mikko isn’t sure what it will be, but he can make a guess. It may be nano warfare. With advancements in nanotechnology, armies could disperse aerosols over battlefields that are full of nanobots. Those nanobots could get into enemy soldiers’ bloodstreams, travel to their brains, and change their thoughts.
Does that sound like science fiction? Absolutely. But thirty years ago the idea of cyber war also sounded like science fiction, and it’s happening now.
AI in Cyber War, Malware, and Security
Mikko started working with machine learning systems for cybersecurity products in 2005. That was almost two decades ago. All that time, he has been waiting for enemies to catch up and start using the same AI and machine learning technology. Mostly, he’s still waiting. We have seen deep fakes and the first malware written in Python with the help of GPT AI tools. But we have yet to see it used for the most dangerous potential option – fully automated malware.
What really is still missing, which could happen any day, is complete automation of malware campaigns. – Mikko Hypponen
Many security companies can use machine learning technology to attract attacks with bait, get a sample, run it in virtual systems, analyze it, and build detection systems in a matter of minutes. But right now, attackers are still working manually. They write new ransomware, craft malicious emails, register domain names, and send spam at human speeds, while we’re defending at machine speeds. When the attackers shift into full automation, it will be a whole new challenge. If they can compromise your IoT devices and put malware on your computers just as fast as we can defend them, we don’t really know who’s going to win. At that point, the best thing to defend you from bad AI is good AI.