As we wrap up 2020, it’s time to look ahead to 2021 and a new chapter in the cybersecurity book. While there is no doubt that there are a multitude of possible attacks, here are five types of Internet of Things (IoT) threats that are becoming more popular and more common among attackers.
1. Embedded IoT threats
As entities embrace the IoT, they are still lagging behind on defenses and guidelines. And threat actors will exploit the gap between the risks IoT poses and how prepared people are to address those risks.
IoT devices are inherently insecure. They are connected, which means the bad guys can access them. But IoT devices lack the processing power for basic protection like encryption. They also tend to be very valuable and inexpensive, making it easy for users to deploy large numbers of them (possibly 35 billion IoT devices worldwide at the end of 2021).
IT may not have authorized or even be aware of these devices. In many cases, the employer does not even own them.
IoT is likely to become the preferred target for ransomware attacks. Botnets, advanced persistent threats, distributed denial of service (DDoS) attacks, identity theft, data theft, man-in-the-middle attacks, social engineering attacks, and others are also likely options.
IoT threats, including those affecting databases, also intersect with other 2021 trends. In a world of increased automation, many attacks are focused on the supply chain and manufacturing. IoT is heavily used in these fields, and upgrading equipment is not always a priority. As we encounter more novel attacks on IoT networks, one question is especially important: can outdated firmware be updated to provide the defenses you need?
2. AI in IoT threats
2021 is likely to be the year of AI-driven IoT threats. And that is not surprising.
AI-based attacks have been carried out since 2007, mainly for social engineering attacks (simulating a human chat) and to enhance DDoS attacks. The malicious use of AI appeared on everyone’s radar in 2018, when a groundbreaking study about the threat was published.
Over time, more refined algorithms will get better at mimicking normal users on a network to thwart detection systems that look for odd behavior. The biggest recent development in the use of AI in cyber attacks is the democratization of tools for building and using AI systems. Threat actors can build AI tools now that just a few years ago only researchers could build.
AI systems are better than humans at performing many of the elements of IoT threats, such as repetitive tasks, interactive responses, and processing of very large data sets. Overall, AI will help the bad guys amplify their IoT threats, automate them, and make them more flexible.
And don’t just look for new exotic AI-based IoT threats in 2021. Look instead for the usual network breaches and other attacks, but deployed faster, at larger scale, and with more flexibility, automation, and customization than in the past.
3. Deepfakes for IoT threats
Attackers will use the same tools behind fake videos for IoT threats like brute force attacks and phishing biometrics. For example, university researchers have shown that generative adversarial network (GAN) techniques can generate fake but functional fingerprints through brute force. They do it in the same way that passwords are cracked by trying thousands of attempts.
In fact, we have already seen the use of deepfake technology in malicious attacks. The first wave of these involved false voices. The attackers taught a computer system to sound like a CEO, who then called employees to order money transfers and the like.
Audio and image deepfakes have now been basically perfected, meaning you can create voices and photographs that most humans can’t tell are fake.
The holy grail of deepfakes is video. Today, videos made this way still look weird. But it’s only a matter of time before attackers perfect deepfake video as well, enabling convincing social engineering attacks using video calls. They could also use fake videos for network leaks, extortion and blackmail.
4. More specialized cyber crimes
The entire history of cybercrime has involved increasing refinement on the part of attackers. It often reflects trends in honest business. And this long-standing trend in IoT threats will continue, as we can expect much more specialization and outsourcing in 2021. Threat actors will be looking for better paydays. Instead of one person or a gang doing an entire job, expect groups to offer robbery services for pay. Therefore, a single attack can involve multiple groups, each of which is adept at doing its part.
For example, a group may specialize in reconnaissance at scale and then offer their knowledge on the dark web for a price. Another group can buy this and then hire another group to breach the victim with a social engineering attack. That group can, in turn, hire native speakers and graphic designers to create more compelling emails. Once they gain access, the client can hire multiple gangs of specialists for ransomware, bitcoin mining, extortion, and other attacks.
In the same way that companies have specialized, diversified and benefited from outsourcing, the people who create IoT threats do too.
5. Breakdown between state-sponsored and criminal attacks
The organizational trends described above, specialization and outsourcing, will further blur the line between state-sponsored attacks and gang attacks. And this makes sense. Many so-called state-sponsored cyberattacks are already carried out by criminal gangs linked to government agencies, including military and espionage agencies.
With increased specialization and outsourcing, nation-states will be offered the fruits of cyber attacks, such as IoT threats, in exchange for more and more money. And nation-states will hire otherwise unaffiliated cyber gangs to do specific jobs of malicious attacks, or specific parts of them.
Even today, it is difficult to know whether a detected attack was state-sponsored or not. From 2021 onward, it may become almost impossible.
Without a doubt, the year 2021 will be another exciting year in the field of cybersecurity. Look for these five trends in IoT threats as areas to focus on.