Mikko Hyppönen is one of the world’s leading experts in computer security and privacy, and since 1990 he has been advising the governments of the USA and European and Asian countries on cybersecurity matters. Born in Finland in 1969, Hyppönen is chief research officer at F-Secure, where he has fought against the biggest viruses in the history of the Internet. He is also known for Hyppönen’s law: “Whenever an appliance is described as being ‘smart’, it is vulnerable.” As keynote speaker at the last edition of the Internet of Things World Solutions Congress, Hyppönen explored this concept in depth, along with the need for the IoT ecosystem to adopt its own security measures to tackle all kinds of cyber threats. He calls for the professionalization of IoT installations and a radical change in traditional cyber protection systems.
What is the present situation of IoT technology in terms of security?
In many corporate and home networks, IoT devices are the weakest link. Outsider attackers might have a hard time gaining access to internal networks via the servers and workstations, but they might be able to do it via, say, an IoT security camera or another appliance. In a corporate setting, an additional problem is that employees are bringing in IoT devices and connecting them to the corporate network on their own. The two most common security problems we see in IoT devices today are exposed admin interfaces and security vulnerabilities. Exposed admin interfaces are cases where attackers from the internet can connect to an IoT device and gain access to the configuration settings of the device. This might happen because the network isn’t segmented correctly or user accounts aren’t set right or maybe the default credentials were not changed. Security vulnerabilities are a different problem: they start from a programming error made by the developers. Attackers can then use those bugs to exploit the system and gain access to the device.
What new opportunities is IoT giving to cybercriminals?
Most criminals are after money. Making money by hacking IoT devices typically involves creating large botnets of the hacked devices. These botnets can be very large and very powerful. Such botnets can then be used to launch denial-of-service attacks to take down services (and demand ransom payments from companies in order to stop the attacks). Distributed computing power can also be used to mine cryptocurrencies such as Ethereum, Monero and Litecoin. One day, we might also see ransomware attacks targeting IoT. Such attacks would prevent you from using your appliances until you pay a ransom.
What IoT industry verticals present more vulnerabilities? Healthcare, Gas & Oil, Manufacturing, Connected cars…?
Critical infrastructure is definitely being targeted, but it is not being targeted by criminals: it is targeted by foreign governments. We’ve already seen examples of attacks against industrial systems used in critical infrastructure, and those attacks have been launched by hostile nations during times of crisis. That’s as close as we’ve been to a cyberwar, yet. Connected cars might be targeted by criminals. It would be easy to imagine self-driving cars becoming self-stealing cars…
How can we secure a connectivity environment that is growing at a rate of one billion devices every 10 years?
The vendors have the responsibility to make sure their devices are safe and secure. We can’t protect IoT devices in the traditional way; we will never be installing an antivirus program on our washing machines. So, the devices have to be built secure.
What is the future of security in IoT platforms?
If vendors don’t take the responsibility, they will be forced into it. Which would mean regulation. And nobody wants that. I believe we will see some kind of a voluntary self-certification system adopted by IoT vendors to increase customer trust.