The Internet of Things (IoT) and smartphones will continue to be under attack in 2015 as cyber criminals find ways to exploit more devices, according to cyber security experts.
Symantec Pacific region vice president and managing director, Brenton Smith, said the vendor is anticipating that consumer devices such as CCTV cameras and remote access controls for alarms, lighting and climate control systems will be under attack.
“While embedded and small devices continue to become more prevalent, unfortunately not many of these devices are deployed with Internet security in mind. These devices tend to have limited memory and system resources,” he said.
Smith added that there is now an online search engine that allows people to search for Internet-enabled devices ranging from cameras to home heating systems.
“Although the search engine does not reveal vulnerabilities, it makes it easier for IoT devices to be found, which cyber criminals can target and exploit. Insecam.com was broadcasting feeds from CCTV or IP cameras all over the world, including 900 cameras from Australia,” he said.
However, Smith is not anticipating any large-scale attacks that leverage IoT, but rather one-off attacks against connected devices.
According to Websense director of product marketing, Bob Hansmann, IoT attacks will focus on business use cases rather than consumer products.
“There will be at least one major breach of an organisation via a newly introduced Internet-connected device, most likely through a programmable logic controller, or similar connected device in a manufacturing environment,” he said.
According to Hansmann, targeting consumers who have IoT devices is “easy to do” but the data is not as valuable as company records or corporate intellectual property.
“I would need to hit one thousand homes to get the same data I could harvest from one business,” he said.
“More and more companies are putting products that are Wi-Fi related like the lights, heating and air conditioner. I could do something to disrupt all air conditioning services and shut that building down.”
For example, these attacks are likely to attempt to use control of a simple connected device to move within an organisation to steal valuable data, said Hansmann.
Turning to mobile cybercrime, Kaspersky Lab Australia and New Zealand product specialist, Daniel Kadane, said smartphones remain an evolving security problem.
Analysis of spam by the vendor shows a three-fold increase in mobile banking Trojans during 2014.
“We’re likely to see quite a large growth in malware targeting Mac OS X and iOS. With an increasing user base, criminals have more to gain as the time and effort required to attack these platforms becomes more profitable for cyber criminals. As with all things relating to cybercrime, when the economy of scale becomes worthwhile, cyber criminals will shift their focus accordingly.”
He added that Kaspersky Lab has noticed seasonal declines of advertising spam during non-holiday periods, and an increase in the number of phishing attacks which appear to come from social networks or financial organisations.
“The recurring trends into the new year will present fluctuations between a focus on advertising spam based on seasonal holidays and events, towards a focus on phishing scams outside of the traditional holiday periods,” said Kadane.
Symantec has also forecast that mobile devices will become even more attractive targets for cyber criminals due to the rise of mobile payments.
“Should Apple Pay and other mobile payment options take off, attackers are likely to rigorously test the security in place around near field communications [NFC] payments,” said Brenton Smith.
In addition, he said that some users will continue to trade their privacy in exchange for mobile apps. While many Internet users are reluctant to share banking and personal information online, others are willing to share information about their location in exchange for apps.
With the auto-login capability of mobile apps, smartphones will be targeted for broader credential-stealing or authentication attacks to be used at a later date, said Hansmann.
“These attacks will use the phone as an access point to the increasing cloud-based enterprise applications and data resources that the devices can freely access.”
This potentially means that cyber criminals could access people’s emails or other sensitive data.
Follow Hamish Barwick on Twitter: @HamishBarwick