2024 was the worst year on record for attempted cyber attacks, Rahul Tyagi, CEO and Founder of SECQAI told IoT Insider on the latest episode of IoT Unplugged, which raises a very serious question: what can be done to combat the rising tide of cyber attacks against a growing number of connected devices?
A couple of the reasons behind the increased number of cyber attacks, Tyagi explained, was due to growing geopolitical tensions causing attacks perpetrated by state threat actors, and a more interconnected world.
An infamous example speaking to the dangers of a more interconnected world was the Crowdstrike IT outage which brought banks, airports, and financial services, to name some of the affected critical infrastructure, to a grinding halt.
“Another one that comes to mind was the UK MoD supply chain attack that occurred,” said Tyagi. “That’s quite telling for us because there are a lot of organisations trying to be at the forefront of cyber and unfortunately even third party suppliers to our own ministry of defence are liable to these attack vectors.”
The attack in question saw hackers exploit vulnerabilities in the MoD’s IT system, causing a huge data breach that affected 270,000 personnel, reservists and veterans. The information that was stolen included identities and bank accounts. Tyagi said attacks like these should be “raising alarm bells”.
Challenges of connected devices
Organisations of all sizes are affected, from the UK’s MoD to SMEs, and the IoT industry in particular is interesting for how it is perceived.
“Most people when talking about IoT devices don’t see the need or the want from a cyber attacker to attack those devices,” Tyagi explained, “but if you can weaponise a set of IoT devices, you can do distributed denial-of-service attacks and that’s the thing we’re seeing actively going on.”
Back to the issue of connected devices, Tyagi said he saw manufacturers of these devices less aware of their attack surfaces and therefore less likely to consider the cyber vulnerabilities.
“I think that’s where there’s a difference between a large financial organisation that knows what the attack vectors are, versus a smaller player in the device space that may not necessarily consider why someone would try and attack a kettle or a fridge.”
Connected IoT devices are susceptible to cyber attacks because the manufacturer is responsible for integrating and updating systems once a device is online, to prevent exploits from occurring. “If that’s not done, then the software won’t be patched and there’ll be an exploit,” said Tyagi.
He recommended that manufacturers make use of Mitre’s Common Vulnerabilities and Exploits (CVE) database which lists known exploits for different devices.
“The further challenge is that when you’re doing an update to a system, you’re typically doing what’s called a firmware, or an over-the-air update. It’s a challenge for the biggest organisations all the way through to the smallest to do these updates. It doesn’t only impact the embedded devices in your house, but autonomous vehicles as well.”
As a result, Tyagi said they had been looking at integrating the firmware signing process with post-quantum signatures, “because we see the longevity of these IoT devices being longer than the five-year period that you would have in a server.”
Key recommendations
Tyagi’s recommendations for securing connected devices was split between the homeowner and the manufacturer: “For homeowners, the big thing is if you can password protect everything as much as possible with strong passwords … I don’t think it is something that the homeowner should be focused on. These things should be a default thing from the manufacturers’ side.
“When we go to the big manufacturers now, we automatically assume they’re going to be doing security updates and keeping our devices secure, even give us timelines for how long they’re going to secure that device for. I think that’s something that the IoT world needs to start thinking about.”
The full episode with Rahul Tyagi can be listened to here.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.
