The proliferation of “stupid” internet-connected smart devices will be the “IT asbestos of the future”, cybersecurity expert Mikko Hyppönen has warned.

“Asbestos was such a great innovation. It looked like a miracle material, originally,” explained Hyppönen, chief research officer at Finnish cybersecurity firm F-Secure.


“Cheap, easy to manufacture, perfect in every way. You can mould it into any shape you want, it’s great for insulation. It’s great for fireproofing. And it’s also lethal.”


Hyppönen draws parallels between the rampant use of cancer-causing asbestos in the 1960s and 1970s to the cybersecurity risks that come with the explosion of smart devices worldwide today.


“Such a great innovation, which then decades later turned out to be the worst innovation,” he said, speaking to press at F-Secure’s headquarters in Helsinki.


According to IoT Analytics, there are currently seven billion internet of things devices worldwide. Forecasts vary, but the consensus is the number will grow exponentially over the coming years, with some estimates as high as 40 billion connected IoT devices by 2025.


Security in IoT devices has repeatedly been shown to be lacking: from a vulnerable child location-tracking watch to office printers at risk to Russian cyberattacks.


Often, this is as simple as device owners failing to change the password from a weak factory setting. In the race to get products to market ahead of competitors, security is also often an afterthought.


The ever-growing number of IoT devices, in combination with this lax security, is a perfect storm for cyberattacks.


“What’s happening right now, around us, I guess would be characterised as IT asbestos,” said Hyppönen.

The IoT revolution

Hyppönen explained that while the internet revolution brought every computer online, the IoT revolution is “taking everything else online”.


We are currently in the early stages of this revolution, said Hyppönen, but eventually “anything that uses electricity will be online”.


And when being offline is no longer an option, the internet will become so pervasive that we won’t even notice it. Or, as Hyppönen puts it: the internet will be “as natural as air”.


This means that everything will become a computer. And that’s where it gets dangerous.


“As connectivity becomes cheaper and cheaper, eventually, it’s not going to be just smart things going online, it’s going to be stupid things,” explains Hyppönen. “And I’m actually much more worried about stupid things online than smart things.”


He gives the example of smart toasters and fridges – “things consumers don’t really need to be online”.


For tech company’s this data will be valuable – the time you toast, your favourite settings, how many people are making toast around the world, the country that makes the most toast, and so on. But there is an asymmetry in value for the consumer and for the company. And when the security risks are factored in, it becomes a pretty bad deal for consumers.

Hyppönen’s Law

According to the Hyppönen Law, if an IoT device is ‘smart’, it’s vulnerable. F-Secure has seen evidence that this is already becoming a problem. Recently, the firm noted for the first time that Linux – the most commonly used operating system for IoT devices – was the most common operating system filling its honeypots (a method to detect cyberattacks in a separate virtual environment).


“When you look at the actual infections, it’s all IoT, Linux models. So these are worms and bots, which infect IoT devices running the Linux kernel.”


F-Secure also noticed a resurgence of Telnet among IoT devices, an unencrypted terminal protocol that hasn’t been seen since the 1990s, suggesting that IoT propagation is bringing old security problems back from the dead.


“So this is going to happen, whether we like it or not. Everything will become a computer,” said Hyppönen. “And right now this seems like an excellent idea, to many of the companies in this business.


“And it’s not the first time, technology taking us to the wrong direction. So I think this is dangerous. It’s very dangerous for our privacy. It’s dangerous for our security.


“This is going to be the IT asbestos of the future. This is what our kids will hate us for.”

Main image courtesy of Ministerio de Cultura de la Nación Argentina

Share this article

Go to article: Home | 2020's Biggest ThreatGo to article: ContentsGo to article: From the editorGo to article: The briefing on cybersecurityGo to article: Silent Starling: Pioneering Vendor Email Compromise, 2020’s “Biggest Financial Threat”Go to article: TECHWAN SAGo to article: The Evolution of RansomwareGo to article: From the InfluencersGo to article: Edward Snowden: “The problem isn't data protection; the problem is data collection.”Go to article: PhonexiaGo to article: Mending Leaky Buckets: Overcoming the Unsecured Cloud Server CrisisGo to article: Five Tips for Staying Safe in the CloudGo to article: TradogramGo to article: “IT Asbestos”: Mikko Hyppönen on the Dark Side of IoT DevicesGo to article: When Insider Threat Bites: A Lesson from Trend MicroGo to article: International Security Expo 2019Go to article: How the Threat of Hacking Looms Over the 2020 ElectionGo to article: Reflections of a Red Teamer: Tom Van de WieleGo to article: The Price of Data on the Dark WebGo to article: Applying AI to Cybersecurity: The View from HuaweiGo to article: Duo Security’s Dug Song on Cisco, Cybersecurity and SkateboardingGo to article: Dark Times Ahead as Cybercriminals Target Power GridsGo to article: Deals in BriefGo to article: Cybersecurity EventsGo to article: In the next issue