Internet of Things
Mikko Hyppönen on the Dark Side of IoT Devices
Smart devices are everywhere, but according to F-Secure chief research officer Mikko Hyppönen, they are an ever-growing cybersecurity threat that we’ll come to regret deeply. Robert Scammell finds out more
The proliferation of “stupid” internet-connected smart devices will be the “IT asbestos of the future”, cybersecurity expert Mikko Hyppönen has warned.
“Asbestos was such a great innovation. It looked like a miracle material, originally,” explained Hyppönen, chief research officer at Finnish cybersecurity firm F-Secure.
“Cheap, easy to manufacture, perfect in every way. You can mould it into any shape you want, it’s great for insulation. It’s great for fireproofing. And it’s also lethal.”
Hyppönen draws parallels between the rampant use of cancer-causing asbestos in the 1960s and 1970s to the cybersecurity risks that come with the explosion of smart devices worldwide today.
“Such a great innovation, which then decades later turned out to be the worst innovation,” he said, speaking to press at F-Secure’s headquarters in Helsinki.
According to IoT Analytics, there are currently seven billion internet of things devices worldwide. Forecasts vary, but the consensus is the number will grow exponentially over the coming years, with some estimates as high as 40 billion connected IoT devices by 2025.
Security in IoT devices has repeatedly been shown to be lacking: from a vulnerable child location-tracking watch to office printers at risk to Russian cyberattacks.
Often, this is as simple as device owners failing to change the password from a weak factory setting. In the race to get products to market ahead of competitors, security is also often an afterthought.
The ever-growing number of IoT devices, in combination with this lax security, is a perfect storm for cyberattacks.
“What’s happening right now, around us, I guess would be characterised as IT asbestos,” said Hyppönen.
The IoT revolution
Hyppönen explained that while the internet revolution brought every computer online, the IoT revolution is “taking everything else online”.
We are currently in the early stages of this revolution, said Hyppönen, but eventually “anything that uses electricity will be online”.
And when being offline is no longer an option, the internet will become so pervasive that we won’t even notice it. Or, as Hyppönen puts it: the internet will be “as natural as air”.
This means that everything will become a computer. And that’s where it gets dangerous.
“As connectivity becomes cheaper and cheaper, eventually, it’s not going to be just smart things going online, it’s going to be stupid things,” explains Hyppönen. “And I’m actually much more worried about stupid things online than smart things.”
He gives the example of smart toasters and fridges – “things consumers don’t really need to be online”.
For tech company’s this data will be valuable – the time you toast, your favourite settings, how many people are making toast around the world, the country that makes the most toast, and so on. But there is an asymmetry in value for the consumer and for the company. And when the security risks are factored in, it becomes a pretty bad deal for consumers.
According to the Hyppönen Law, if an IoT device is ‘smart’, it’s vulnerable. F-Secure has seen evidence that this is already becoming a problem. Recently, the firm noted for the first time that Linux – the most commonly used operating system for IoT devices – was the most common operating system filling its honeypots (a method to detect cyberattacks in a separate virtual environment).
“When you look at the actual infections, it’s all IoT, Linux models. So these are worms and bots, which infect IoT devices running the Linux kernel.”
F-Secure also noticed a resurgence of Telnet among IoT devices, an unencrypted terminal protocol that hasn’t been seen since the 1990s, suggesting that IoT propagation is bringing old security problems back from the dead.
“So this is going to happen, whether we like it or not. Everything will become a computer,” said Hyppönen. “And right now this seems like an excellent idea, to many of the companies in this business.
“And it’s not the first time, technology taking us to the wrong direction. So I think this is dangerous. It’s very dangerous for our privacy. It’s dangerous for our security.
“This is going to be the IT asbestos of the future. This is what our kids will hate us for.”