By: Vladimir Dashchenko, security evangelist at Kaspersky

Researchers estimate the number of IoT devices will be more than 13 billion in 2022. This figure is predicted to grow remarkably further. Since an average IoT gadget contains 25 vulnerabilities, it gives a huge attack surface for perpetrators, which led many cybersecurity researchers not to sleep too well at night. First signs of the upcoming cyber “decuman wave” are already here – gigantic botnets, pandemic bugs, and so on. Vladimir Dashchenko, security evangelist at Kaspersky, ponders about the future of IoT security in the coming year.

Demand for initial access to IoT devices

To begin with, there will be a greater demand for IoT vulnerabilities from cyber criminals. The underground black market will be offering and demanding vulnerabilities like Remote Code Execution and Local Privilege Escalation in various smart/IoT devices, especially those which has direct internet access (cameras, routers, etc.). This boosts underground vulnerability research and exploits broker businesses. Besides DDoS botnets and initial access vectors into internal networks, these smart/IoT devices can be used as proxy servers for cyber criminals to pivot network traffic through the compromised devices.

In addition, initial access brokerage will highly likely be on the rise in the nearest future. A large proportion of the initial accesses leading to incidents comes from remote access and management, and one of the most popular ways to acquire these credentials is to buy them on the Darknet from initial access brokers. Usually, those credentials are gathered from infected devices: the more attacks there are on IoT, the higher the possibility that attackers will be providing access to these devices as a first entry point to corporate networks via Darknet.

Emerging online-to-offline cybercriminal services

Online-to-offline cybercriminal services might emerge, as this could be an additional way of monetization of assets that attackers have already acquired. For instance, a botnet based on video surveillance near banks or shops can be a spy service for “classical” criminals, such as thieves. Therefore, security services and products become increasingly important because they help to stop the spreading of stolen information.

Unauthorized sharing of sensitive data from devices with third parties

IoT devices are already a piece of cake for state-sponsored attackers or shady-marketing platforms, as they gather sensitive personal data such as biometry, which can also be handed to third parties for advertising or espionage purposes. Moreover, turbulent geopolitical times also turn IIoT (Industrial Internet of Things) into a target of state-sponsored threat actors, as it allows them to conduct attacks on industrial organizations, disrupting technological processes, safety systems, and so on.

IoT cyberattacks lead to actual physical damage

IIoT cyber threats, among other things, can include threats to human life since any external intervention in industrial processes may possibly lead to cyber-physical damage – when a cyber-attack causes physical damage, which might affect humans. Consider enterprises from oil and gas, chemical and other industries, where there is a high probability of leakage of explosive, toxic and other gases. Special gas monitoring systems are used in companies like these to monitor working areas for gas contamination to spot the emergency on time. These systems immediately notify staff responsible for safety and all personnel in the danger zone. But these smart systems are vulnerable to remote control as well, and might be a target of hacktivists or cyberterrorists, especially amidst volatile political climate we observe now across many countries. If safety alerts are modified during an attack, this can lead to catastrophic consequences, affect people’s lives. Perhaps in the near future we will see more cybercriminals targeting smart/IoT/IIoT gadgets not only to get direct financial profit, but also to cause (physical) damage, conduct intelligence or spy campaigns and, probably, create new areas of cybercrime.

IoT-focused APT and IoT-brokers to be a hot research topic

The hottest topics for security researchers will be IoT-focused APT, IoT brokers, and IoT clouds. Concerning the first topic, detection of such APTs will be extremely difficult since there are no existing unified technologies to monitor malicious behavior on endpoints. IoT brokers and IoT clouds will be also a hot topic for security research being a possible point of failure for a big group of smart/IoT devices.

Cyber immunity in IoT as a proactive way of protection

The main problem for IoT devices, with their availability and a huge amount of data, is that usually they are secured reactively – in other words, when they are already compromised. Now experts across the world are creating proactive ways of protection, such as secure by design architecture principles, security development standards and vulnerability testing programs. The increasing number of incidents is speeding up the process. Today IoT cybersecurity regulation doesn’t only concern security standards but also employs best practices such as cyber immunity approach.

Cyber immunity is a modern concept in cybersecurity when a device is built with a strict limitation of functionality, based on high-security standards, and using secure coding practices. We are following this concept by creating KasperskyOS, but there are other examples.

Various smart devices are used in completely different spheres, making our life easier and more convenient - whether it's smart vacuum cleaners for home or advanced monitoring systems in large corporations. The IoT threat landscape is evolving as rapidly as gadgets infiltrate the daily routine - making this segment of cybersecurity especially relevant on the eve of 2023. The good news is that we are now at the ideal moment to reverse this process with research and advanced security tools, making IoT threats much less dangerous or eradicating them altogether.