NEWS ANALYSIS: Black Hat 2015 showed that the Internet of things will massively increase the opportunity for cyber-attacks and that code analysis offers the best hope for detecting the latest exploits.
LAS VEGAS—Black Hat 2015 showed that security technology is better, smarter and faster than ever before, but still one step or more behind the bad guys.
If one step doesn't seem like a lot, it is. There are up to 500,000 "malware events" happening every day. Security companies like Trend Micro are collecting hundreds of terabytes of exploit and attack data per day. What they are doing with that data is promising, but scaling threat detection systems is difficult and the threat landscape is constantly shifting.
Hacks are so commonplace that last Thursday's news of a breach of the Pentagon's email system barely registered among the vendors and attendees at the annual gathering here. Admittedly, what's one more government hack after the massive OPM breach? But the method, allegedly an email phishing scheme, shows once again that every link in the security chain has to be accountable, and that enterprises need to be better prepared from a policy and training perspective.
Here are some more numbers that highlight the scale of the security challenge. More than 50 billion devices will be connected to the Internet by 2020. Each house will have hundreds of devices connected to the Internet by 2020, according to Cognosec.
IoT device proliferation is the result of a wave of innovation across many industries, and spurred by demand for ways to automate everything in daily life. What those numbers really mean is there will be billions more access points for attackers to infiltrate systems.
Cognosec's team of Sebastian Strobl and Tobias Zillner gave a Black Hat presentation on how ZigBee, a wireless communication protocol for connected devices, can be fairly easily compromised through weak network security key mechanisms.
They tested their exploits on home automation systems, including door locks. The problem isn't only with ZigBee, they said, but with device vendors who don't implement security very well, or at all, in the name of usability and time to market. Device vendors "are not IT companies, and not experienced in data security," said Strobl.
Other Black Hat sessions dissected exploits of a variety of devices, including cars and even a high-end, "Linux-powered" precision-guided rifle.
Businesses shouldn't feel comfortable that IoT threats are confined to the home, said Norse Senior Data Scientist Mary Landesman. They are everybody's problem. "Where's the line between home and office when it comes to IoT? That smart fridge is as likely to end up in a break room of a company as it is in somebody's kitchen," she said in an interview. "IoT could be anywhere, anytime. That's the point that people who talk about IoT minimize, because that's a 'home user' issue."
So, as has been asked many times before, what is to be done? That's a good question, because as always with cyber-security, there's a high level of mistrust between vendors, government, researchers and everyday citizens, along with a lot of disagreement about what needs to be done.