Aside from obvious risk factors, many not-so-obvious vectors need to be addressed, according to two experts.

With more smart devices than ever getting onto the internet, what will the next year bring in terms of economic benefits and cyber risks?

Compounding the complexity of threats is the major impact of geopolitical and climate-change agendas.

Offering their views on the matter to CybersecAsia.net readers are two experts from Check Point: Miri Ofir, Research and Development Director; and Gili Yankovitch, Technology Leader (software).

Cyber threats targeted at IoT

According to Ofir and Yankovitch, countries like Russia, China, North Korea and Iran have advanced cyberattack capabilities that nevertheless can be tracked. An example of this type of campaign is a supply chain attack. In 2024, the two experts foresee the IoT as a highly targeted sector that will be prone to supply chain attacks. The rapid proliferation of these devices, often in the absence of robust security measures, means a vast expansion of potential vulnerabilities. “Malicious actors will try to exploit IoT weak points to gain unauthorized access, steal data, or launch attacks,” Ofir and Yankovitch feel.

On the industry front, IoT manufacturers are already facing evolving regulation and control in two ways:

    • Mandatory regulations to help firms manage Software and Hardware Bills of Materials (SBOM) and verify that their products will go to market with some basic cybersecurity protection. SBOMs will help manufacturers get a better understanding of the components inside of their products and maintain them through patches and other mitigations.
    • Initiatives to regain trust in the technology through labeling programs such as the US Cyber Trust Mark, which aims to provide clarity about privacy and security risks in the product and to allow educated users to select safer products.

Despite the increased regulatory oversight, 2024 also presents a business opportunity for manufacturers. For example, the US sanctions on China are not only financially motivated; the Americans see China as a national security concern and the new sanctions will push major competitors out of the market. Manufacturers can substantially strengthen the cybersecurity of their products to capture more customer trust, said the two experts.

Known and little-known IoT risks

According to Ofir and Yankovitch, the three risk vectors of IoT are:

    1. Weak login credentials: Although manufacturers take such credentials much more seriously these days than previously, weak/leaked credentials still plague the IoT world because many legacy devices are already deployed in the field, still with easily cracked login credentials. One such example is the famous Mirai botnet that continues to plague the internet in search of devices with known credentials.
    2. Command injection: Due to performance constraints, developers sometimes take “shortcuts” when implementing the devices’ software. Such shortcuts can leave a gaping security hole for attackers. These developer actions can be completed in a “safer” way, but this will take longer to implement and change. In 2024, expect to see more cases of command weaknesses being used as entry points for attackers.
    3. Vulnerabilities in third-party components: IoT devices are usually not built from scratch by the same vendor, and can contain third-party code (usually open source) as part of their system software. Although these software components are actively maintained and researched, new vulnerabilities are discovered all the time, at a rate faster than manufacturers’ software update cycles can handle. This causes devices to remain unpatched for a very long time, even for years.

However, the less obvious risks to be addressed in 2024 are:

    • IoT devices require autonomous security features
      Unlike endpoints and servers, IoT devices are physical devices that can be spread across a large geographical landscape. These are usually fire-and-forget solutions that are monitored in real time (at best) or once-a-month (or worse). When attention to these software components is that low, the devices need to be able to protect themselves rather than wait for human interventions.
    • Detecting an intrusion is already too late
      Attacks on IoT devices are fairly technical, in contrast to things such as the ransomware that we see on endpoints. Usually, detection security controls will only allow for the operator to reboot the device at best. Instead, the less prevalent approach is prevention, which can take care of the threat entirely from the system. This way, not only is mitigation immediate, it is also appropriate and reactive, in accordance with each threat and attack a system faces.
    • The mentality of “if it isn’t broken, leave it alone”
      The most common security mistakes that Ofir and Yankovitch find in firmware are usually things that “technically work” so developers will have left them unmonitored for a while. For example, outdated libraries/packages and servers all start “growing” CVEs over time. They technically still function, so no one bothers to update them, but when the day comes, an outdated server can and will be the point of entry in 2024 and beyond.
    • When private keys lose their value due to unnecessary accessibility
      “A common thing we see is private keys exposed in firmware, that are available for download online. Private keys that are supposed to hold some cryptographically strong value. However, if they are available for anyone who anonymously downloads the firmware for free, the keys no longer hold a cryptographically strong value,” the two experts reiterated, alluding to possible exploits in the year ahead.

In highlighting their industry observations and trend predictions, both experts recommend that in 2024 manufacturers treat IoT device firmware with an abundance of vigilance in three ways:

    • Extraction: This is a huge, unsolved problem. Firmware extraction is not a flawless process. It is important to verify the results, extract any missed items, create custom plugins for unsupported file types, remove duplicates, and detect failed extractions.
    • Analysis: Proper software design is key. A security expert is often required to assess the risk, impact and likeliness of exploit for a discovered vulnerability. The security posture depends on the setup and working of the IoT device itself.
    • Report: After firmware analysis is performed properly, developers can end up with a lot of actionable data. It is critical to use this valuable data to improve the device’s security posture.
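
An added example, not code from Check Point or the two experts: a minimal Python pass over an already-extracted firmware tree that flags PEM private-key headers (the exposed-key problem described above) and covers two of the extraction checks listed, duplicate detection by SHA-256 and empty files as an assumed sign of a failed extraction. The function names and the sample file layout are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PEM header of a private key (RSA, EC, DSA, OPENSSH, ENCRYPTED or plain PKCS#8).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


def audit_firmware_tree(root):
    """Walk an extracted firmware tree; report findings as relative paths."""
    findings = {"private_keys": [], "duplicates": [], "empty": []}
    seen = {}  # SHA-256 digest -> first path with that content
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories, symlinks and device nodes
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if not data:
            findings["empty"].append(rel)  # assumed sign of a failed extraction
            continue
        if PEM_PRIVATE_KEY.search(data):
            findings["private_keys"].append(rel)
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            findings["duplicates"].append((rel, seen[digest]))
        else:
            seen[digest] = rel
    return findings


def demo():
    """Run the audit over a constructed sample tree (placeholder contents)."""
    files = {
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n",
        "etc/ssl/device.crt": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n",
        "usr/bin/httpd": b"\x7fELF" + b"\x00" * 16,
        "usr/sbin/httpd": b"\x7fELF" + b"\x00" * 16,
        "lib/libfoo.so": b"",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return audit_firmware_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run against a vendor's own release image before publication, any entry under `private_keys` is a key that every downloader of that firmware would also hold.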

CybersecAsia thanks Miri Ofir and Gili Yankovitch for sharing their IoT cybersecurity insights and foresights with readers.

Miri Ofir, Research and Development Director, Check Point Software Technologies, Ltd.
Gili Yankovitch, Technology Leader (software), Check Point Software Technologies, Ltd.