New technologies such as Google Glass and IPv6 will lead to new, deadly forms of cyber attack if current manufacturing security practices continue, according to experts from Europol, Trend Micro and The International Cyber Security Protection Alliance (ICSPA).
The experts made the warning in a recently published Scenarios for the Future of Cyber Crime white paper. The paper explored what threats the experts expect to emerge in the next six and a half years and is the result of collaborative research between law enforcement, academia, governments and industry.
Trend Micro’s vice president of security research Rik Ferguson highlighted innovations moving us towards an “always-on society” as a key development leaving web users and businesses open to new forms of attack, during a press event attended by V3.
“The inevitable miniaturisation of technology, where Google Glass becomes Google Contact Lens and wearable tech means technology will eventually be embedded in everything we do and have – from your running shoes to your car, to any mobile devices that you carry around. For the more technically advanced younger generation we’re even beginning to talk about implants, so it won’t even be stuff you wear it’ll be stuff that’s with you all the time,” he said.
“Everything will be connected, everything will be running an operating system and everything will be directly addressable. Think about IPv6. Consider the fact you can fit the entirety of the IPv4 internet into one allocation block of IPv6 and it should give you an idea of the scale of things – everything is going to be rootable.”
ICSPA chief executive officer John Lyons said the interconnectedness of society could also leave users open to more dangerous attacks, with the potential to cause real world harm.
“At the moment cybercrime’s damage is fairly ephemeral: you lose money from your bank account, the bank gives it back to you and nobody cares. We’re going to see a development where some of these elements could actually cause real harm to citizens,” he said.
Lyons’ comments mirror widespread warnings within the security community about the danger of rushing new or unsuitable technologies online. Many security researchers have highlighted the government’s misguided decision to get critical infrastructure areas, such as power plants, outdated Scada systems online as proof of the claim. These warnings were given weight in 2011 with the emergence of Stuxnet, a malware designed to physically sabotage Iranian nuclear plants.
“I put a call out to ICT manufacturers for less reckless behaviour, throwing out products without properly testing them, without checking for vulnerabilities that could be secured and as a result starting to put people in danger. I know they are pressed by marketing requirements and what have you, but they could be doing an awful lot better,” he said.
Ferguson mirrored Lyons’ sentiment, arguing that lacklustre security testing will also offer traditional cyber criminals a new avenue for financial gain. “If you look at a lot of business the goal seems to be ‘release early, release often’. This means you address the vulnerabilities after release, as for them it’s about being first to market,” he said.
“They need to start addressing vulnerabilities during the manufacturing process, particularly when things like 4D printing become more widespread – things like 3D printed components that will then self assemble in some remote locations – here there’s a real opportunity for criminals to hijack systems and have them appear at another location.”
Europol assistant director and head of the European Cybercrime Centre (EC3) Troels Oerting added that law enforcement will need to rethink its current strategies to act at an international level if it hopes to protect businesses and citizens from the threats.
“The internet is probably one of the greatest things ever invented. It helps us in so many areas, but unfortunately it also makes crime much, much easier. My background as a Danish police officer from a small country that’s very peaceful with a population of 5.5 million and 12,000 police officers designed to provide a service to these people,” he said.
“But in cybercrime they’re not tasked to look at these 5.5 million people, but at 2.7 billion on the internet. For the first time the police cannot block people out using border control.”
Lyons supported Oerting’s claim, citing the new threats as proof of the need for more international collaboration.
“We wanted to look at what the challenges might be and how we can collaborate. Even in the EU, with its 28 states, we’re not co-ordinated, we’re all moving at different speeds. Law enforcement is more advanced in some countries when it comes to combating cybercrime. There’s an awful lot of good practice out there that we could share,” he said.
The ICSPA chief highlighted improving the world’s education as another key step, necessary to counter the increased threat. “If we don’t take citizens on this journey with us and help them understand what the threats are and what they can do about them with some very simple measures, they won’t change their behaviour,” he said.
“We need a campaign to make them more aware of what’s going on and a personal sense of responsibility for securing their own systems.”
The security experts also announced plans to launch the Project 2020 film series to help educate web users about the new dangers facing them. The nine-episode web series showcases the potential dangers listed in the white paper using a fictional narrative.
The white paper and web series are two of many initiatives designed to alert web users and businesses to the dangers facing them. Within Europe both the UK government and European Commission have listed improving the region’s cyber defences as key goals.
Cisco PIX 515E Firewall