Mikko Hypponen has intercepted and averted some of the biggest cyberattacks in history. If anyone can predict where the threats will come from in the age of the IoT, it's him. At the CeBIT Global Conferences today, the Chief Research Officer at F-Secure showed how easy it is to wreak havoc – and explained why he is worried about what the coming years will bring.
There have been a number of successful cyberattacks reported over the last few months. To the average citizen, these were reflected in falling stock prices – or in an embarrassment that led to the boss suddenly having to step down. But what financial damage do hackers actually cause when they steal data? According to Hypponen, last year’s Yahoo hack gave some indication; the search engine provider’s value fell by 350 million US dollars.
As a general rule, hackers sell the stolen account data to the highest bidder, explains the security expert. The question is why third parties are so willing to pay millions of dollars for it. Hypponen uses the example of LinkedIn: "In 2012, cyber criminals downloaded 130 million datasets, including email address and passwords." Around one in ten was linked to a Google account – and 10 percent of these shared a password with LinkedIn. So hackers accessed 1.3 million Google accounts that served as login portals for a variety of web services. In this way, they were also able to use strangers' identities to make purchases on the likes of Amazon.
But how do cyber attackers steal data from enterprise networks? "Hackers commonly target staff in human resources," says Hypponen. HR employees constantly receive applications by email – with CVs attached as word documents. These can contain malware, which is activated with a single click on "Enable Content". "They might as well just write 'Infect My System' on the button," quips Hypponen. Once the malware is active, hackers can quite easily access more of the company's systems and download data from there. Or they can use ransomware to encrypt the data, demanding the organization pay them to reverse the encryption. Cyber criminals do not yet have a benchmark for what to charge their victims for decryption. However, this is set to change next year when a new GDPR regulation comes into effect. The ruling will see EU companies fined four percent of their global revenue if they are hacked and have not done enough to prevent it.
"Ransomware that kindly offers to decrypt the data for free is a particularly clever trick," states Hypponen. "Instead of paying a sum of money, the company just has to infect the systems of two other organizations." This triggers a classic pyramid scheme with a greater payoff in the end.
Mikko Hypponen expects the age of the IoT to bring up two major issues. Firstly: naïveté amongst people. For the most part, hackers don't even need to hack at all; they can acquire administrative rights to a system just because it still uses the default password. "People simply don't bother with security. Who wants to flick through an instruction booklet to find out how to change security settings?" The issue will only escalate as more and more things become connected – from thermostats to washing machines. "All it takes is one vulnerable device for a hacker to gain access. Cyber criminals might soon be able to hack an entire smart home because the connected coffee machine isn't well enough protected." Manufacturers are unlikely to strive for greater security as the cost would allegedly outweigh the payback.
The second problem is governments. "What we are experiencing now is essentially the next arms race," claims Hypponen. The difference is that in physical warfare, you had a good idea how powerful a country was; this isn't the case with cyberwar. "Who knows what damage Germany could do in a cyberattack? And what about Vietnam?" Moreover, without the immediate threat of physical weaponry, the deterrent that stopped the Cold War from turning hot no longer exists.
For many, the term "cyberwar" might sound overly dramatic – after all, it's only data we're talking about here. But that's where you'd be mistaken: "More and more soldiers are being killed because an enemy has hacked into their smartphone to reveal their location and direct missiles right at them." This is a very real war – and we need to be prepared for it.
Cybersecurity is today's topic of focus at the CeBIT Global Conferences . Find out more – in Hall 8.