It’s hard to know what the future will bring–unless you’re talking about online security. “We rarely see things that just sort of appear out of nowhere,” says Ryan Olson, intelligence director at enterprise security company Palo Alto Networks.
People will continue to be ill-prepared because the caution and vigilance—verging on paranoia—that are required to be safe online are not in most folks’ nature. “We are conditioned to be social, to collaborate,” says Geoff Webb, a VP at security firm Micro Focus, which specializes in preventing security breaches. “These are all good things . . . but they are absolutely, ruthlessly, and vigorously exploited by attackers.” Governments and marketers can exploit too, he warns.
We asked Olson, Webb, and Ondřej Vlček, COO of antivirus maker Avast, what new or growing dangers the public should watch out for in 2016. Three rose to the top: attacks on smartphones, ransomware that holds data or devices hostage, and leaks from new connected gadgets like TVs and home automation systems.
“It’s interesting to see how the bad guys are moving from the desktop environment, like the traditional viruses, the malware [malicious software] on Windows, or maybe on Mac,” says Vlček, “and more toward the mobile environment.” Mobile malware is progressing from isolated or theoretical to widespread and dangerous, especially on Apple’s iOS operating system, says Olson.
For example, Apple has opened up a program allowing corporations to create apps for their employees directly, without having to go through the App Store. Stealing or forging digital documents called certificates, which show that the app is from a trusted source, makes it easier to get malware onto devices. The danger has been around for a few years, says Olson, but it was first exploited in 2015 with a family of malware called WireLurker. Hackers are tricking phone owners on various platforms, too. For example, they offer apps or links to sites that promise ways to unlock new levels in games like Cut The Rope or Temple Run without paying, says Vlček. Clicking on mobile pop-up ads is a way to start downloads of these apps, says Olson.
A glance through security headlines in 2014 and 2015 turns up references to a boom in ransomware, including CryptoWall and CryptoLocker. These are forms of malware that infect PCs and Macs the way other baddies do, through bogus attachments or links or infected web pages. As with other malware, these attacks are also moving to mobile devices, says Olson. One of the earliest was SimpleLocker, which started to infect Android devices in 2014.
Rather than destroy or steal data, ransomware encrypts it, and then crooks demand payment to unlock the data. This is more innovative than an attack like stealing a credit card number, says Olson, because crooks don’t have to worry about anti-fraud measures that prevent them from using the card, nor do they have to go through the “cashing out” process of buying something with the stolen card info, having it shipped somewhere, and then selling it. These are all opportunities to get caught.
Instead, they ask for payment through the difficult-to-trace Bitcoin cryptocurrency. The crooks have to provide “customer service,” as Olson calls it, teaching victims how to set up and use Bitcoin. In 2016, he expects crooks to make more money by targeting really valuable files belonging to people and companies that can pay more. “I think what we’re going to see is ransomware that looks for file types that belong to really specialized software, he says. “They might be in a position where it’s worthwhile for a company to pay 50 grand to get back those files.”
The Internet of Things (IoT) includes the profusion of gadgets and machines connected to the digital world—fitness bands, smart TVs, baby monitors, smart thermostats, connected cars, and much more. “That means that the attack surface of our lives is growing extremely rapidly,” says Webb, using a popular piece of lingo among security pros. “Many of the companies and engineers don’t really think about security,” says Vlček. Data, for example, is often transmitted without any encryption, making it easy to steal or fiddle with.
A string of vulnerabilities in the routers and other hardware that move web traffic increases the risk. “The security situation with [home] routers is actually pretty bad,” says Vlček, noting that 2015 saw by far the most attacks on routers. These devices are often left in the factory setup with default usernames and passwords that anyone can look up online. Like all online devices, routers have security flaws that emerge, requiring patches to their operating programs, called firmware. “Most of the companies do a relatively good job of . . . patching the vulnerabilities,” says Vlček. “But the problem is that no one updates the firmware in the routers. The user doesn’t at all, and usually the ISP doesn’t either.”
Just what attackers will do with this access isn’t clear. “We are in the phase where attackers are kind of playing with these devices instead of posing a real threat,” says Vlček. But nightmare scenarios are plenty. In summer 2015, hardware hackers Charlie Miller and Chris Valasek found and publicized a vulnerability in Chrysler-Fiat’s Uconnect system that allowed them to get into a Jeep’s onboard entertainment system over the Internet, and from there, control critical components such as the accelerator, brakes, and transmission—a vulnerability that Vlček calls ludicrous. It gets even scarier with self-driving cars, though not yet, says Olson. “I don’t expect there to be an army of self-driving cars [in 2016] that are taken over by attackers,” he says. “That’s probably 10 years away.”
Webb worries more about the loss of privacy with the IoT. “It’s like painting a picture with little dots of information,” he says. “Some of that is lightbulbs going on and off in your house. Some of it is, where is your car, and some of it is where is your phone. It’s, is your TV on right now? And some of it is, what’s happening at your front door? And, what is your fridge saying?” Even if all this information is anonymized (which Webb fears it won’t be), it starts to build an identifiable profile of a person, a body of metadata analogous to that collected by the NSA from phone call records, but far more extensive, says Webb. He admits not having a clear prediction of what will happen with the data, but he expresses suspicion of both marketers and governments.
The challenge with the IoT, and all online services, is that it’s so appealing to feed them data in exchange for convenience. “The world is going to respond to you in a way that is incredibly centered around your needs and desires,” Webb says. “[Online services] will just know when to order a pizza, because you usually order pizza after you go to the gym, and you’ve been there three times this week. This is just awesome. The challenge, the downside of that is, you gain a lot of value, but you lose a lot of control over information about yourself.”