Interpol last week held a simulated training exercise for global investigators designed to help overcome Internet of Things (IoT) skills shortages.
The international police organization’s annual Digital Security Challenge saw 43 cybercrime investigators and digital forensics experts from 23 countries face a simulated cyber-attack on a bank launched through an IoT device.
During the course of the simulation, investigators found that the malware was sent in an email attachment via a hacked webcam, and not direct from a computer.
Interpol claimed this is an increasingly popular tactic designed to obfuscate the source of attacks, but warned that police may not have the skills to forensically examine IoT devices.
“The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation,” said Noboru, Nakatani, executive director of the Interpol Global Complex for Innovation.
“A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyber-attacks.”
The first two Digital Security Challenge exercises in 2016 and 2017 simulated cyber-blackmail involving Bitcoin and a ransomware attack, so the new focus on IoT is reflective of the changing nature of threats.
Last week, Trend Micro claimed in its 2017 roundup report that IoT devices are increasingly being “zombified” to mine crypto-currency and launch cyber-attacks like DDoS.
Hackers can target exposed IoT endpoints to infiltrate corporate networks, conscript into botnets or even interfere with critical infrastructure.
However, nearly half (49%) of all IoT “events” observed by the security vendor last year — amounting to a total of 45.6 million — involved crypto-currency mining.
Adam Brown, security solutions manager at Synopsys, argued that IoT attacks will continue until firmware flaws are addressed.
“Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future,” he added.
"I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber-safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.”