Cybersecurity is a constant game of cat-and-mouse — with every security improvement and criminal crackdown, there is a corresponding evolution in attacker methods and techniques.
One of the best ways to gain insights into these evolving tactics is to follow the hacking announcements that come out each year at the Black Hat and DEF CON security conferences. These twin hacker cons, which take place in August this year, are a bellwether of sorts for the information security field. They cover a vast range of new hacking research and tend to be a good predictor of the new trends emerging in the hacker and cybercrime communities.
Right now, there are three big trends to watch:
Mobile has moved up the target list
Mobile devices have been on the hacker’s radar for a while, but they weren’t especially important — until now.
Smartphones are now the central hub for so many things: banking, retail transactions, two-factor authentication, biometric authentication, Internet of Things access/control (plus cars, too), personal health, etc. And this list seems to grow by the day. As these devices take on more responsibility and control in a user’s life, they also become more important for the hacker.
In order to continue their illicit operations, hackers now increasingly have to gain access to these devices. For instance, one of the most traditional areas of cybercrime is the bank account takeover. However, as more users are now protecting their online accounts with two-factor authentication — typified by a one-time passcode texted to the user — the criminal will be thwarted unless he/she is able to intercept the person’s SMS messages.
This makes the smartphone a critical technology for hackers. In a nutshell, smartphones are the new computing platform which hackers must gain access to in order to remain relevant.
In recent years, the most common method of attack has been a fairly simple one — planting fake apps in third-party app stores and waiting for people to install the malware themselves. But that is about to change. Hackers are developing a number of clever new ways to target these devices, particularly through back-end networks and services. As the talks at Black Hat will show — this year, there are over a dozen presentations on new mobile threats — hackers are pursuing a wide range of other tactics such as attacking apps to LTE, baseband, MDM, mobile operating systems like iOS and Android, mobile point-of-sale systems, cellular networks, malware, and more.
It is far more challenging to defend against these back-end attacks, and this means businesses and individuals will be compromised without even knowing it.
The Internet of (vulnerable) Things
Most of the time, when we hear about the hacking threats to smart/connected devices in the home, we immediately revert to fears of invasive spying inside our private lives — i.e., a hacked baby monitor. But in actuality, the most likely threat to these devices comes from moneymaking malware.
For hackers, the growth of IoT devices in the home and office is a wonderful revenue opportunity for certain types of malware (one of the first comprehensive studies of IoT malware will be presented at Black Hat). There are a few reasons for this: IoT devices often roll off the assembly line with weak (if any) built-in security. Security updates are sporadic if they happen at all. (While large brands like Google may be better at doing this, smaller manufacturers aren’t. Also, if the user is responsible for running the update, it likely won’t be done.) These devices also exist at the periphery of the network, which means people and businesses often overlook them.
Recent campaigns like Mirai have taken advantage of this to spread botnet malware to IoT devices. But a much more profitable scheme is to infect them with crypto-mining malware (also known as “crypto-jacking”). By hijacking the devices’ processing power, cybercriminals can basically use them to print their own money. Many view crypto-mining malware as a nuisance, rather than a real threat. After all, it isn’t trying to steal information, it just “junks up” the devices, and slows them down, degrading their performance over time. But this is the wrong POV to take.
Malware that implants itself in a networked device can be used as a backdoor to launch other attacks down the road. In fact, many professionally designed malware kits and exploit kits today come with adaptable features that allow for buyers to add in new payloads later on, which changes the very nature and performance of the malware. So what is today a simple crypto-mining implant could months later deploy ransomware or wiper code (see how a malvertising campaign reverted to ransomware), or even be used to spread info-stealing worms across the broader computer network.
Audio hacking is now a thing
Another big change coming to the hacker world is the rise of voice-based attacks.
Voice biometrics are currently used by many financial institutions (ex: HSBC’s Voice ID) to verify customers. Additionally, voice-based authentication and control are used by an increasing number of devices and services from mobile phones to IoT products. Even some computer operating systems provide voice biometrics as an option for user access. At the same time, smart speakers are growing in popularity and are now widely found in homes and workplaces. As these devices are connected to the user’s larger network, they offer a convenient beachhead for an attacker.
For cybercriminals, the rise of voice-based services offers an enticing target. If the attacker can clone or spoof the victim’s voice, he/she can gain access to financial accounts or technology services. If the attacker can launch secretive voice commands to a smart speaker, he/she can take over that speaker and possibly spread to other devices connected to the same network.
Security professionals will be sharing new research at Black Hat on this topic, including a Cortana exploit and voice spoofing. However, this is a trend that is already in the works. Recently, we’ve seen researchers demonstrate proof-of-concept attacks on smart speakers by lacing YouTube videos with audio commands which broadcast outside the normal human hearing range.
It’s easy to see how this could become a bigger problem, as popular videos could be corrupted with these types of commands, or phishing emails could send specific videos to individual targets. At the same time, there are numerous technologies emerging in the open market which are able to “clone” a person’s voice by using a small sample of their speech patterns. Technologies like Deep Voice, Adobe MAX and Lyrebird, are just a few. But custom “morphing engines” are also possible.
Just as technology is constantly evolving, so too are the tactics used by hackers. Over the next few years, we can expect to see more sophisticated attacks targeting smartphones, IoT devices, and voice-based systems. These will be harder to defend against, so it is important for businesses and consumers to be aware of the risks they are facing.
Jason Glassberg is a co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.