“The internet brought new risks, but the benefits were bigger. So far, so good,” he said. “The internet has brought more good than bad. And I would like to think that the same will apply to the internet of things.”
But Hypponen warned that the benefits of the IoT will not necessarily outweigh the risks. “It will not happen by itself. It requires work, and there is a lot of work to be done in IoT security,” he said.
“We are lucky to be alive in these defining years for mankind as we go through these changes. It is very exciting, but also scary because change is scary.”
This is underlined by examples of pushback against technology that appears to be threatening people’s livelihoods and way of life, he said.
For this reason, in the light of the expected third technological revolution that will see an explosion of AI, Hypponen predicts a human uprising against the robots.
“I am not talking about The Terminator, and I am very serious about this because we are already seeing signs that it could happen,” he said.
Hypponen cited as an example a pilot project using IoT sensors to report the location of rubbish bins in a city and how full they are, so that only full bins will be visited and emptied by rubbish collection trucks.
“However, the sensors seemed to be breaking shortly after being deployed,” he said. “Only when they reviewed security camera footage did they realise that the sensors were being vandalised by the drivers of the rubbish collection trucks.
“Before the sensors were deployed, the trucks were going around the city to every bin once a week, but after they were deployed, their services were required only once a month, so the drivers hated the sensors because they were taking away their bread and butter.”
According to Hypponen, there is a real risk of a repeat of the human uprisings against machines that were seen 300 years ago during the industrial revolution, when machines replaced most manual labourers.
“And the revolution of IoT, sensors, robots and machine learning is also likely to make a lot of jobs redundant, such as truck drivers,” he said.
Hypponen predicted that every truck driving job will disappear within the next 10 to 25 years as self-driving trucks become the norm.
“It is going to be a revolution,” he said. “Some of those truck drivers are not going to be happy about it, and some of them will fight back in some way.
“We are living in the middle of tech revolutions. The internet revolution has already happened, the IoT revolution is happening right now, and we should all live to see the machine learning and AI revolution.”
Hypponen said F-Secure is already using machine learning in its labs to run automated sample collection and analysis, with systems designed to teach themselves to tell the difference between a good program and a malicious one.
Although the internet has brought benefits, Hypponen said it must be recognised that in most countries, crime is going online and there is now a greater likelihood of being a victim of crime online or internet-enabled crime than of being a victim of traditional crime.
“Despite this change, most people are still not reporting online crimes or internet-enabled crimes,” he said. “This is a regular complaint I hear from law enforcement organisations around the world.
“They wish that more businesses and individuals would report crimes, because without cyber crime reporting, the cyber crime statistics are incorrect and, as a result, cyber crime does not get allocated the resources it requires in law enforcement budgets.”
Unable to gather intelligence
The other problem with under-reporting, which was highlighted recently by the UK’s cyber policing authorities, is that law enforcement is unable to gather the intelligence it needs about cyber crime to understand the true nature of the threat and to pursue cyber criminals and bring them to justice.
Hypponen also highlighted some emerging trends in cyber threats that organisations should be aware of and take steps to block or mitigate.
From the WannaCry and NotPetya attacks, he said, organisations should have learned to examine the security of their supply chains, to keep user privileges to a bare minimum, and to be aware that legitimate tools can be abused for malicious activity.
“NotPetya was a supply chain attack in which attackers do not hit targets directly, but something that the target is using,” he said. “In the case of NotPetya, it was the Ukrainian accounting software MeDoc. The automatic updating mechanism was hijacked to inject the malware.
“This meant that every company running the MeDoc software was infected, and the way that NotPetya replicates is that it takes Windows authentication tokens from the memory of the computer and uses those rights to run itself on other computers on the same network.
“So if the user of the infected computer has rights to run programs on other computers, NotePetya is able to replicate, and this becomes especially bad when it hits a computer whose user has admin privileges or domain admin privileges because then every computer can be infected.
“NotPetya did not replicate on most networks using a vulnerability – it was replicating using a ‘feature’ of the Windows operating system.”
According to a growing number of cyber security researchers, including those at F-Secure, file-less cyber attacks or attacks that abuse legitimate software features and administration tools are on the rise, which is why organisations should ensure their security defences include some kind of behavioural analysis capability to spot malicious activity hidden in legitimate processes.