Ondrej Vlcek: There’s also something called spear-phishing. Spear-phishing is targeted phishing that is sent to a specific individual with a handcrafted individual which includes details from the personal life of the person or some kind of project or product that person is working on. It could also be something that makes the entire message much more credible.
At the end of the day, the odds of the victim clicking is higher. The problem with spear-phishing is that it has been difficult and expensive to conduct. You would have to do some kind of research and study. You have to craft the message so that it comes across as genuine.
With AI, the bad guys are scraping all sorts of data sources on the internet to create profiles of thousands, and even millions, of people and then crafting messages that look much more credible than the generic phishing message. Imagine getting a message from the tennis club that your daughter is going to that says, “The invoice from last week’s lesson was not paid.”
All these things match with your real life, the credibility of such a message is higher than that of a generic message. This is what we are seeing. They’re using machine learning to generate these kinds of messages. That would be one trend.
The second trend is IoT. So many people these days talk about all these new cool gadgets that are connected to the internet either through Bluetooth, WiFi, or 5G. Connectivity is becoming a huge megatrend. The number of devices connected to the internet is skyrocketing. It’s growing exponentially.
There are very many of those devices already there. I’m not talking about computers or mobile phones; I’m talking about all these other devices. That’s one reality. The second reality is, for the most part, the security of those devices is pretty bad.
I can tell you that finding vulnerabilities in these devices is incomparably easier than it is finding vulnerabilities in computers or mobile phones. I’m talking about things like unencrypted communication protocols, default passwords, and binary level vulnerabilities that are easily exploited.
It’s terrifying. The quantity and the poor quality really create a situation ripe for a huge problem that people are now just about starting to realize.
Sramana Mitra: Both of those are terrifying trends. This whole-home security business, I’m not sure if that is security or vulnerability.
Ondrej Vlcek: I agree. The worse thing is that it only takes one of those devices to take over the entire network. What typically happens is security of networks today is pretty good around the perimeter.
It’s pretty difficult to attack individual devices on the network from the outside. Once you get into at least one of those devices, the access to any other device in the network is very easy. Devices are trusting in the home network.
When you connect your PC to a new network, the first question you get asked is if it’s a home network. If you answer that it’s a home network, then pretty much all the files become accessible. Everything becomes open. That is the default configuration these days.
Once you have an attacker sitting on any of these devices, that attacker will have an almost unlimited amount of time to attack all these other devices. That creates a huge problem.
Sramana Mitra: What strategies are you, from the Avast point of view and the industry in general, using to address these consumer security vulnerabilities?
Ondrej Vlcek: We spend a lot of time and effort addressing these issues. I don’t think that some of these problems can be solved by just a single party. They will ultimately require some concerted effort from multiple parties.
The IoT problem, to start with, is unsolvable by just the security industry. Device vendors should also be in this as well. They’re not taking sufficient action. There will be a role for the government to force these device manufacturers to get their acts together.
Otherwise, there won’t be enough financial or other incentives to invest in securing these devices.