The following is an excerpt from the Threat Lens 2018 Annual Forecast. This forecast does not focus on every global security trend expected in 2018. Instead, it concentrates on Threat Lens' core interest areas and examines the trends we expect to see shaping that space next year. The full version is available to Threat Lens subscribers.
Criminal Activity: Smart Speakers
One of Threat Lens' standing assessments is that cyberthreats will increasingly encroach on physical world. The proliferation of ransomware has been one of the most visible manifestations of this trend in cybersecurity. This trend is also true in reverse: Security lapses in the physical world have been one of the biggest vectors for cyberattacks. We have no reason to believe that this will change in 2018 and, in fact, as technical security features proliferate, human error will increasingly play a role in high-profile instances of suspicious network activity.
With regard to new threats coming into play in 2018, the smart speaker home assistant will be an increasingly attractive target. This is not necessarily the result of any groundbreaking technological changes, but from the mere fact that smart speakers and voice-activated home assistants are rapidly gaining market share. In 2017, eMarketer estimated that just over 55 million Americans used voice-activated assistant devices, a figure it expects to grow 13 percent going into 2018, topping 60 million. Manufacturers of household appliances are likewise increasing the number of products compatible with home assistant platforms like Amazon's Alexa or Google's Home.
These numbers show the sector is becoming a ripe target indeed for hostile actors. In many cases, the tools needed to hack into and manipulate these services already exist. Several security researchers have already highlighted methods of manipulating hardware or Bluetooth connectivity to hijack smart speaker devices. Google Home, which accounts for nearly a quarter of the smart speaker market, runs on Android, an operating system well known to hackers. And while Amazon Alexa runs on a unique operating system, with 70 percent of the market share, hacks have plenty of incentive to probe it for exploits.
And the potential exploits on voice-activated home assistants are many. While turning smart speakers into "listening devices" may be the most obvious exploit, the real power behind these devices is their centrality to a whole ecosystem of household smart devices that collectively comprise the "internet of things." Access to a smart speaker or, more important, the home assistant platform that powers it, could also give hackers access to the thermostats, dishwashers, light bulbs and hundreds of other devices that connect into these home assistants. The more devices home assistants support, the more attractive a target the home assistant becomes.
As we saw in the high-profile distributed denial of service attack against Dyn in late 2016, the internet of things provides hackers with millions of typically poorly secured connected devices that they can use to construct botnets used to in DDoS attacks to disrupt internet services. Bringing on even more internet of things devices and routing them through smart speaker home assistant devices makes products like Amazon Alexa very attractive to botnet operators.
Ransomware targeting smart speakers and the devices they support could be another avenue of exploitation for hackers to pursue; one can imagine hackers demanding bitcoin payments in exchange for turning air conditioners back on during the summer, among many other potential hacks. The dramatic rise in value of digital currencies also increases the attractiveness to hackers of hijacking processing power from internet of things devices to quietly mine currencies, an increasingly common cybercrime. The creativity of criminal hackers will likely lead to other novel forms of exploitation in 2018.
Guarding against exploitation will mean using household smart devices responsibly. This involves always change the password on these devices from the factory default, since many manufacturers use the same password for all new devices. Users should also monitor the media for newly discovered vulnerabilities, updating software patches on household devices when they become available. In short, if your dishwasher can communicate with Alexa or another device, you have to now treat your dishwasher like you would your smartphone: as a device connecting you and your home to the rest of the world that increases convenience, but also vulnerabilities.
Terrorism and Insurgency: Drones
The long-term devolution of terrorist attacks down to the grassroots level will continue in 2018. Ongoing military pressure on deteriorating bases of terrorist activity in Iraq and Syria and law enforcement pressure on terrorist groups in the West are making it harder and harder for groups like the Islamic State and al Qaeda to deploy seasoned militants to conduct directed attacks like we saw in November 2015 in Paris.
Instead, grassroots militants have become the most likely threat actor in the West. While they can still be deadly, their tradecraft is severely lacking. But terrorists are proving that attacks do not necessarily have to produce a high body count to be called a success. Two attacks in New York during the fourth quarter proved that attackers do not have to kill many — or even any — people for an attack to be of propaganda value to the transnational network of aspirational jihadists. The bar for militant success has been lowered to "creating a scene," something very difficult for law enforcement to prevent.
While conventional weapons such as firearms, blades and motor vehicles will continue to be the weapon of choice for jihadists trying to attack the West, there is an incentive to try new weapons in an effort to cause more alarm and panic. One new tactic we expect to see during 2018 is the use of drones in a terrorist attack outside of the battlefield. At the beginning of 2017, the Islamic State featured a series of videos showing small munitions dropped from small, commercially available drones on Iraqi and Kurdish forces. The videos demonstrated that the application of drones in the theater of terrorism provides more a propaganda than tactical combat advantage. Even in an active combat theater where the Islamic State held territory it could use to train, modify and launch drones and where it enjoyed access to military-grade munitions small enough to fit onto them, the tactical effectiveness of such weapons proved marginal at best. Commercially available drones are far more effective as a means of surveillance than mode of attack.
Nevertheless, several signs have emerged that militant and criminal groups are experimenting with drones as attack-delivery systems. Since the release of the Islamic State propaganda videos, we have seen instances of Kurdish militants using drones to target Turkish forces with grenades, Mexican criminal groups experimenting with remote-detonated drone-based IEDs and drone components among weapons seizures in the United States. Meanwhile, the Israel Defense Forces admitted in November that it is not adequately prepared for the possibility of a militant drone attack.
It seems that the world is ripe for an attempted drone attack against a civilian target and, as demonstrated by the variety of actors highlighted above, such an attack will not necessarily come from a jihadist. Just like the vehicular attack tactic was popularized by Hamas and the Islamic State and adopted by others, the idea of using drones in a terrorist attack has been widely distributed. Now, it is just up to a radical or unstable individual to carry it out.
But therein lies a major limitation to a drone-based attack in a peacetime, civilian environment. As demonstrated in the Dec. 11 attack in Manhattan, grassroots terrorists are not competent bombmakers. Only rarely can a self-taught bombmaker carry out a successful attack using rudimentary pipe bombs or triacetone triperoxide devices. Making a device small enough to fit onto a drone and then figuring out the detonation sequence so the device hits its target adds even more challenges, further reducing the chances of success. So while we expect to see an attempted attack on a civilian target in 2018, we are skeptical that a drone-based IED attack will manage to kill or injure more people than the typical firearm, knife or vehicular attack does.
But as noted, high body counts are not necessarily the best metric for gauging an attack's success. Now, merely causing a scene, especially in sensitive places like New York, Washington or other major urban areas, suffices to spread terror and generate propaganda. Any attempted drone attack — even one that fails to kill anyone — would provide jihadists (or other militants) with a fresh angle of attack that would collect attention, even if it does not collect bodies.