F-Secure’s Hyppönen: careless people are still the greatest threat to information security

The Internet of Things (IoT) is creating a lot of opportunities, but also threats. Do you ensure the information security of your toaster? Are the passwords you use secure?

When household appliances from doorbells to washing machines are connected to the Internet, we have to rethink information security as well. We already saw an example of this, when the largest single DoS attack in the history of the Internet was carried out using 120,000 household appliances.


Video recorders, surveillance cameras and heat pumps generated so much traffic on the network that some of the largest websites in the world, such as Twitter, Netflix, Reddit and CNN, crashed.

Information security is not a selling point for household appliances

The attack did not surprise Mikko Hyppönen, Chief Research Officer at F-Secure, and perhaps Finland's most well-known information security expert. Currently, IoT devices are poorly protected.

“We can promise you that we will never release F-Secure Antivirus for Toasters. The information security of toasters must be ensured in some other way than the traditional model,” Hyppönen says.

According to Hyppönen, the IoT should be protected either by integrating the protection into the devices or by developing a network that protects the devices. It is likely that the information security of a washing machine connected to the Internet will never become a selling point. Instead, people will continue to buy washing machines according to their capacity and warranty. It is also unrealistic to expect a lot of emphasis on the information security of household appliances.

Old industrial control systems are vulnerable

Companies are facing the risks of the IoT as well: the increasing number of devices connected to the Internet provides hackers more opportunities to penetrate weak spots. In industry, the source of the problem is control systems: Industrial automation systems have been computerised since the 1950s. Production facilities have numerous small Linux terminals that control conveyor belts, furnaces and pumps. Traditionally, they have been protected by keeping them offline.

“Now when we at F-Secure scan the Internet twice a week, we find all kinds of control interfaces for industrial systems. This means actual websites where you can push buttons, adjust pumps and let molten iron flow from one machine to another,” Hyppönen explains.

According to Hyppönen, no one has exposed these devices to the Internet on purpose – it happens by accident. The company has installed a new router or integrated network, and no one has noticed that an old automation system that was configured a decade ago has gained access to the Internet.

Hacktivism and ransomware

Accidentally opened information security holes and the fact that cybercrime that is becoming increasingly professional are creating an entirely new calibre of threat. When Hyppönen started working with information security in the last millennium, his usual adversary was a teenage boy who developed viruses for fun.

Now malware is developed by, for example, hacktivists who want to protest or have a certain political agenda. From there, intelligence operations and attacks carried out by governments are just a step away.

“Professional criminal organisations are the largest group at the moment. Before the Internet, Finnish companies did not have to worry about a criminal group in Argentina, because they operated on the other side of the Earth. The Internet allows criminals to steal Finnish credit card numbers or lock Finnish computers from anywhere in the world,” Hyppönen says about the globalisation of information security issues.

According to Hyppönen, the biggest problem for companies at the moment is ransomware. Malware can enter a company’s network from a single user’s infected laptop. When this happens, a cybercriminal can encrypt terabytes of data in the company's network and demand a ransom to unlock it. The best way to prevent this is to make backups that allow companies to restore their data without transferring Bitcoins.

Information security begins with the right kind of corporate culture

According to Hyppönen, the most important step towards good information security is to ensure that the company’s personnel are aware of the threats and correct practices. However, this is challenging, because people are not interested in lectures on information security, and the instructions are often too complicated.

“Everyone knows that their passwords should be long and difficult and that they should use different passwords in different places. In practice, people still use the same simple passwords,” Hyppönen says about the oldest problem in information security.