The security evolution that could kill antivirus

We've become accustomed to relying on antivirus, but the Internet of Things is set to hasten its demise - or at least help it lighten up

30 Jun 2016
The future of security could be PCs without antivirus software – try not to celebrate too much – and it’s all due to the insecurity of the Internet of Things (IoT). 

The connection between an insecure smart doorbell and the nagging software that pops up with annoying frequency from the corner of your screen may not be obvious, but experts believe efforts to secure the former may negate the need for the latter.

The IoT means more devices will be connected, but they’ll be harder to secure. Much of the IoT hardware already on the market – maybe a smart appliance or a crowdfunded gadget – doesn’t have security built in by design. “The trend we’re seeing is that many vendors are coming out with new devices, but they don’t take security seriously because they don’t understand that it’s important, or they just don’t care,” said Cesar Cerrudo, CTO of security firm IOActive.

That leaves devices at risk throughout their lifetime, as IoT gadgets are often difficult to update. “The Internet of Things is an interesting area because these devices are usually small, autonomous, and you can’t install any additional security software on top of that,” Andrey Nikishin, future technologies projects director at Kaspersky, told Alphr at the company’s annual Security Analyst Summit. “If it’s insecure, it stays insecure forever. You can’t fix it – it would be expensive, more expensive than the device itself.”

While experts routinely suggest IoT makers build security in “by design”, another way to secure the connected devices in our homes may be to shift security to the network or router – and what works for your smart fridge could work for your PC.

Protecting the IoT with an operating system

There are different ways of tackling this problem, but Kaspersky is building KasperskyOS as its solution. KasperskyOS has been in the works for years, with the company unveiling it in 2012 as a secure operating system for industrial control systems. But it has since been suggested that the tiny microkernel design could help secure everything from smart cars to the IoT.

“At the moment, all of the pieces are one big mess, and they all communicate with each other,” explained Nikishin. “If you have a vulnerability [in one spot], you can get control of the whole system. How it works in our system... all communications go through the microkernel, and all of the communications go past the security system there.

“Only documented communication is allowed. If one part is vulnerable, only that part is vulnerable, and hackers can’t get anywhere else in the system,” said Nikishin. “The operating system gives the chance to run unsecured software, securely. We don’t trust third-party software by default, but we create an environment where you can trust untrusted software.”

If hackers target your smart light bulbs, they may be able to hop over your Wi-Fi to your PC, for example. Using this system, they’d be blocked.
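The mediation Nikishin describes, where every message crosses one checkpoint and only documented channels pass, can be modelled in a few lines. This is an added illustration, not KasperskyOS code or anything from the article; the component names, message types and policy table are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy: the only "documented" channels, as
# (sender, receiver, message type). All names are hypothetical.
ALLOWED = {
    ("bulb_driver", "net_stack", "status_report"),
    ("net_stack", "bulb_driver", "set_brightness"),
    ("ui", "net_stack", "set_brightness"),
    ("ui", "file_store", "read_settings"),
}

@dataclass
class Kernel:
    policy: set
    inboxes: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def send(self, sender, receiver, msg_type, payload=b""):
        """Single choke point: deliver only if the channel is in the policy."""
        allowed = (sender, receiver, msg_type) in self.policy
        self.audit.append((sender, receiver, msg_type, "ALLOW" if allowed else "DENY"))
        if allowed:
            self.inboxes.setdefault(receiver, []).append((sender, msg_type, payload))
        return allowed

def reachable(policy, start):
    """Components a compromised `start` could influence by chaining allowed channels."""
    seen, frontier = set(), [start]
    while frontier:
        node = frontier.pop()
        for sender, receiver, _ in policy:
            if sender == node and receiver != start and receiver not in seen:
                seen.add(receiver)
                frontier.append(receiver)
    return seen

def demo():
    k = Kernel(ALLOWED)
    results = [
        k.send("bulb_driver", "net_stack", "status_report", b"on"),  # documented channel
        k.send("bulb_driver", "file_store", "read_settings"),         # undocumented receiver
        k.send("bulb_driver", "net_stack", "set_brightness"),         # undocumented message type
    ]
    return results, k.audit, reachable(ALLOWED, "bulb_driver")

if __name__ == "__main__":
    print(demo())
```

Running `reachable` over each component of a policy shows how far a compromise of that component could spread through allowed channels, which is a useful review step before a policy ships.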

When asked if this could apply to your PC and remove the need for antivirus, Nikishin said it could, essentially giving the OS sandbox-style protection similar to modern browsers. However, he stressed such a solution would be at least a decade in the future, as further development work needs to be completed before it could be widely adopted.

Whether or not KasperskyOS rids the world of burdensome antivirus, PCs do need to be made more secure: “We’ve reached the moment when we understand we have to do something, redesign everything in a secure way,” added Nikishin.

Routing around the issue

There’s also a growing trend to shift security to the perimeter of the home network. Cerrudo said the router is a sensible place for security to live, since it’s “the easiest place to add protection”. Google is keen on the idea, with its OnHub router offering easy-to-understand management and security, while F-Secure’s Sense (€199 for pre-order; see boxout below) aims to offer security across your home, covering smart appliances to smartphones, tablets and PCs, scanning web traffic before it gets to your devices, as well as acting as a VPN, firewall, and more.

“Whereas companies have IT admins to monitor the network and make sure everything is secure, your home with IoT is becoming more and more of a network onto itself,” said F-Secure security advisor Sean Sullivan. “This moves security to a device on the network, either the router or another specialised device, that kind of sits there in partnership with the router.”

And if your network’s already being scanned for viruses and other malware, can we uninstall antivirus from our PCs? “Yes, exactly,” Sullivan said, explaining security must shift that way, as “you’re never going to use antivirus on your refrigerator”.

To the cloud

This, Sullivan claims, is where the cloud comes in. “We’ll still have a bunch of [security] software for the near future,” he said, saying F-Secure already tends towards calling it endpoint security rather than antivirus. “I think the goal will be to make it lighter, so it’s almost all cloud-based.”

He explained that devices will have a client that can query the cloud security provider, asking about the reputation of a binary or whether an IP address is safe or a known problem. That can work for smaller devices as well as for PCs, he added.

“I think we’ll move beyond needing antivirus on our computers so that the computer doesn’t get turned into a bot,” Sullivan said. “But there are other attacks.” A cloud-based security system can specialise, turning into a DDoS blocker, ransomware prevention, or whatever else is needed, when it’s needed.

This is helped by the shift in software to the cloud – if your productivity suite is cloud-based, the developer can more easily keep it up-to-date, Sullivan noted – but also improvements at the operating system level, making it harder for malicious code to run. “The OS is getting more secure, so I think at some point it will become difficult to run untrusted code on an operating system,” Cerrudo added. “So that will make antivirus less useful in the traditional way we use it right now.”

What’s next?

While viruses and malware must still be battled, Sullivan suggested security will shift in a new direction, away from detecting threats to “keeping everything healthy and up to date”.

Of course, security companies won’t simply sit back and hope “healthy” systems can withstand the onslaught, and not everyone agrees that antivirus is on the way out. “Properly configured and updated antivirus is an efficient security control, and will remain so even into the future,” argued Ilia Kolochenko, founder of web app security firm High-Tech Bridge – and his firm doesn’t even make antivirus.

New technologies such as AI-based automation could help boost security firms’ arsenals. “Currently, we are talking a lot about autonomous machine learning, however I’m not sure its effect will be bigger than heuristic analysis was in the antivirus industry years ago: that was predicted to totally eliminate all viruses in a couple of years,” said Kolochenko.

“Instead I believe in ‘cyborgisation’ of technologies – when human and machines will be working together, complementing one another and completing each other’s weaknesses.”

And just like the IoT, the arrival of new technologies such as virtual reality and augmented reality could also have security implications. “One wonders if there will be virtual spaces in the future to secure,” Sullivan pondered. “There’s a lot of unpredictable future ahead of us.”

The future of Wi-Fi routers

F-Secure Sense

The Sense router analyses all traffic going in and out of your home, protecting any connected device – be it a PC or fridge. Controlled by an app, it’s easier to understand and personalise settings than most routers’ admin systems. Scanning is bolstered by F-Secure’s Security Cloud, which uses artificial intelligence to look for odd behaviour that may signal an attack. It includes a firewall, tracking blocker and VPN. However, don’t think such hardware means the end of security subscriptions: you’ll need to shell out €8 monthly for a subscription to F-Secure’s cloud system. The hardware costs €199, including one year of service, and ships this summer.

Google OnHub

Although Google’s name is emblazoned on the OnHub, its design has actually been delegated to router makers: Asus and TP-Link are the companies behind it, and their routers are already on sale in the US (for $220 and $200, respectively). Managed by a simple app, it makes it easier to share your Wi-Fi with a guest, as well as add and administer devices. The hardware is designed to look attractive, meaning users won’t hamper the signal by hiding it away, and features a ring of antennas to further improve reliability. It comes with automatic security updates and a built-in firewall, but doesn’t have the network scanning offered by F-Secure Sense.
