The "internet of things" will provide cyber criminals with new ways to exploit faults in personal security systems Photo: AFP/File

Boom in demand for friendly hackers as 5G approaches


As the number of online devices surges and superfast 5G connections roll out, record numbers of companies are offering handsome rewards to ethical hackers who successfully attack their cybersecurity systems.

The fast-expanding field of internet-connected devices, known as the "internet of things" (IoT) which includes smart televisions and home appliances, are set to become more widespread once 5G becomes more available -- posing one of the most serious threats to digital security in future.

At a conference hosted by Nokia last week, "friendly hacker" Keren Elazari said that co-opting hackers -- many of whom are amateurs -- to hunt for vulnerabilities "was looked at as a trendy Silicon Valley thing six to eight years ago".

But "bug bounty programs" are now offered by organizations ranging from the Pentagon and banks such as Goldman Sachs to airlines, tech giants and thousands of smaller businesses.

The largest bug-bounty platform, HackerOne, has 800,000 hackers on its books and said its organizations paid out a record $44 million (38.2 million euros) in cash rewards this year, up 87 percent on the previous 12 months.

"Employing just one full-time security engineer in London might cost a company 80,000 pounds (89,000 euros, $106,000) a year, whereas we open companies up to this global community of hundreds of thousands of hackers with a huge diversity in skills," Prash Somaiya, security solutions architect at HackerOne, told AFP.

"We're starting to see an uptick in IoT providers taking hacking power seriously," Somaiya said, adding that HackerOne now regularly ships internet-connected toys, thermostats, scooters and cars out to its hackers for them to try to breach.

"We already know from what has happened in the past five years that the criminals find very clever ways to utilize digital devices," Elazari told AFP.

A sobering example was the 2016 "Mirai" cyberattack, during which attackers took control of 300,000 unsecured devices, including printers, webcams and TV recorders, and directed them to flood and disable websites of media, companies and governments around the world.

"In the future of 5G we're talking about every possible device having high-bandwidth connections, it's not just your computer or your phone," Elazari warned.

In October Nokia announced it had detected a 100 percent increase in malware infections on IoT devices in the previous year, noting in its threat report that each new application of 5G offers criminals "more opportunities for inflicting damage and extracting ransom".

The rewards for hackers can be high: 200 of HackerOne's bug-hunters have now claimed more than $100,000 in prizes, while nine have breached the million-dollar earnings mark.

Apple, which advertises its own bug bounty program, increased its maximum reward to more than $1 million at the end of last year, for a hacker able to demonstrate "zero click" weaknesses that would allow someone to access a device without any action by the user.

"A big driver is of course the financial incentive, but there's this element of a breaker mindset, to figure out how something is built so you can break it and tear it apart," Somaiya said. "Being one individual who's able to hack multibillion-dollar companies is a real thrill, there's a buzz to it."

The rush of companies shifting to remote working during the pandemic has also led to "a surge in hacktivity", HackerOne said, with a 59 percent increase in hackers signing up and a one-third increase in rewards paid out.

The French and UK governments are among those to have opened up coronavirus tracing apps to friendly hackers, Somaiya added.

While 5G internet systems will have new security features built into the network infrastructure -- something absent before -- the new technology is vastly more complex than its predecessors, leaving more potential for human error.

"I see a lot of risk for misconfiguration and improper access control, these glitches are one of the main risks," Silke Holtmanns, head of 5G security research for cybersecurity firm AdaptiveMobile, told AFP.

But companies are being motivated to act as security moves up the agenda, Holtmanns believes.

The EU, along with governments around the world, has begun tightening cybersecurity demands on organizations, and fines for data breaches have been increasing.

"Before now it's been hard for companies to justify higher investment in security," Holtmanns, who sits on the EU cybersecurity advisory group Enisa, said.

But she added, "If they can say: 'With that security level we can attract a higher level of customer, or lower insurance premiums,' people start thinking in this direction, which is a good thing."

© 2020 AFP

©2020 GPlusMedia Inc.

Login to comment


Actually there are friendly hackers Sven. The strategy to hire them to test and resolve security issues is important. I wish more companies in Japan would hire these types of "consultants". Most of the people I know that have the skill level are doing it for fun and the challenge. Did you hear that Twitter hired a hacker to enhance security?

3 ( +3 / -0 )

There are no friendly hackers. That is a fiction.

It's always interesting how often a poster on JT talks with complete confidence, while saying something that shows it's clearly unjustified confidence due to what they're saying being entirely wrong.

"Friendly hackers", known as white-hat hackers (as compared to nefarious hackers, known as black-hat) are hackers employed by companies/agencies to try to hack their systems to find security holes, before a black-hat hacker finds it. It's an industry that does exist, and in fact, pays a LOT of money:

3 ( +3 / -0 )

There are no friendly hackers. That is a fiction.

I guess that depends. Governments employ highly screened staff who's day job is to hack adversary government's IT systems and discover their secrets. Governments and many major corporations also hire similarly highly screened experts to find and exploit weaknesses in their own IT systems, sort of a cyber Red Flag exercise. Weaknesses are thus identified and fixed before an adversary government or criminal organization can exploit the weakness. For the government or corporation who employs them they are indeed white hats. To an adversary they are black hats. The FBI team that broke into Pirates Bay and figured out who was running it are indeed white hats.

3 ( +3 / -0 )

There are no friendly hackers. That is a fiction. As hackers they use the errors or forgotten safety features of software and IT equipment for their purposes , in this case a high income without really bringing merits, as equally intense as the other, the so-called black or bad hackers, who directly cash in from those errors. It is like taking the purse out of a woman’s handbag in the train or elevator etc. and then saying, no I didn’t want the money but I took it just only to show that woman that it is unsafe to carry the purse open on top of the things in the bag. Just only don’t touch the other one’s purse, damned, neither for theft nor for showing how unsafe that purse showing would be. The same for all kind of IT hacking, ‘good’ or ‘bad’ , just don’t touch or intrude into other’s IT structures and equipment!

-2 ( +0 / -2 )

Login to leave a comment

Facebook users

Use your Facebook account to login or register with JapanToday. By doing so, you will also receive an email inviting you to receive our news alerts.

Facebook Connect

Login with your JapanToday account

User registration

Articles, Offers & Useful Resources

A mix of what's trending on our other sites