Security researchers have shown how a car can be hacked, or how internet-connected household items such as a refrigerator or toaster can be hacked, often highlighting the need to secure such items.

However, IT security vendor Trend Micro says such so-called threats are just diverting the focus from the real issues and are over-hyped.

“What is totally over-hyped is end-user IoT,” Raimund Genes, Chief Technology Officer, Trend Micro, told BusinessLine.

“Will we really see ransomware on IoT devices? Would somebody really put ransomware on your fridge? Would you pay if your fridge gets hijacked? Will you pay when your car gets a ransomware? If somebody got into the control system on your car, it will lose road certification. That’s why I don’t think a lot of people would pay. So the bad guys think what is the return on investment,” Genes said.

He said a lot of sales of security products in the US are generated purely by marketing push rather than by an actual need for security software.

“States do industrial espionage. But do they do industrial espionage at a next door flower shop? No. FireEye was promoting APT even to smaller customers and started making money by creating the hype. That somehow made all of us (security vendors) come out with sandboxes as a solution for APT,” Genes said.

Security risks

Genes acknowledged that Trend Micro itself has highlighted security risks in various consumer items, but said this was done to showcase the possibility rather than to create fear and uncertainty.

“When we did drone hacking, it sounded cool but the hacker will always ask how much money is there in drone hacking. At CeBIT last year, we hacked sex toys because even they are connected (to the internet). Will the bad guys use it? Unlikely. It is the security researchers highlighting a possibility,” Genes said.

He also described Microsoft Windows and Google’s Android OS as among the worst software from an IT security perspective.

“If it were up to me, I would ban all Android devices in an organisation and all Windows PCs. PC was the best invention for mankind but in terms of IT security it was the worst,” he said.

“If you compare iOS and Android, iOS is way more difficult to crack than Android. When Google says there is no security problem with Android, when you look at statistics with Google Play, you’ll not see any problem. But what they never say at conferences is that there’s no Google Play in China and users have an option to deactivate security ecosystem and download from other places.

“Guess why we have millions of malware for Android and less than a thousand for iOS, it is because there are certain markets where there is no security ecosystem. Google did this on purpose,” Genes said.

He said using Windows in critical systems such as ATMs, nuclear power plants or point-of-sale terminals can be disastrous unless it is run in lockdown mode, in which no one is allowed to install new applications on the system.

He added that vendors often push anti-virus software for such systems, whereas if the systems are simply locked down so that no new applications can be installed, no anti-virus is needed at all.

Hard to trust

Genes also targeted US security companies, saying they are hard to trust considering the possibility of a backdoor in each one of them.

“If an enterprise asks a US software vendor that will you sign a guarantee that there is no backdoor in your software for the government, they’ll never sign because under the US law the government can force them to build some backdoor. Indian security companies have a big opportunity there because they can easily sign such a document. Even we can because we are Japanese,” Genes said.