UAE Cyber Security Council Report: Unraveling Smart Device Vulnerabilities and AI-Driven Cyber Threats

In an exclusive interview with Arabian Reseller, Pierre Lamy, Principal Threat Intelligence Researcher at Anomali, deep-dives into the UAE Cyber Security Council’s September report, exposing the ongoing vulnerabilities in smart home devices and the growing role of AI in cyberattacks.
Why are most smart home devices still vulnerable despite basic security measures?
The unfortunate truth is that most smart home devices remain vulnerable because there are hardly any meaningful security measures in place. Many IT security practitioners would rather not have “smart” IoT devices at all. As a telling example, there’s even a long-running professional listserv for IoT security discussions called Dumpsterfire.
While some devices may follow reasonable security practices at launch, they quickly fall behind. A product may ship with an up-to-date operating system and libraries, but these devices typically outlast phones and laptops by years. Over time, they require updates that rarely come. Vendors may provide support for a few years, but with little financial incentive to patch already-sold devices, updates stop—and vulnerabilities pile up.
The risks grow as more “smart” features are built in. Every new function introduces new attack surfaces, and some design choices can have unintended consequences. For example, certain cars connect headlights directly into the CAN bus, enabling criminals to exploit the headlight interface to hack vehicles. Regulators and agencies have tried to set best practices for IoT manufacturers, such as Australia’s “Secure by Design” guidance.
Even devices not directly exposed to the internet still “phone home,” either for updates or telemetry. Both pathways can be exploited—through compromised vendor updates or domain hijacks after a vendor folds. A recent Microsoft report on Volt Typhoon highlighted the abuse of “residential proxies” created from compromised routers.
Many common brands allow remote management interfaces to be exposed to the internet, which attackers can exploit. Ultimately, it comes down to usability, price, and security. Vendors can optimize for any two, but in the consumer market, price and usability almost always win. Until consumers are willing to pay for security, it will remain the trade-off that loses.
How are cybercriminals using AI to launch advanced attacks and how can AI fight back?
Right now, the idea of cybercriminals using AI is more hype than reality. The main way threat actors leverage AI is to make phishing campaigns more convincing, since the attacker’s native language often isn’t the same as the victim’s. The success of criminal threat actors can be attributed more to a lack of basic security measures than any level of sophistication.
Simple tactics like calling a helpdesk and impersonating an administrator who “lost their password” are often enough to gain access. The recent Marks & Spencer attack in the UK is a good example: attackers posed as an employee, called the outsourced service desk, and got a password reset.
Most cybercriminal use of AI falls into two buckets: social engineering (e.g., better phishing emails) and faster code development (i.e., quicker exploits after a vulnerability is found). These aren’t groundbreaking techniques, but they can reduce the time and skill needed to launch attacks.
On the defensive side, “friendly AI” can help flip the script. It can detect AI-generated social engineering attempts that slip past humans, and it can rapidly identify and mitigate vulnerabilities before criminals exploit them. In short, attackers use AI to lower the barrier to entry, but defenders can use it to raise the bar and respond faster.
What advanced steps can households and businesses take beyond passwords and updates?
Changing default credentials and regularly applying patches are critical and should not be minimized. Households should also adopt multi-factor authentication, encrypted Wi-Fi, and device segmentation (keeping smart TVs or cameras off the same network as banking apps). Businesses need to integrate threat intelligence platforms that monitor IoT traffic, detect anomalies, and respond at machine speed. Proactive visibility and context-rich intelligence are the only ways to stay ahead of attacks that bypass basic hygiene.
A slightly more advanced approach is to create a guest Wi-Fi network and connect all IoT devices there instead of the main link. Strong passwords, supported by a password manager, also reduce risk. Still, no matter what safeguards are in place, the manufacturer ultimately makes the design choices that impact security, so choosing vendors wisely is essential.
The reality is that most consumers will never put their IoT devices on a guest network. Many don’t know how, and others find it inconvenient since it complicates smartphone access. That makes vendor choice even more important: opt for manufacturers that prioritize stronger security, even if the devices come at a higher price.
What cybersecurity strategy needs to be adopted to counter AI-driven threats?
On the consumer side, the rule is simple: don’t trust any unexpected text, email, phone call, or video call. AI makes it easy to spoof messages so they appear to come from anyone. Use a challenge/password system to confirm identities (e.g., agree in advance on a code word like “rhinoceros–umbrella”). And when it comes to devices, choose vendors who actively address security threats—even if it means paying more.
For businesses, the path forward is moving away from manual, siloed defenses and adopting automated, intelligence-led operations. This requires combining data lakes, automation, and AI-driven analytics to detect and respond faster than adversaries. At Anomali, we help organizations predict, detect, and respond at machine speed, giving defenders the edge in a world where cybercriminals are increasingly weaponizing AI.
How can manufacturers, providers, and regulators work together to secure smart devices?
The guidance from the Australian government is a good example of progress. The only way to make a meaningful impact on IoT security is through regulations and laws that are prescriptive and clear. California has also moved in this direction with SB-327, which requires IoT device manufacturers to equip their products with reasonable security features.
While compliance increases costs and production times, it also encourages companies to invest in stronger design, implementation, and testing. Manufacturers that go beyond the minimum requirements can set themselves apart as security becomes a priority for customers who are increasingly aware of cyber risks.
In the United States, Underwriters Laboratories (UL) is leading a parallel effort with initiatives such as the FCC Cyber Trust Mark and the UL Cybersecurity Assurance Program, both of which assess the security of vendors and products in the IoT market. Educating consumers to prioritize certified products will help drive demand for more secure devices and reward manufacturers who treat security as a competitive advantage.
What risks do insecure smart devices pose to critical infrastructure and public safety?
Smart home devices may seem harmless, but they can serve as entry points into larger networks. Compromised IoT devices are often weaponized for botnets, denial-of-service attacks, or lateral movement into corporate and critical infrastructure systems. At scale, this creates risks not just for individuals but also for energy grids, healthcare systems, and public safety. This is why aligning smart device security with national resilience strategies is urgent: a compromised camera today could be tomorrow’s entry point into critical infrastructure.
As highlighted in Microsoft’s report on Volt Typhoon, state-backed actors targeting critical infrastructure use these devices to mask their activity while infiltrating their targets. Criminal groups also exploit them to launch massive distributed denial-of-service attacks, as detailed in Wired’s account of the Mirai botnet.
The larger challenge is that very few organizations maintain accurate inventories of all devices on their networks, let alone secure them. This problem is magnified in IoT and even more so in operational technology environments that underpin critical infrastructure. The result is an enormous and often invisible attack surface, leaving countless doors open for threat actors to get into pretty much most environments that have IoT devices. This means they can infiltrate (and have infiltrated) an unknowable number of critical infrastructure and other systems that societies depend on every day.
How can consumer awareness be improved to reduce smart device vulnerabilities?
Consumer awareness must evolve beyond “update your password” campaigns to practical, relatable actions. This includes changing device defaults, segmenting devices onto separate networks, and recognizing the risks of data leakage from connected devices. Awareness, however, only works when it is grounded in real intelligence.
The average consumer also depends on governments to mandate basic security measures on IoT devices. Raising this issue with government representatives is a good first step, and trade associations can amplify the cause by advocating for stronger protections for their members and clients. Recent examples highlight why this matters: attackers have exploited vehicles through “CAN injection” attacks, as detailed in VicOne’s report, and state-backed actors have hijacked home and small-office routers to infiltrate U.S. critical infrastructure, as uncovered in Microsoft’s Volt Typhoon report.
Governments and NGOs must spread awareness in a deliberate, structured way. Countries in the Gulf Cooperation Council, such as the UAE, are particularly well positioned to do this because of the way their governmental institutions coordinate with the private sector. These partnerships can drive broader education and accountability, ensuring that awareness translates into meaningful security improvements.