HKCERT Unveils "Hong Kong Cyber Security Outlook 2025" Phishing Hits Five-year High Vulnerabilities in Supply Chain and AI Content Hijacking Emerge as Key Risks Over Half of Enterprises Fear Cyber Attacks on IoT Digital Signages

(Hong Kong, 20 January 2025) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) held a media briefing today to present the "Hong Kong Cyber Security Outlook 2025 cum IoT Security Study Report on Digital Signage". The briefing summarised Hong Kong's cyber security landscape in 2024 and released security forecast for 2025, highlighting supply chain security and AI content hijacking will become the primary cyber security risks in Hong Kong. HKCERT simultaneously released the research findings on digital signages, revealing these devices could become targets of attacks. This emerging security vulnerability poses a threat to both corporate and personal safety. The situation warrants attention. All sectors should take adequate security measures to prevent potential threats.

In 2024, HKCERT handled 12,536 security incidents, with phishing accounting for over half of all cases (7,811 cases, 62%), marking a 108% increase from 2023, with the number rising by four digits (an increase of 4,059 cases). The situation is the most severe in five years. The number of links related to phishing exceeded 48,000, representing a 150% year-over-year increase. Phishing primarily targeted the banking, finance and e-payment sectors, followed by social media, instant messaging, e-commerce, tech enterprises and public services respectively. Malware incidents also rose significantly in 2024, increasing 4.8-fold year-over-year, with most cases involving trojans targeting smart devices disguised as legitimate applications.

Ir Alex Chan, General Manager of the Digital Transformation Division of Hong Kong Productivity Council (HKPC) and spokesperson for HKCERT, stated: "Hackers prefer the path of least resistance, shifting their focus to breaching through third parties such as suppliers, contractors or service providers. Critical infrastructure including energy, land-sea-air transportation, banking and healthcare services are potential targets. Both low-altitude economy drones and IoT devices, like digital signages, are at risk of attack, which could have serious consequences. Organisations and individuals must prepare by implementing appropriate cyber incident response measures, deploying suitable cyber security measures, conducting regular security audits and penetration testing, and understanding and preventing relevant risks."

Five Key Cyber Security Risks for 2025:
HKCERT conducted research and analysis based on its own data and threat intelligence, inviting cyber security experts from various industries and positions, both local and overseas, to participate in a survey. From this, five key cyber security risks to watch out for in 2025 were identified.

1. Rising Risks from Third-Party : Risks from suppliers, contractors, or service providers can lead to serious consequences including legal proceedings and compensation claims. Security vulnerabilities in third-party software, applications and open-source code may result in cyber attacks and data breaches. Third-party risks can also lead to supply chain attacks, where hackers gain access to targeted enterprise systems through collaborating partners.
2. Risks of Leakage and Data Poisoning in LLMs: Large language models face data leakage and poisoning attacks: Prompt Hacking involves designing and manipulating input prompts to mislead models into outputting restricted information; Adversarial Attacks involve manipulating
3. AI-Driven Cyber Attacks and Scams: Hackers actively discuss methods to jailbreak generative AI like ChatGPT to produce restricted content including generating malwares and phishing messages. GPTs designed for crimes reflect “weaponisation of AI” remains a security risk.
4. Increasing Cyber Attacks on Critical Infrastructure: Global critical infrastructure continues to face significant risks from cyber attacks. In 2024, there was a notable increase in attacks on critical infrastructure worldwide, including a ransomware attack on a Hong Kong hospital.
5. Cyber Security Challenges of IoT: IoT devices have already permeated various aspects of our daily lives such as digital signages, drones and smart home devices. However, if cyber security measures are inadequate, these devices can be easily compromised by hackers. HKCERT has found that digital signages available on the market possess common security vulnerabilities, making them susceptible to IoT attacks by hackers.

Digital Signages Everywhere
Almost 40% of Surveyed Organisations did not Conduct Risk Assessments in advance
In response to the five key cyber security risks, HKCERT conducted the Cyber Security Awareness Survey on IoT Digital Signage from July to September last year. The survey involved telephone interviews with 624 companies across various industries, including retail and tourism, information and communication technology, public relations, financial services, professional services, non-profit organisations and schools. The aim was to understand and analyse the cyber security awareness of organisations regarding the use of digital signages and IoT. On the same day, the “IoT Security Study Report on Digital Signage” was released, along with security recommendations, to raise users’ awareness of security.

Currently, digital signages are not only installed in shopping malls, stations, and lifts but are also increasingly used for customer interactions through digital advertising and electronic menus. As the use of these devices grows, so do the potential risks associated with them. The survey found that although most respondents are quite concerned about the security of digital signages, 39% of surveyed organisations still do not conduct cyber security risk assessments for their signages in advance. HKCERT emphasises the importance of reminding digital signage users about potential security risks and provides security recommendations for the use of related IoT devices. This guidance aims to help users operate these devices safely and protect against hacker attacks.

Survey Reveals At Least 10 High-Risk Critical Vulnerabilities
To identify potential risks in common digital signages and provide security recommendations, HKCERT researched eight different digital signage brands last year. The study identified 20 vulnerabilities, including 10 high-risk vulnerabilities requiring urgent remediation. HKCERT live demonstrated common IoT attacks, showing how control could be gained in as little as three seconds.

“Digital signages are numerous and influential, with applications across various industries and aspects of daily life. A cyber attack could have catastrophic consequences. Before attacks become systematic and routine, we must warn the public about these risks and enhance security awareness and defense capabilities. Therefore, HKCERT has developed six recommendations to help protect digital signages against cyber attacks”, stated Chan.

HKCERT's Six Security Recommendations:

1. System and Software Security: Disable unnecessary software and services, ensure software library updates, implement strong password hashing, and update systems and software regularly
2. Network Security: Use security protocols (e.g. HTTPS) and enable system firewalls
3. Physical Security: Disable USB auto-run and auto-play features, restrict physical access interface
4. Data Protection Strategy: Implement regular data backups
5. Secure Content Management: Implement review procedures and monitor content integrity
6. Secure Account Management: Implement strong passwords and multi-factor authentication, adopt the principle of least privilege

- Ends -

Ir Alex Chan, General Manager of Digital Transformation Division, HKPC and HKCERT spokesperson, stated at the "Hong Kong Security Outlook 2025 cum IoT Security Study Report on Digital Signage" media briefing that hackers are shifting their focus to breaching through third parties such as suppliers, contractors, or service providers. Organizations and individuals must be prepared by implementing appropriate cyber incident response measures, deploying suitable cybersecurity measures, conducting regular security audits and penetration testing, and understanding and preventing relevant risks.

Ir Alex Chan, General Manager of Digital Transformation Division, HKPC and HKCERT spokesperson, demonstrates digital signage attack methods and presents security recommendations.