Attack of the refrigerators? The cyber-threats lurking in your home.
It's been called the "Internet of Things" – a network of web-connected consumer appliances – and, just as the Internet you already know has opened up myriad opportunities for criminals, so too will this Internet of Things.
According to cyber-security experts, everything from web-connected home thermostats to smart meters to media centers may soon be co-opted by bad guys and forced to do very un-appliance-like things, like sending out spam e-mail or giving up credit card and other personal information to criminals.
But has that future already arrived?
Apparently it has. Late last week Proofpoint, a Sunnyvale, Calif., cyber-security firm, became the first to report a global spam attack by a "thingbot" made up of 100,000 Internet-connected consumer gadgets that included home-networking routers, web-connected multi-media centers, televisions – and at least one refrigerator.
Just as personal computers can be compromised to form robot-like "botnets" to launch massive cyber-attacks, Proofpoint says cyber-criminals now are infiltrating smart appliances and other Internet of Things (IoT) items found in the modern home and turning them into thingbots for use in criminal activity.
The spam attack occurred between Dec. 23, 2013, and Jan. 6, 2014, and featured "waves of malicious e-mail, typically sent in bursts of 100,000, three times per day" targeting businesses and individuals around the world, Proofpoint says.
What stands out about the spam attack is that more than 25 percent of it was sent by Internet-connected things, not just the typical laptop or desktop computers or mobile devices, the firm said, but consumer appliances like media centers, televisions – and that lonely refrigerator.
"Botnets are already a major security concern, and the emergence of thingbots may make the situation much worse," David Knight, general manager of Proofpoint's information security division, said in a statement. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them."
Today the IoT already includes home-automation devices like smart thermostats, security cameras, refrigerators, microwaves, as well as home entertainment devices like TVs and gaming consoles.
But the IoT is set to expand enormously to more than 200 billion things connected via the Internet by 2020, predicts market researcher International Data Corporation. That expansion was highlighted recently by Internet giant Google's acquisition of NEST, a firm that sells a popular system for connecting home thermostats and other home appliances so they can be controlled via the Internet.
Now add to that IoT list self-parking cars, drones, smart appliances in the home talking to smart meters communicating with utility companies, or HVAC systems in commercial buildings. There are even wireless-enabled medical devices, some with embedded software that can't be upgraded with security "patches," yet are connected to the Internet wirelessly around the clock, Proofpoint notes.
It's all part of a trend for consumer manufacturers to build Internet connectivity into household devices for convenience – from baby monitors to refrigerators, John Gartner, a director at the Sans Institute, a cyber-security training organization, says in an interview.
It reminds him, he says, of spammers back in the 1990s who took advantage of e-mail servers that were not locked down – followed by a decade of relative inaction – before Microsoft and others began trying in earnest to secure personal computers. Now it's refrigerators.
"When you think about a fridge you say, gee, so what if somebody hacks the fridge," he says. "Well maybe it's not a big deal if the fridge is sending out spam – but what if denial of service makes all my food melt? Or what if criminals sniffing around the fridge discover they can access your home network and steal credit card information?"
It's a problem even at the industrial level where major Internet-connected industrial equipment used on the power grid is subject to a host of vulnerabilities in security protocols, switches, and devices, researchers demonstrated at the S4 conference in Miami last week.
But one thing is becoming clear: Internet-connected "things" are not the same as PCs and traditional computing devices, he and others say. Security is often nonexistent and, even where it exists, is vulnerable. And if strong security is not forthcoming soon, consumers may reject the new generation of equipment, they say.
"The consumer devices coming are very different from traditional PCs and servers," concluded a 2013 "Internet of Things" survey of cyber-security experts by the Sans Institute. "Basic critical security controls, such as hardware and software inventory, vulnerability assessment and configuration management, will face new barriers to success if manufacturers don't increase their level of attention to security and if enterprise security processes and controls don't evolve."
Much depends not only on how quickly device manufacturers step up security, but whether Congress and the federal government step in to mandate consumer protections, Sans' Mr. Gartner says.
The Federal Trade Commission in November held hearings into privacy concerns relating to the IoT. Meanwhile, the Department of Homeland Security and the National Security Telecommunications Advisory Council, which includes the chief executives of major telecommunications companies, network service providers, and others who advise President Obama on national security and emergency preparedness, also are taking interest in the IoT security question.
History shows spammers came first, then malicious software that caused denial of service attacks on personal computers, then, finally, criminals arrived to steal personal information, Gartner notes.
"Today you have a lot of consumer-grade stuff showing up with Internet connections – and just like 20 years ago with personal computers, they just weren't locked down," he says.
Internet-connected light bulbs can now be linked to a program that tells them to blink whenever someone posts a picture of the homeowner on Facebook. But researchers at a security conference demonstrated that the same lights could also be made to switch off each time instead.
Smart-grid meters used by power companies to adjust thermostats automatically – or used by homeowners to pay the power company automatically by credit card – could be subject to attacks, he notes.
"We're hoping we can secure the Internet of Things early on and not repeat the same mistake we made before by waiting too long on personal computer security," Mr. Gartner says. "I'm glad government is getting involved. But the Proofpoint finding is a signal that we are already making these mistakes on security all over again."