It’s been called the “Internet of Things” – a network of web-connected consumer appliances – and, just as the Internet you already know has opened up myriad opportunities for criminals, so too will this Internet of Things.
According to cyber-security experts, everything from web-connected home thermostats to smart meters to media centers may soon be co-opted by bad guys and forced to do very un-appliance-like things, like sending out spam e-mail or giving up credit card and other personal information to criminals.
But has that future already arrived?
Apparently it has. Late last week Proofpoint, a Sunnyvale, Calif., cyber-security firm, became the first to report a global spam attack by a “thingbot” made up of 100,000 Internet-connected consumer gadgets that included home-networking routers, web-connected multi-media centers, televisions – and at least one refrigerator.
Just as personal computers can be compromised to form robot-like "botnets" to launch massive cyber-attacks, Proofpoint says cyber-criminals now are infiltrating smart appliances and other Internet of Things (IoT) items found in the modern home and turning them into thingbots for use in criminal activity.
The spam attack occurred between Dec. 23, 2013, and Jan. 6, 2014, and featured “waves of malicious e-mail, typically sent in bursts of 100,000, three times per day” targeting businesses and individuals around the world, Proofpoint says.
What stands out about the spam attack is that more than 25 percent of it was sent by Internet-connected things, the firm said: not typical laptop or desktop computers or mobile devices, but consumer appliances like media centers, televisions – and that lonely refrigerator.
“Botnets are already a major security concern, and the emergence of thingbots may make the situation much worse," David Knight, general manager of Proofpoint's information security division, said in a statement. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them."
Today the IoT already includes home-automation devices like smart thermostats, security cameras, refrigerators, and microwaves, as well as home entertainment devices like TVs and gaming consoles.
But the IoT is set to expand enormously to more than 200 billion things connected via the Internet by 2020, predicts market researcher International Data Corporation. That expansion was highlighted recently by Internet giant Google’s acquisition of NEST, a firm that sells a popular system for connecting home thermostats and other home appliances so they can be controlled via the Internet.
Now add to that IoT list self-parking cars, drones, smart appliances in the home talking to smart meters communicating with utility companies, or HVAC systems in commercial buildings. There are even wireless-enabled medical devices, some with embedded software that can’t be upgraded with security “patches,” yet are connected to the Internet wirelessly around the clock, Proofpoint notes.
It’s all part of a trend for consumer manufacturers to build Internet connectivity into household devices for convenience – from baby monitors to refrigerators, John Gartner, a director at the Sans Institute, a cyber-security training organization, says in an interview.
It reminds him, he says, of spammers back in the 1990s who took advantage of e-mail servers that were not locked down – followed by a decade of relative inaction – before Microsoft and others began trying in earnest to secure personal computers. Now it’s refrigerators.
“When you think about a fridge you say, gee, so what if somebody hacks the fridge,” he says. “Well maybe it’s not a big deal if the fridge is sending out spam – but what if denial of service makes all my food melt? Or what if criminals sniffing around the fridge discover they can access your home network and steal credit card information?”
It’s a problem even at the industrial level: major Internet-connected industrial equipment used on the power grid is subject to a host of vulnerabilities in security protocols, switches, and devices, researchers demonstrated at the S4 conference in Miami last week.
But one thing is becoming clear: Internet-connected “things” are not the same as PCs and traditional computing devices, he and others say. Security is often nonexistent and, even where it exists, is vulnerable. And if strong security is not forthcoming soon, consumers may reject the new generation of equipment, they say.
“The consumer devices coming are very different from traditional PCs and servers,” concluded a 2013 “Internet of Things” survey of cyber-security experts by the Sans Institute. “Basic critical security controls, such as hardware and software inventory, vulnerability assessment and configuration management, will face new barriers to success if manufacturers don’t increase their level of attention to security and if enterprise security processes and controls don’t evolve.”
Much depends not only on how quickly device manufacturers step up security, but whether Congress and the federal government step in to mandate consumer protections, Sans’ Mr. Gartner says.
The Federal Trade Commission in November held hearings into privacy concerns relating to the IoT. Meanwhile, the Department of Homeland Security and the National Security Telecommunications Advisory Council, which includes the chief executives of major telecommunications companies, network service providers, and others who advise President Obama on national security and emergency preparedness, also are taking interest in the IoT security question.
History shows spammers came first, then malicious software that caused denial of service attacks on personal computers, then, finally, criminals arrived to steal personal information, Gartner notes.
“Today you have a lot of consumer-grade stuff showing up with Internet connections – and just like 20 years ago with personal computers, they just weren’t locked down,” he says.
Internet-connected light bulbs can now be linked to a program that tells them to blink whenever someone posts a picture of the homeowner on Facebook. But researchers at a security conference demonstrated that the same lights could also be made to switch off each time instead.
Smart-grid meters used by power companies to adjust thermostats automatically – or used by homeowners to pay the power company automatically by credit card – could be subject to attacks, he notes.
“We’re hoping we can secure the Internet of Things early on and not repeat the same mistake we made before by waiting too long on personal computer security,” Mr. Gartner says. “I’m glad government is getting involved. But the Proofpoint finding is a signal that we are already making these mistakes on security all over again.”