Updated 4-24-14: Added hotlinks
By Alan Grau, Icon Labs
Internet of Things devices, including appliances, get hacked and start spamming your friends.
As the Internet of Things takes off and an increasing array of devices are connected to the Internet, malware, viruses and hackers will inevitably follow. Smart appliances are arriving in our homes, and with them has come the first confirmed cyber-attack against a home appliance. As reported by metering.com (www.metering.com/smart-home-appliances-used-in-first-iot-cyberattack), a botnet spam attack infected a number of TVs and at least one refrigerator. This report raised several questions in my mind. Is this an anomaly or is this just the beginning? Should we care? After all, this is just a refrigerator. And if we do care, what should we do about it?
[A botnet is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet, or perform other operations as directed by the hacker that controls them. Any such computer is referred to as a zombie - in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator.]
Is this an anomaly, or just the beginning?
If we let history be our guide, the answer is clearly that this is just the beginning. When hackers first began developing viruses and other malware, many experts dismissed these as fads that would be short-lived. It was commonly believed that as operating systems and application software became more advanced with time, they would become less vulnerable to threats of all kinds. Similarly, when spam first showed up in the email world, it was commonly dismissed as a weak threat that would be eliminated by future, more advanced email platforms. Anyone using email or a PC today can attest to the fact that just because a system is more “advanced” it is not necessarily more secure.
Should you care?
There are an estimated 6 million to 24 million computers that have been infected with botnets, depending upon who you ask. Given the prevalence of botnet-infected computers, should we care if a few Internet-connected Smart home devices are infected with malware and conscripted into the services of a hacker? There are several reasons why we need to care.
1. Discovering that an IoT device has been compromised is more difficult than discovering that a laptop or desktop computer is compromised. The user of a Smart TV or Internet-connected refrigerator probably won’t notice that performance has bogged down or that tasks are failing, and so won’t be able to infer that something is wrong. Even if they did, they can’t fix the problem – they cannot run anti-virus or anti-malware software to help diagnose the problem. With an IoT device, the user really has no means to determine that a machine has become infected.
2. IoT devices are not built with a method to recover from malware infections. PC systems have built-in capabilities to tolerate, mitigate and recover from security breaches. Backup systems exist. Anti-malware tools are ubiquitous. And if all else fails, you can reinstall the software. However, if your fridge is taken over by malware, you have no way of reinstalling the OS and application software.
3. If an IoT device can be taken over by botnet software, it is also susceptible to attacks that could cause the device to fail. If this happens to your PC, you can reinstall software and recover. Most IoT devices are not designed to allow end users to reinstall software or recover from system failures. Device failures, no matter the cause, are extremely damaging to consumer loyalty, brand reputation and ultimately, corporate profits for the device manufacturer selling the device.
4. IoT devices interact with the world in concrete ways that could be exploited by hackers. A hijacked high-performance TV, with its built-in video camera, microphone and motion sensor, could be used to spy on family activities.
Smart Home Technology is becoming pervasive
How do we respond?
The main lesson is that we need to hold IoT and embedded devices to a higher standard of security and reliability than we hold PCs to. IoT technology adds communication capability to existing devices (and in some cases enables the creation of new types of devices). Adding communication, cloud-enabled services and other IoT capabilities must not result in sacrificing the performance, safety, reliability or security of the original device, or the market will not accept the updated devices. While consumers have learned to accept a certain amount of performance impact, data loss and other effects of security breaches on PCs, they are unlikely to accept this on IoT devices. Technology exists to block, mitigate and recover from these breaches on PCs, but recovering from security breaches will not be as easy, or even possible, with IoT devices.
In many cases, IoT devices will perform critical functions where security breaches can have serious impacts. If the device were a robotic manufacturing device or medical device, a security breach could affect factory production or the well-being of patients.
If a business lunchroom’s refrigerator were discovered to be the source of damaging computer virus attacks or even just tons of malicious spam, then aside from the bad publicity, there could possibly be legal and business repercussions.
The assumption that future IoT devices and systems will be more advanced and therefore immune to security threats is naïve. Future IoT devices and systems will certainly be more advanced and it is possible they will be highly secure. But this will only happen if there is a dramatic change in the approach to security by everyone involved in the development and deployment of IoT devices. Engineers, managers and executives need to take security seriously. Security needs to be designed in from the early stages of the engineering process and must include multiple levels of security. Only then can we avoid spamming refrigerators or hijacked Smart TVs and ensure that our IoT devices are secure.
Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for embedded devices. He is the architect of Icon Labs’ award-winning Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs, he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University. You can reach him at firstname.lastname@example.org