Internet of Things: vulnerability and security

February 13, 2014

The Internet of Things is the latest term used to define all kinds of consumer electronics connected to the Internet – from refrigerators and washing machines to irons. Just like at the end of the last century, almost all computers in the world are connected to networks. Naturally, devices need to get smarter and become better equipped with their own computers so, for example, when a refrigerator detects a shortage of fresh greens or milk, it can send the relevant information by email to the nearest grocery store. Unfortunately, the presence of smart modules and network connections means it is very unlikely that cybercriminals will not use these devices with the intent to cause harm.

Actually, they have already tried, and quite successfully.

Application refrigerator has encountered a problem and needs to close…

Many people will recognize the above subtitle text, a play on the late 1990s and early 2000s Windows messages that appeared during application errors. It’s easy to imagine, then, what would have happened to a smart kitchen device running Windows 95, for instance.

All joking aside, as recently as January 2014, a smart refrigerator was found spamming.

More specifically, in the middle of the month, the security firm Proofpoint Inc. reported it had uncovered a spam campaign by a botnet that consisted not of computers, but of compromised routers, multimedia centers, smart TVs and at least one refrigerator.

Spamming was observed from Dec 23-Jan 6. Email messages were sent in groupings of 100,000, three times a day. At the same time each specific IP address did not send more than 10 messages in total, which further complicated the job of blocking the botnet.
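The following is an added example, not part of the original article or of Proofpoint's report, showing why the per-address limit described above defeats volume-based blocking and how grouping by message content across senders exposes the campaign. The log records, addresses, fingerprints and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed mail-gateway records: (source_ip, body_fingerprint)."""
    events = []
    # 300 compromised devices, each sending only 1-10 copies of the same body
    for i in range(300):
        ip = f"10.{i // 250}.{i % 250}.7"
        events += [(ip, "fp-campaign")] * (1 + i % 10)
    # One legitimate bulk sender: high volume from a single address
    events += [("192.0.2.25", "fp-newsletter")] * 500
    # Ordinary one-off mail, every body unique
    events += [(f"198.51.100.{i}", f"fp-unique-{i}") for i in range(50)]
    return events


def per_ip_offenders(events, threshold):
    """Classic rate rule: flag addresses that sent more than `threshold` messages."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > threshold}


def distributed_campaigns(events, min_sources=100, max_per_ip=10):
    """Flag bodies sent by many distinct low-volume sources."""
    per_fp = defaultdict(Counter)
    for ip, fp in events:
        per_fp[fp][ip] += 1
    findings = {}
    for fp, senders in per_fp.items():
        # Count only sources that stayed under the per-address ceiling
        low = {ip: n for ip, n in senders.items() if n <= max_per_ip}
        if len(low) >= min_sources:
            findings[fp] = {"sources": len(low), "messages": sum(low.values())}
    return findings


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP rule flags:", per_ip_offenders(log, threshold=50))
    print("cross-source rule flags:", distributed_campaigns(log))
```

On the constructed log, the per-address rule flags only the legitimate bulk sender, while the cross-source rule identifies the campaign and the full set of devices behind it.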

Attackers didn’t have to make any special effort. In most cases, compromised appliances were badly connected to the network. Many default login and password pairs (admin/password) were used. It was a real piece of cake.

It was the first proven Internet of Things cyberattack. Experts had long warned that sooner or later, attackers would try to abuse the increasing intelligence of consumer electronics, and as you can see, they were right. Now these “ThingBots” can send spam. Next time you may even expect them to launch a DDoS attack. I am not talking about chances here, either: it is almost guaranteed. Just wait and see.

There is a grimmer outlook with the growing number of so-called “physical” attacks as well.

Real forces

By “physical” attacks I mean attacks that cause obvious material damage, and sometimes colossal damage. They are still rare, but with the proliferation of the Internet of Things we have to expect that the number of such attacks will grow.

The most notorious example of late was the infamous Stuxnet, the cyberweapon virus designed to decommission uranium enrichment centrifuges (and it is well-known to have accomplished its mission).

The Stuxnet and the concept of cyberweapon have already become a part of popular culture. For example, in the hugely popular U.S. TV series “Person of Interest”, the Stuxnet is mentioned directly at least once. The subject of cyberweapons is also referred to several times.

So let’s assume that the Stuxnet is a phenomenon of complicated international relations. This still doesn’t mean that commercial companies will not eventually become the targets of similar attacks. Regardless of their distance from politics, defense contracts or critical infrastructure facilities, the possibility of attacks has long and rightfully concerned professionals.

It’s not hard to imagine attackers remotely disabling, for instance, the climate control system at a facility with strict temperature control rules or switching off (remotely again) the alarm system in an office building before armed men in ski masks enter.

There may also be problems with automobile computers. Last year two experts demonstrated how to disable brakes and other systems in smart cars. And although the hack required a wired connection to the car’s system, even earlier in 2010, other researchers had shown the possibility of remote code execution in a vehicle’s system via a wireless network. Thus, there is sufficient evidence that car systems can be vulnerable to external impacts and automakers are not always willing to tackle these problems.

At last year’s BlackHat conference, various specialists demonstrated their ability to remotely attack the SCADA system of an oil-well pumping station, which could have had potentially catastrophic consequences. At the same conference there was also a report about Chinese cybertroops who diligently tried to hack a water plant in the U.S., specifically looking to steal documents and change the settings of pumps. However, it turned out that the plant was actually a decoy (honeypot), and all the actions of the attackers had been carefully logged. But the security experts present verified that the hackers “knew what they were doing.” In this regard, the question arises whether attackers have already accessed similar systems in the U.S. and other countries, and what can stop them from causing a major accident when they need it.

There is another very recent example too: using a drone with a WiFi transmitter and the necessary software to take over similar devices and hijack them. We have recently written on the subject. Perhaps, this is the most eloquent example of a physical attack – a phenomenon which is likely to become commonplace quite soon.

What we missed

The trend is quite clear. As the number of smart devices used by ordinary consumers and commercial companies grows, so will the number of new threats. A spamming refrigerator, a TV participating in a DDoS attack, an infected router forwarding every request to servers of cybercriminals (like DNSChanger did) – all of these examples are unpleasant, though hardly disastrous. The use of smart devices for cyber espionage is already taking place. An electronic master key that unlocks any of the Onity smart locks used in the hotel industry is also real.

The problem is that while pursuing fashionable trends, producers of smart home appliances hastily adjusted their products to include new functionalities without taking into account the fact that new opportunities will also arise for misuse.

By and large, history is repeating itself. More than two decades ago hardware and communication equipment manufacturers as well as software developers could hardly imagine anything like the notorious Code Red and SQL Slammer, both of which led to significant traffic slowdowns on the World Wide Web in 2001 and 2003. Accordingly, until the thunder started rumbling regularly, little attention was paid to the security architecture itself.

And here again it seems to be the same old story. The development of the Internet of Things is accelerating, security issues are being ignored and the opportunity to patch program shells is not always provided.

According to Kaspersky Lab’s latest survey, “The Threat Landscape in 2014”, attackers today are not interested in causing massive epidemics of malware, but rather aim to extract money and valuable data by exploiting vulnerabilities in the IT perimeters of commercial companies.

The Internet of Things, unless manufacturers of smart devices suddenly come to their senses and start taking care of security at all stages of production, is guaranteed to provide additional real life problems and not just information troubles.