Attack of the refrigerators? The cyber-threats lurking in your home.

The trend in consumer products is for built-in Internet connectivity. But most items have poor security, creating a fast-growing target for cyber-criminals. Now a 'thingbot' has attacked.

It’s been called the “Internet of Things” – a network of web-connected consumer appliances – and, just as the Internet you already know has opened up myriad opportunities for criminals, so too will this Internet of Things.

According to cyber-security experts, everything from web-connected home thermostats to smart meters to media centers may soon be co-opted by bad guys and forced to do very un-appliance-like things, like sending out spam e-mail or giving up credit card and other personal information to criminals.

But has that future already arrived?

Apparently it has. Late last week Proofpoint, a Sunnyvale, Calif., cyber-security firm, became the first to report a global spam attack by a “thingbot” made up of 100,000 Internet-connected consumer gadgets that included home-networking routers, web-connected multi-media centers, televisions – and at least one refrigerator.

Just as personal computers can be compromised to form robot-like "botnets" to launch massive cyber-attacks, Proofpoint says cyber-criminals now are infiltrating smart appliances and other Internet of Things (IoT) items found in the modern home and turning them into thingbots for use in criminal activity.

The spam attack occurred between Dec. 23, 2013, and Jan. 6, 2014, and featured “waves of malicious e-mail, typically sent in bursts of 100,000, three times per day” targeting businesses and individuals around the world, Proofpoint says.

What stands out about the spam attack is that more than 25 percent of it was sent by Internet-connected things, not just the typical laptop or desktop computers or mobile devices, the firm said, but consumer appliances like media centers, televisions – and that lonely refrigerator.

“Botnets are already a major security concern, and the emergence of thingbots may make the situation much worse," David Knight, general manager of Proofpoint's information security division, said in a statement. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them."

Today the IoT already includes home-automation devices like smart thermostats, security cameras, refrigerators, microwaves, as well as home entertainment devices like TVs and gaming consoles.

But the IoT is set to expand enormously to more than 200 billion things connected via the Internet by 2020, predicts market researcher International Data Corporation. That expansion was highlighted recently by Internet giant Google’s acquisition of NEST, a firm that sells a popular system for connecting home thermostats and other home appliances so they can be controlled via the Internet.

Now add to that IoT list self-parking cars, drones, smart appliances in the home talking to smart meters communicating with utility companies, or HVAC systems in commercial buildings. There are even wireless-enabled medical devices, some with embedded software that can’t be upgraded with security “patches,” yet are connected to the Internet wirelessly around the clock, Proofpoint notes.

It’s all part of a trend for consumer manufacturers to build Internet connectivity into household devices for convenience – from baby monitors to refrigerators, John Gartner, a director at the Sans Institute, a cyber-security training organization, says in an interview.

It reminds him, he says, of spammers back in the 1990s who took advantage of e-mail servers that were not locked down – followed by a decade of relative inaction – before Microsoft and others began trying in earnest to secure personal computers. Now it’s refrigerators.

“When you think about a fridge you say, gee, so what if somebody hacks the fridge,” he says. “Well maybe it’s not a big deal if the fridge is sending out spam – but what if denial of service makes all my food melt? Or what if criminals sniffing around the fridge discover they can access your home network and steal credit card information?”

It’s a problem even at the industrial level where major Internet-connected industrial equipment used on the power grid is subject to a host of vulnerabilities in security protocols, switches, and devices, researchers demonstrated at the S4 conference in Miami last week.

But one thing is becoming clear: Internet-connected “things” are not the same as PCs and traditional computing devices, Mr. Gartner and others say. Security is often nonexistent and, even where it exists, is vulnerable. And if strong security is not forthcoming soon, consumers may reject the new generation of equipment, they say.

“The consumer devices coming are very different from traditional PCs and servers,” concluded a 2013 “Internet of Things” survey of cyber-security experts by the Sans Institute. “Basic critical security controls, such as hardware and software inventory, vulnerability assessment and configuration management, will face new barriers to success if manufacturers don’t increase their level of attention to security and if enterprise security processes and controls don’t evolve.”

Much depends not only on how quickly device manufacturers step up security, but whether Congress and the federal government step in to mandate consumer protections, Sans’ Mr. Gartner says.

The Federal Trade Commission in November held hearings into privacy concerns relating to the IoT. Meanwhile, the Department of Homeland Security and the National Security Telecommunications Advisory Council, which includes the chief executives of major telecommunications companies, network service providers, and others who advise President Obama on national security and emergency preparedness, also are taking interest in the IoT security question.

History shows spammers came first, then malicious software that caused denial of service attacks on personal computers, then, finally, criminals arrived to steal personal information, Gartner notes.

“Today you have a lot of consumer-grade stuff showing up with Internet connections – and just like 20 years ago with personal computers, they just weren’t locked down,” he says.

Internet-connected light bulbs can now be linked to a program that tells them to blink whenever someone posts a picture of the homeowner on Facebook. But researchers at a security conference demonstrated that the same lights could also be made to switch off each time instead.

Smart-grid meters used by power companies to adjust thermostats automatically – or used by homeowners to pay the power company automatically by credit card – could be subject to attacks, he notes.

“We’re hoping we can secure the Internet of Things early on and not repeat the same mistake we made before by waiting too long on personal computer security,” Mr. Gartner says. “I’m glad government is getting involved. But the Proofpoint finding is a signal that we are already making these mistakes on security all over again.”
