Smart Spam? Security Concerns around the Internet of Things
Your refrigerator has a message for you — and no, it’s not that you need more orange juice– it’s an ad for belly fat pills. Thanks, Refrigerator.
Recently computer security company, Proofpoint discovered a cyber attack (malware) campaign in which some 25% of compromised computers were smart devices, including home routers, webcams, home entertainment centers, burglar alarms, and yes—refrigerators. Hackers infected these appliances by sending out malicious “phishing” emails to grow the share of their botnet (i.e. a set of infected devices) and steal important information, like passwords. Spam marks an important —alas, inevitable— milestone in the evolution of smart appliances and IoT.
These devices are often full-featured computers unto themselves, meaning they are at risk of all of the horrific attacks we’ve seen before with traditional computers. But when it comes to IoT, Ross Anderson, a computer-security researcher at Cambridge University warns it’s not a great leap to imagine the proliferation of nightmarish security threats. “What happens if someone writes some malware that takes over air conditioners, and then turns them on and off remotely?” asks Dr. Anderson. “You could bring down a power grid if you wanted to.” This characterizes a new paradigm of technological risk—perhaps the most formidable risk facing IoT.
So whether it’s your smart refrigerator, your FitBit, or your Google Glass, there are a couple of issues the industry must address:
Smart Devices lack the Security Muscle of their Wired Grandparents
Wireless, connected devices are a relatively new platform type, meaning they are intrinsically less mature than their laptop, desktop, and wired network predecessors. The existing security in these devices is often low, or even null. Many of these devices also lack the basic fortitudes we’ve come to know in laptops, like anti-virus programs and manufacturer security updates. Proofpoint reported the attack targeted factory-set usernames and passwords (which many users never change).
Further vulnerability lies in the fact that, under the hood, many of these technologies are running on general operating systems like Linux meaning potential hackers already have lots of compromising attacks and tools at their fingertips—and don’t have to bother deciphering some abstruse new operating systems unique to wearables, smart thermometers, or the like. This ‘off-the-shelf’ infrastructure also means that an attack on one can spread quickly and easily to others at the same time.
Porous Responsibility leaves Devices Vulnerable
So whose problem is this anyway? Ultimately, spam infects the end user experience. But is it the consumer’s to know and fix their infected refrigerator, thermostat, or wristband? Or is it the brand’s? How about the manufacturer’s? [Are they the same or different?] Though there are more and more large brands getting more into the hardware space, many device manufacturers are still start-ups, lacking the deep pockets to program and ensure proper security or IoT-centric operating systems.
There is also a lack of legislation in place requiring standard security measures before bringing new connected products to market. Complicating this matter of responsibility further is the inherent specialization of IoT; that is, there are just about as many different interfaces for IoT as there are use cases today.
IoT has not (and may not for some time) go through the type of platform standardization we’ve seen with smartphones wherein the majority of consumers use one of two operating systems. This means a ‘secure’ IoT requires security measures are taken with each interface, both hardware and software—be it smart fitness bands, smart glasses, smart refrigerators, smart thermostats. Once “BYOD” expands to include new device types en masse, this will become an even greater enterprise headache as the risk of exposure grows exponentially. The real problem here is the answer to this question is not clear. Like with other emerging technologies, until the industry does a better job of building in hardware and software security features, the end user will continue bear the burden of vulnerable devices.
Proliferation of Smart Devices requires Smarter Security
What Proofpoint’s finding underscores is the reality that connected “things” will increasingly comprise a greater share of the population of compromised computing systems. As a result, a “smarter” ecosystem of connectivity will require smarter security standards. In a world where hack-ability is only becoming more complex and widely practiced, IoT must work to catch up. Manufacturers must prioritize security in development; brands must incorporate this risk into their IT and BYOD strategies. As for Us, the end users? Take precaution. Download available security apps, relay feedback to device manufacturers, etc. And if you must have spam in your refrigerator, stick to the edible kind.