Vulnerabilities / Threats
1/23/2014
01:06 PM
Martin Lee
Martin Lee
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Future Shock: The Internet of Compromised Things

It's doubtful that the average consumer would be aware that his or her refrigerator was participating in a DDoS attack. Even fewer would have any idea how to stop it.

If it contains software, it can be hacked. If it is connected to the Internet, it can be hacked remotely. This is the unfortunate reality of the state of computer software. It should come as no surprise that an Internet enabled smart-fridge can be subverted to send spam emails.

Writing software is tricky. The overabundance of failed software projects that clutter every organization is evidence of just how hard it is to write software that works as intended. For software to be secure, it must do what it is supposed to do and nothing else. The goal of a hacker is to find a way of tricking software into performing functions that it was not designed to do. By this route the attacker may be able to take control of the system and use it to execute the attacker’s commands.

Unfortunately, this is often all too easy. The same flaws in code are found over and over again. Inputs are not validated. Buffers can be overrun. Software runs with too many privileges. The results are that attackers are able to subvert systems to execute malicious instructions. What surprises me most is that we know how to fix these issues during the development process. We know how to write code without these potential vulnerabilities. We know how to review code to spot weaknesses. We know how to test code to catch failings before it is ever released. However, reviewing code and security testing are time consuming. Neither are their benefits immediately apparent in the product. The result is that they tend to get dropped when deadlines loom, if they were ever envisaged at all.

What’s more, even if your code has been verified and found to be secure, the same cannot be said for the third-party code with which it interacts. External libraries or the operating system may contain vulnerabilities that may affect your system, even if the code that you write is completely secure.

Patch Tuesday for your toaster?
The accepted method for remediating insecure code is to download and install updates to replace the vulnerable code. But how exactly do you update the software on your fridge or toaster? As increasing numbers of household devices are sold as Internet connected, it’s only natural to assume that the number of compromised devices is going to ramp up. The question, then, becomes: What can an attacker do with a compromised device, such as a refrigerator or a smart-TV? The information contained within these devices would hardly be worth stealing. However, spare processor and network capacity can be harnessed to become part of a botnet and participate in denial of service attacks, send spam, and even mine bitcoins.

One possible solution might be to screen Internet connections to things in order to detect and stop hacking attacks, block communication with botnet command and control servers, and bar any device that is not an email server from sending email. This would be considered usual within a corporate environment, but consumers are unlikely to have anything other than the simplest firewall on home networks. Nor are they likely to be aware that their fridges are spamming, let alone have the knowledge to remedy the situation.

On a personal level, and as a security professional, I’m not too troubled by the prospect of a spamming fridge. I can blacklist the offending IP address in the unlikely event that a corporate email server accepted an email sent from a consumer ISP IP address range. My biggest concern is what the Internet of Compromised Things represents on the cyber-security front. As cyber-criminals improve their skills in identifying and compromising embedded software in Internet-enabled devices, they will have more devices under their control. They will have greater capacities to launch denial-of-service and hacking attacks against embedded systems that control our home and working environments, such as those running heating, air-conditioning, and water pumps.

I hope that this column serves as a wake-up call for both consumers and the security industry. We need to take stock of the Internet enabled devices on our networks, and, as a minimum, start demanding that these devices are properly secured and guaranteed by manufacturers. Let’s chat about what that would mean in the comments.

Martin Lee is Technical Lead within Cisco’s TRAC team, where he researches the latest developments in cyber security and delivers expert opinion on how to mitigate emerging threats and related risks.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
SteveC227
100%
0%
SteveC227,
User Rank: Apprentice
1/23/2014 | 2:16:48 PM
Dangerous appliances
I have long suspected my toaster of plotting against me. Sometimes it fails to make the toast pop up in the hopes that I will stick a fork in the slot and get electrocuted. These days you have to work hard to keep one step ahead of your electrical appliances. I have never worried about my refrigerator, however. But now I am going to monitor it more carefully. Thank your for alerting us all to these threats.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 4:30:41 PM
Re: Dangerous appliances
Sounds like an idea for a sequel to Disney's classic, The Brave Little Toaster. 

 

 
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Apprentice
1/23/2014 | 4:54:35 PM
Re: Dangerous appliances
I don't think the Internet of Things movement will play out for consumers for awhile. Seems more of an enterprise/manufacturing/supply chain technology for the time being. But when it does eventually come to kitchens and living rooms, will we rely on Symantec, McAfee and Kaspersky to provide protection software for our refrigerators like we do for PCs? The use of third-party anti-virus software in IoT home situations didn't come up in the article so I was curious.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
1/23/2014 | 5:27:57 PM
Hacker: Good afernoon, sir, is your house empty now?
In addition to fearing that hackers will learn my milk is out of date, I would hate for intruders to snoop on our local area network to learn, for marketing purposes or worse, what my family's habits were or when the house was empty. If all the home appliances were on a household network, a great deal of information would become available to hackers, the public utility, the appliance dealership. Martin Lee is right. We don't quite realize what we're getting into here.   
seppleyt5j01
50%
50%
seppleyt5j01,
User Rank: Apprentice
1/23/2014 | 5:47:59 PM
Compimise your services?
Let's suppose for a moment that you live in Phoenix. It's July and  109 degrees outside. As a purveyor of ransomeware, I would shut off your refrigerator and air conditioning. I would only require that you pay me $100 in order to restore their services...
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 4:47:48 AM
Re: Dangerous appliances
Quite right! My toaster burnt my toast this morning, probably out of spite. However, my current toaster is entirely mechanical. As the price of computing power keeps dropping computers are finding their way into even the smallest device. Experience tells us that where you have software, you have bugs which can frequently be exploited. Lurking in a cupboard I have a mechanical telephone, its laughable to imagine that this device could contain malware, yet I now have a smart phone on which I can install all sorts of dubious software if I so wish, or if I don't pay attention. With the current pace of technology, I'll be willing to bet that within a few years there will be a smart-toaster in every kitchen.

Martin
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 4:58:00 AM
Re: Compimise your services?
seppleyt5j01: Exactly, I see this as the biggest risk. We've already seen attackers seeking to distract security teams within the financial services industry by launching a denial of service attack just before attempting to compromise high value systems. Taking malicious control of environmental control systems would be a very effective mechanism of causing disruption to a security team or business.

I hadn't thought of a ransomware style attack on environmental control, but a lack of heating at this time of year, or the a/c set to full heat in the middle of summer would no doubt lead many people to reach for their credit card to pay off their attackers.
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:33:39 AM
Re: Hacker: Good afernoon, sir, is your house empty now?
cbabcok: Like most things in security its a trade off. I don't doubt that there will be many advantages to the Internet of Things. Anything that can help us better manage our limited resources, allow us to do more with less, or even just make less demands on my free time has to be a good thing. Nevertheless, there will be risks. If we can prepare for those risks now and think about how we can manage them, then we can maximise our benefits while minimising any downsides.
MartinL923
100%
0%
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:44:36 AM
Re: Dangerous appliances
Shane: I think a slightly different approach is needed to detect malicious code running within embedded devices. Anti-virus is very good a detecting known bad code, and allowing the vast numbers of 'good' software that you could install on a desktop device to run unimpeeded.

An embedded device should only ever run one programme and contain no other software apart from updates. So we would need to establish that only authorised software can run on the device, and that any instructions received by the processor (or any sensors or actuators) has been generated from legitimate code operating correctly.

Its a subtly different problem that requires a different approach.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:16:35 AM
Re: Dangerous appliances --subtly different problem that requires a different approach.
Martin, I think you hit the nail on the head when you describe the security issues related to the IoT as a "subtly different problem that requires a different approach. I suspect your use of the words "subtly different" is an understatement!   Thanks for raising the issues about the brave new world (let alone toaster) that we are entering, and also your very thoughtful comments.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.