Vulnerabilities / Threats
01:06 PM
Martin Lee
Martin Lee
Connect Directly

Future Shock: The Internet of Compromised Things

It's doubtful that the average consumer would be aware that his or her refrigerator was participating in a DDoS attack. Even fewer would have any idea how to stop it.

If it contains software, it can be hacked. If it is connected to the Internet, it can be hacked remotely. This is the unfortunate reality of the state of computer software. It should come as no surprise that an Internet enabled smart-fridge can be subverted to send spam emails.

Writing software is tricky. The overabundance of failed software projects that clutter every organization is evidence of just how hard it is to write software that works as intended. For software to be secure, it must do what it is supposed to do and nothing else. The goal of a hacker is to find a way of tricking software into performing functions that it was not designed to do. By this route the attacker may be able to take control of the system and use it to execute the attacker’s commands.

Unfortunately, this is often all too easy. The same flaws in code are found over and over again. Inputs are not validated. Buffers can be overrun. Software runs with too many privileges. The results are that attackers are able to subvert systems to execute malicious instructions. What surprises me most is that we know how to fix these issues during the development process. We know how to write code without these potential vulnerabilities. We know how to review code to spot weaknesses. We know how to test code to catch failings before it is ever released. However, reviewing code and security testing are time consuming. Neither are their benefits immediately apparent in the product. The result is that they tend to get dropped when deadlines loom, if they were ever envisaged at all.

What’s more, even if your code has been verified and found to be secure, the same cannot be said for the third-party code with which it interacts. External libraries or the operating system may contain vulnerabilities that may affect your system, even if the code that you write is completely secure.

Patch Tuesday for your toaster?
The accepted method for remediating insecure code is to download and install updates to replace the vulnerable code. But how exactly do you update the software on your fridge or toaster? As increasing numbers of household devices are sold as Internet connected, it’s only natural to assume that the number of compromised devices is going to ramp up. The question, then, becomes: What can an attacker do with a compromised device, such as a refrigerator or a smart-TV? The information contained within these devices would hardly be worth stealing. However, spare processor and network capacity can be harnessed to become part of a botnet and participate in denial of service attacks, send spam, and even mine bitcoins.

One possible solution might be to screen Internet connections to things in order to detect and stop hacking attacks, block communication with botnet command and control servers, and bar any device that is not an email server from sending email. This would be considered usual within a corporate environment, but consumers are unlikely to have anything other than the simplest firewall on home networks. Nor are they likely to be aware that their fridges are spamming, let alone have the knowledge to remedy the situation.

On a personal level, and as a security professional, I’m not too troubled by the prospect of a spamming fridge. I can blacklist the offending IP address in the unlikely event that a corporate email server accepted an email sent from a consumer ISP IP address range. My biggest concern is what the Internet of Compromised Things represents on the cyber-security front. As cyber-criminals improve their skills in identifying and compromising embedded software in Internet-enabled devices, they will have more devices under their control. They will have greater capacities to launch denial-of-service and hacking attacks against embedded systems that control our home and working environments, such as those running heating, air-conditioning, and water pumps.

I hope that this column serves as a wake-up call for both consumers and the security industry. We need to take stock of the Internet enabled devices on our networks, and, as a minimum, start demanding that these devices are properly secured and guaranteed by manufacturers. Let’s chat about what that would mean in the comments.

Martin Lee is Technical Lead within Cisco’s TRAC team, where he researches the latest developments in cyber security and delivers expert opinion on how to mitigate emerging threats and related risks.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
1/24/2014 | 4:47:48 AM
Re: Dangerous appliances
Quite right! My toaster burnt my toast this morning, probably out of spite. However, my current toaster is entirely mechanical. As the price of computing power keeps dropping computers are finding their way into even the smallest device. Experience tells us that where you have software, you have bugs which can frequently be exploited. Lurking in a cupboard I have a mechanical telephone, its laughable to imagine that this device could contain malware, yet I now have a smart phone on which I can install all sorts of dubious software if I so wish, or if I don't pay attention. With the current pace of technology, I'll be willing to bet that within a few years there will be a smart-toaster in every kitchen.

User Rank: Apprentice
1/23/2014 | 5:47:59 PM
Compimise your services?
Let's suppose for a moment that you live in Phoenix. It's July and  109 degrees outside. As a purveyor of ransomeware, I would shut off your refrigerator and air conditioning. I would only require that you pay me $100 in order to restore their services...
User Rank: Apprentice
1/23/2014 | 5:27:57 PM
Hacker: Good afernoon, sir, is your house empty now?
In addition to fearing that hackers will learn my milk is out of date, I would hate for intruders to snoop on our local area network to learn, for marketing purposes or worse, what my family's habits were or when the house was empty. If all the home appliances were on a household network, a great deal of information would become available to hackers, the public utility, the appliance dealership. Martin Lee is right. We don't quite realize what we're getting into here.   
Shane M. O'Neill
Shane M. O'Neill,
User Rank: Apprentice
1/23/2014 | 4:54:35 PM
Re: Dangerous appliances
I don't think the Internet of Things movement will play out for consumers for awhile. Seems more of an enterprise/manufacturing/supply chain technology for the time being. But when it does eventually come to kitchens and living rooms, will we rely on Symantec, McAfee and Kaspersky to provide protection software for our refrigerators like we do for PCs? The use of third-party anti-virus software in IoT home situations didn't come up in the article so I was curious.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 4:30:41 PM
Re: Dangerous appliances
Sounds like an idea for a sequel to Disney's classic, The Brave Little Toaster. 


User Rank: Apprentice
1/23/2014 | 2:16:48 PM
Dangerous appliances
I have long suspected my toaster of plotting against me. Sometimes it fails to make the toast pop up in the hopes that I will stick a fork in the slot and get electrocuted. These days you have to work hard to keep one step ahead of your electrical appliances. I have never worried about my refrigerator, however. But now I am going to monitor it more carefully. Thank your for alerting us all to these threats.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio