
Perimeter

10/16/2014
01:50 PM
Marilyn Cohodas
Slideshows

The Internet of Things: 7 Scary Security Scenarios

The IoT can be frightening when viewed from the vantage point of information security.
2 of 8

Home Office Hack of 'Doom'
It might be tempting to play Doom on your printer in the off-hours, when you are not answering emails or writing reports from the comfort of a home office. But the fact is that the Internet of Things is turning the convenience of home into a target for attackers. In September, at 44Con in London, researcher Mike Jordon showed off a hack of a Canon Pixma printer that let him modify the printer's firmware remotely so that its LED indicator screen could run the classic Doom video game. Jordon demoed how the same firmware-update path could be used to load a Trojan onto the printer to spy on printed documents or to install malicious software on the network. But the commonplace printer isn't the only home office device that is vulnerable. It took Kaspersky Lab researcher David Jacoby less than 20 minutes to hack into his home office DSL router and network attached storage devices, where he found 14 vulnerabilities.

Comments
Some Guy,
User Rank: Moderator
11/6/2014 | 1:52:58 PM
NEST - just take it off the wall
Only a fool would pay to ransom their NEST. Just take it off the wall and call the FBI.

BTW, most thermostats have a thermal limit switch built into them, which means your house would only go to 90-95 degrees F. Enough to boil your fish in the aquarium and dry out your houseplants, but that's about it.

This brings up a good point: a lot of the Internet of Things are Cyber-Physical systems and some are even Safety-Critical systems. You are dependent on the manufacturer to get it right, so caveat emptor applies here with the downside being your safety or life at risk. For example, Toyota with the uncommanded acceleration of their cars should have at least provided a mechanical on-off switch that physically removed power from the controller, rather than a momentary switch that was an input level that had to be read by the processor. (And don't even get me started on the lack of safety review or lack of validation around their immature and woefully inadequate safety-critical SW development practices. Again, caveat emptor ... really caveat.)
Broadway0474,
User Rank: Apprentice
10/30/2014 | 10:20:31 PM
Re: This isn't an article at all
While the multiple page format does leave much to be desired, it's a bit harsh to call the piece worthless. It's an interesting collection of what ifs.
nheath920,
User Rank: Apprentice
10/22/2014 | 1:20:35 PM
Re: This isn't an article at all
The ads are over the top. Very time-consuming to get to the actual article. I wouldn't think the advertisers would think this is an effective way to deliver their message, so in-your-face that their brand can be associated with annoyance and to be avoided.
moosemiester,
User Rank: Apprentice
10/22/2014 | 11:00:45 AM
This isn't an article at all
It's a wrapper around ads, pop-ups, and videos, forcing me to click over and over to get each paragraph and while I am trying to read it, pop ups block the copy.

Everything here was the result of a Google search. There is nothing new. The whole thing is just clickbait. Very disappointing. This used to be a good place to learn things.
Marilyn Cohodas,
User Rank: Strategist
10/17/2014 | 12:20:45 PM
Re: The IOT risks are only as limited as creativity of the attackers
That commercial was what I was seeing in my mind's eye when I was writing this blog.... Yes, in the fantasy world of advertising, it all seems so right. But there is so much that can go wrong! Thanks for the ABI report...
Ed Telders,
User Rank: Apprentice
10/17/2014 | 12:13:33 PM
Re: The IOT risks are only as limited as creativity of the attackers
Indeed, check out the ABI research report on cars:

https://www.abiresearch.com/market-research/product/1017985-connected-car-cybersecurity/

I think of the recent TV commercial with the young boy learning to drive with his dad: he spies a young girl walking on the street and is distracted, the car automatically applies the brakes to prevent an accident while the dad gives a knowing and stern look. The commercial is about the automatic braking feature as a way to save lives. Unless of course someone simply turns that feature off! I can already see the lawsuits and headlines coming along with the human tragedy of the event itself.

Thanks for bringing all this up and hopefully getting the industry involved to solve this issue.
Robert McDougal,
User Rank: Ninja
10/17/2014 | 11:35:45 AM
Re: The IOT risks are only as limited as creativity of the attackers
@Marilyn You are exactly right, our major fear now should be the automotive industry. We are seeing industries that traditionally do not operate on the internet entering cyberspace. By the simple lack of experience in information security these companies are bound to make mistakes. Just imagine the horrible possibilities of internet attached lawn mowers, Segways or baby swings.
Marilyn Cohodas,
User Rank: Strategist
10/17/2014 | 9:00:10 AM
Re: The IOT risks are only as limited as creativity of the attackers
Totally agreed, @Ed Telders. The worst is yet to come. The auto industry, for one, hardly has a stellar safety record (think Chrysler, GM, faulty ignition switches). With design and manufacturing cycles several years out, carmakers need to be locking down the security of networking features now for the cars we will be driving in the very near future.
Ed Telders,
User Rank: Apprentice
10/16/2014 | 6:01:17 PM
The IOT risks are only as limited as creativity of the attackers
Marilyn,

This is simply another new round of rapid expansion of connectivity and internet accessible "widgets". And it seems that, like all the previous rapid expansions, the first group of new "widgets" are more concerned with being first to market, and first to bring a "cool" technology to the forefront, than with whether these devices are secure by design. I suspect it will take some unfortunate and spectacular incidents to once again wake them up and start taking it seriously. Too many times we've had to learn this lesson.

I can think of a lot of ways that this can become serious. All the same kinds of risks can be explored with these devices, and they are only limited by the creativity of the attackers. Simple disruption, DDoS, shut-down commands, bots, all sorts of malware, using these to backdoor into your network, monitoring, tracking, intellectual property theft, etc. are only the beginning. Let's just say that a smart grid has all of its electrical usage data set to zero for thousands of customers: what happens to the tax revenues that are supposed to be generated by that? What if the opposite happens, and all meters show extraordinarily high electrical usage? Who cleans all that up? How about the medical device that is modified to give you too much insulin, or changes the pacemaker's control of a heartbeat?

To me the most insidious risks are those that follow the tracks of the APT attacks: slow and stealthy, undetected for extended periods of time, small but meaningful impacts across a wide range of devices and services.

This is only the beginning of this round; it will become interesting and challenging, real fast.