Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:06 PM
Martin Lee
Martin Lee
Connect Directly

Future Shock: The Internet of Compromised Things

It's doubtful that the average consumer would be aware that his or her refrigerator was participating in a DDoS attack. Even fewer would have any idea how to stop it.

If it contains software, it can be hacked. If it is connected to the Internet, it can be hacked remotely. This is the unfortunate reality of the state of computer software. It should come as no surprise that an Internet enabled smart-fridge can be subverted to send spam emails.

Writing software is tricky. The overabundance of failed software projects that clutter every organization is evidence of just how hard it is to write software that works as intended. For software to be secure, it must do what it is supposed to do and nothing else. The goal of a hacker is to find a way of tricking software into performing functions that it was not designed to do. By this route the attacker may be able to take control of the system and use it to execute the attacker’s commands.

Unfortunately, this is often all too easy. The same flaws in code are found over and over again. Inputs are not validated. Buffers can be overrun. Software runs with too many privileges. The results are that attackers are able to subvert systems to execute malicious instructions. What surprises me most is that we know how to fix these issues during the development process. We know how to write code without these potential vulnerabilities. We know how to review code to spot weaknesses. We know how to test code to catch failings before it is ever released. However, reviewing code and security testing are time consuming. Neither are their benefits immediately apparent in the product. The result is that they tend to get dropped when deadlines loom, if they were ever envisaged at all.

What’s more, even if your code has been verified and found to be secure, the same cannot be said for the third-party code with which it interacts. External libraries or the operating system may contain vulnerabilities that may affect your system, even if the code that you write is completely secure.

Patch Tuesday for your toaster?
The accepted method for remediating insecure code is to download and install updates to replace the vulnerable code. But how exactly do you update the software on your fridge or toaster? As increasing numbers of household devices are sold as Internet connected, it’s only natural to assume that the number of compromised devices is going to ramp up. The question, then, becomes: What can an attacker do with a compromised device, such as a refrigerator or a smart-TV? The information contained within these devices would hardly be worth stealing. However, spare processor and network capacity can be harnessed to become part of a botnet and participate in denial of service attacks, send spam, and even mine bitcoins.

One possible solution might be to screen Internet connections to things in order to detect and stop hacking attacks, block communication with botnet command and control servers, and bar any device that is not an email server from sending email. This would be considered usual within a corporate environment, but consumers are unlikely to have anything other than the simplest firewall on home networks. Nor are they likely to be aware that their fridges are spamming, let alone have the knowledge to remedy the situation.

On a personal level, and as a security professional, I’m not too troubled by the prospect of a spamming fridge. I can blacklist the offending IP address in the unlikely event that a corporate email server accepted an email sent from a consumer ISP IP address range. My biggest concern is what the Internet of Compromised Things represents on the cyber-security front. As cyber-criminals improve their skills in identifying and compromising embedded software in Internet-enabled devices, they will have more devices under their control. They will have greater capacities to launch denial-of-service and hacking attacks against embedded systems that control our home and working environments, such as those running heating, air-conditioning, and water pumps.

I hope that this column serves as a wake-up call for both consumers and the security industry. We need to take stock of the Internet enabled devices on our networks, and, as a minimum, start demanding that these devices are properly secured and guaranteed by manufacturers. Let’s chat about what that would mean in the comments.

Martin Lee is Technical Lead within Cisco’s TRAC team, where he researches the latest developments in cyber security and delivers expert opinion on how to mitigate emerging threats and related risks.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
1/24/2014 | 4:47:48 AM
Re: Dangerous appliances
Quite right! My toaster burnt my toast this morning, probably out of spite. However, my current toaster is entirely mechanical. As the price of computing power keeps dropping computers are finding their way into even the smallest device. Experience tells us that where you have software, you have bugs which can frequently be exploited. Lurking in a cupboard I have a mechanical telephone, its laughable to imagine that this device could contain malware, yet I now have a smart phone on which I can install all sorts of dubious software if I so wish, or if I don't pay attention. With the current pace of technology, I'll be willing to bet that within a few years there will be a smart-toaster in every kitchen.

User Rank: Apprentice
1/23/2014 | 5:47:59 PM
Compimise your services?
Let's suppose for a moment that you live in Phoenix. It's July and  109 degrees outside. As a purveyor of ransomeware, I would shut off your refrigerator and air conditioning. I would only require that you pay me $100 in order to restore their services...
User Rank: Apprentice
1/23/2014 | 5:27:57 PM
Hacker: Good afernoon, sir, is your house empty now?
In addition to fearing that hackers will learn my milk is out of date, I would hate for intruders to snoop on our local area network to learn, for marketing purposes or worse, what my family's habits were or when the house was empty. If all the home appliances were on a household network, a great deal of information would become available to hackers, the public utility, the appliance dealership. Martin Lee is right. We don't quite realize what we're getting into here.   
Shane M. O'Neill
Shane M. O'Neill,
User Rank: Apprentice
1/23/2014 | 4:54:35 PM
Re: Dangerous appliances
I don't think the Internet of Things movement will play out for consumers for awhile. Seems more of an enterprise/manufacturing/supply chain technology for the time being. But when it does eventually come to kitchens and living rooms, will we rely on Symantec, McAfee and Kaspersky to provide protection software for our refrigerators like we do for PCs? The use of third-party anti-virus software in IoT home situations didn't come up in the article so I was curious.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 4:30:41 PM
Re: Dangerous appliances
Sounds like an idea for a sequel to Disney's classic, The Brave Little Toaster. 


User Rank: Apprentice
1/23/2014 | 2:16:48 PM
Dangerous appliances
I have long suspected my toaster of plotting against me. Sometimes it fails to make the toast pop up in the hopes that I will stick a fork in the slot and get electrocuted. These days you have to work hard to keep one step ahead of your electrical appliances. I have never worried about my refrigerator, however. But now I am going to monitor it more carefully. Thank your for alerting us all to these threats.
<<   <   Page 2 / 2
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.