If it contains software, it can be hacked. If it is connected to the Internet, it can be hacked remotely. This is the unfortunate reality of the state of computer software. It should come as no surprise that an Internet enabled smart-fridge can be subverted to send spam emails.
Writing software is tricky. The overabundance of failed software projects that clutter every organization is evidence of just how hard it is to write software that works as intended. For software to be secure, it must do what it is supposed to do and nothing else. The goal of a hacker is to find a way of tricking software into performing functions that it was not designed to do. By this route the attacker may be able to take control of the system and use it to execute the attacker’s commands.
Unfortunately, this is often all too easy. The same flaws in code are found over and over again. Inputs are not validated. Buffers can be overrun. Software runs with too many privileges. The results are that attackers are able to subvert systems to execute malicious instructions. What surprises me most is that we know how to fix these issues during the development process. We know how to write code without these potential vulnerabilities. We know how to review code to spot weaknesses. We know how to test code to catch failings before it is ever released. However, reviewing code and security testing are time consuming. Neither are their benefits immediately apparent in the product. The result is that they tend to get dropped when deadlines loom, if they were ever envisaged at all.
What’s more, even if your code has been verified and found to be secure, the same cannot be said for the third-party code with which it interacts. External libraries or the operating system may contain vulnerabilities that may affect your system, even if the code that you write is completely secure.
Patch Tuesday for your toaster?
The accepted method for remediating insecure code is to download and install updates to replace the vulnerable code. But how exactly do you update the software on your fridge or toaster? As increasing numbers of household devices are sold as Internet connected, it’s only natural to assume that the number of compromised devices is going to ramp up. The question, then, becomes: What can an attacker do with a compromised device, such as a refrigerator or a smart-TV? The information contained within these devices would hardly be worth stealing. However, spare processor and network capacity can be harnessed to become part of a botnet and participate in denial of service attacks, send spam, and even mine bitcoins.
One possible solution might be to screen Internet connections to things in order to detect and stop hacking attacks, block communication with botnet command and control servers, and bar any device that is not an email server from sending email. This would be considered usual within a corporate environment, but consumers are unlikely to have anything other than the simplest firewall on home networks. Nor are they likely to be aware that their fridges are spamming, let alone have the knowledge to remedy the situation.
On a personal level, and as a security professional, I’m not too troubled by the prospect of a spamming fridge. I can blacklist the offending IP address in the unlikely event that a corporate email server accepted an email sent from a consumer ISP IP address range. My biggest concern is what the Internet of Compromised Things represents on the cyber-security front. As cyber-criminals improve their skills in identifying and compromising embedded software in Internet-enabled devices, they will have more devices under their control. They will have greater capacities to launch denial-of-service and hacking attacks against embedded systems that control our home and working environments, such as those running heating, air-conditioning, and water pumps.
I hope that this column serves as a wake-up call for both consumers and the security industry. We need to take stock of the Internet enabled devices on our networks, and, as a minimum, start demanding that these devices are properly secured and guaranteed by manufacturers. Let’s chat about what that would mean in the comments.
Martin Lee is Technical Lead within Cisco’s TRAC team, where he researches the latest developments in cyber security and delivers expert opinion on how to mitigate emerging threats and related risks.