Future Shock: The Internet of Compromised Things

It’s doubtful that the average consumer would be aware that his or her refrigerator was participating in a DDoS attack. Even fewer would have any idea how to stop it.

Martin Lee, Technical Lead of Security Research & EMEA Lead, Cisco Talos

January 23, 2014

4 Min Read

If it contains software, it can be hacked. If it is connected to the Internet, it can be hacked remotely. This is the unfortunate reality of the state of computer software. It should come as no surprise that an Internet enabled smart-fridge can be subverted to send spam emails.

Writing software is tricky. The overabundance of failed software projects that clutter every organization is evidence of just how hard it is to write software that works as intended. For software to be secure, it must do what it is supposed to do and nothing else. The goal of a hacker is to find a way of tricking software into performing functions that it was not designed to do. By this route the attacker may be able to take control of the system and use it to execute the attacker’s commands.

Unfortunately, this is often all too easy. The same flaws in code are found over and over again. Inputs are not validated. Buffers can be overrun. Software runs with too many privileges. The results are that attackers are able to subvert systems to execute malicious instructions. What surprises me most is that we know how to fix these issues during the development process. We know how to write code without these potential vulnerabilities. We know how to review code to spot weaknesses. We know how to test code to catch failings before it is ever released. However, reviewing code and security testing are time consuming. Neither are their benefits immediately apparent in the product. The result is that they tend to get dropped when deadlines loom, if they were ever envisaged at all.

What’s more, even if your code has been verified and found to be secure, the same cannot be said for the third-party code with which it interacts. External libraries or the operating system may contain vulnerabilities that may affect your system, even if the code that you write is completely secure.

Patch Tuesday for your toaster?
The accepted method for remediating insecure code is to download and install updates to replace the vulnerable code. But how exactly do you update the software on your fridge or toaster? As increasing numbers of household devices are sold as Internet connected, it’s only natural to assume that the number of compromised devices is going to ramp up. The question, then, becomes: What can an attacker do with a compromised device, such as a refrigerator or a smart-TV? The information contained within these devices would hardly be worth stealing. However, spare processor and network capacity can be harnessed to become part of a botnet and participate in denial of service attacks, send spam, and even mine bitcoins.

One possible solution might be to screen Internet connections to things in order to detect and stop hacking attacks, block communication with botnet command and control servers, and bar any device that is not an email server from sending email. This would be considered usual within a corporate environment, but consumers are unlikely to have anything other than the simplest firewall on home networks. Nor are they likely to be aware that their fridges are spamming, let alone have the knowledge to remedy the situation.

On a personal level, and as a security professional, I’m not too troubled by the prospect of a spamming fridge. I can blacklist the offending IP address in the unlikely event that a corporate email server accepted an email sent from a consumer ISP IP address range. My biggest concern is what the Internet of Compromised Things represents on the cyber-security front. As cyber-criminals improve their skills in identifying and compromising embedded software in Internet-enabled devices, they will have more devices under their control. They will have greater capacities to launch denial-of-service and hacking attacks against embedded systems that control our home and working environments, such as those running heating, air-conditioning, and water pumps.

I hope that this column serves as a wake-up call for both consumers and the security industry. We need to take stock of the Internet enabled devices on our networks, and, as a minimum, start demanding that these devices are properly secured and guaranteed by manufacturers. Let’s chat about what that would mean in the comments.

Martin Lee is Technical Lead within Cisco’s TRAC team, where he researches the latest developments in cyber security and delivers expert opinion on how to mitigate emerging threats and related risks.

About the Author(s)

Martin Lee

Technical Lead of Security Research & EMEA Lead, Cisco Talos

Martin Lee is Technical Lead of Security Research, and EMEA Lead for Talos, Cisco's threat intelligence and research organization. He seeks to improve the resilience of the Internet and awareness of current threats through researching system vulnerabilities and changes in the threat landscape. He has published widely on cyber security issues, and advises many organizations on the techniques used by criminals to subvert networked systems.

Martin started his career researching the genetics of human viruses, but soon switched paths to follow a career in IT. With 20 years of experience within the security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the universities of Bristol, Cambridge, Paris-Sud and Oxford. He lives in Oxford and when he isn’t in front of a computer is often to be found running through the countryside.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights