Just how secure are our connected devices?
While the Internet of Things (or IoT) is set to transform our lives it could provide a massive security risk too, reckons Chris Price
Though we still think of the internet as a medium allowing individuals to communicate with one another – via email, social media or instant messaging – the reality is there are now more machines connected to the internet than people.
Known as the ‘internet of things’, this phenomenon isn’t new. The internet was of course first invented to connect computers and devices together, partly to ensure communications could continue in the event of a nuclear war. But over the last few years the trend has massively accelerated as processors have got more powerful and sensors got smaller and cheaper.
According to statistics from Cisco the number of ‘things’ (as opposed to people) connected to the internet exceeded the number of people on the planet in 2008 and it’s expected to reach 25 billion items in 2015 and 50 billion in 2020!
What that means is that any device can be connected to the net, from the humble light bulb to the household boiler – even the car you drive.
You can now switch your home’s heating on using your smartphone before getting on a flight, print remotely from a network printer or control your home’s security camera while sitting in your office.
Fridges which send, not store, Spam!
Sounds great doesn’t it. But – and this is a big but – these ‘smart devices’ could unwittingly be providing a gateway into your home’s network, even allowing cyber criminals to steal your personal details, claims Neil Thacker, Information Security & Strategy Officer EMEA for security firm Websense.
“Once you connect 30 billion devices to the internet you are opening yourself up to a much bigger attack surface,” he says.
There is even now a search engine for the Internet of Things called Shodan which has made it easier for both the malicious as well as the plain curious to identify internet-machines, including connected devices that are likely have security shortcomings.
Indeed the first Internet of Things (IoT) cyber attack has already been reported. According to US security firm Proofpoint more than 750,000 phishing and Spam emails were launched last year from over 100,000 household devices, including connected televisions, home routers and even smart fridges.
The attack occurred between December 23, 2013 and January 6, 2014 and featured waves of malicious email, typically sent in bursts of 100,000 three times a day. More than 25 per cent of the volume was sent by products that were not conventional laptops, computers or mobile devices.
“Bot-nets are already a security concern and the emergence of ‘thingbots’ may make the situation much worse,” reckons David Knight, general manager of Proofpoint’s Information Security Division.
“Many of these devices are poorly protected at best and consumers have virtually no way to detect of fix infections when they do occur.”
Thingbots and Botnets
As if to illustrate the point, in 2012 an anonymous researcher deployed software to infect over 400,000 connected devices, creating a botnet called Carna. The software was designed to be non-malicious; it harvested information from infected machines to build a “census” of connected devices online. Leaving aside the ethics of the project, Carna vividly demonstrated how vulnerable many printers, webcams and other embedded devices can be.
Another security researcher, HD Moore at Rapid7, also published a report about finding over 100,000 open serial ports accessible online. Serial access can provide attackers with live, unauthenticated access to a server. And although this risk isn’t specific to connected devices, it is typically these devices which are ignored by people and businesses when it comes to implementing security measures.
Says Websense’s Neil Thacker: “Primarily devices like printers are a privot point into a corporate network. Businesses don’t worry too much about their printers. They always patch their end point machines and their servers, but printers get left behind. Once an attack has been documented all it takes is for someone to reverse engineer that code. They can then move deeper into the network and take control of other devices.”
Perhaps at greatest risk from attack are the huge Industrial Control Systems which are increasingly connected to the internet. These are typically used by businesses to control their heating and air conditioning. You can see them outlined on a map here (see illustration above)
“If someone was to change your heating and air conditioning systems by turning them off, or turning them up or down they could cause physical huge damage to the data centres,” reckons Websense’s Neil Thacker.
“Hackers don’t need to go through the traditional method of accessing the network through the firewall,” adds Thacker. “There might be something out there which is already talking to the internet and which can be accessed remotely.”
“Usually they have pretty poor security by default. There are organisations out there which have devices that are five, six, even seven years old.”
But it isn’t just businesses that need to worry about the threat of attack via poorly secured connected devices. Consumers do too. One of the growing risks, reckons Thacker, is around wearables.
“We’ve moved away from the general Fitbit with a couple of sensors. The latest devices have a huge number of sensors and can track health data,” he says.
“It’s this health data which criminals want because it can help them generate identities and obviously leads to identity theft which they can make a huge amount of money from.”
Home automation hacks
In the home there are increased risks too, particularly as more devices are connected to the internet including heating and lighting systems. Google, which bought home automation firm Nest earlier this year, is already collecting data about your energy use which it will no doubt use to make ‘recommendations’ to you further down the line.
“Google have Google Maps and Streetview so they can understand what you are doing out of the home. But they really need want to understand what’s going on within the home too,” says Neil Thacker.
However according to Tony Fadell, CEO of Nest, we shouldn’t have any cause for concern about how the data is being used. “We are being very transparent, we have a manifesto on our website telling people what we are doing with the data,” he told delegates at a Gigaom road map conference earlier this month. He also said that the organisation does everything it can to protect this data from criminals. “We do white hat hacking, we do black hat hacking. We do bug bounties. We do all those things to protect the data from nefarious elements coming in.”
But of course it isn’t just our personal data we have to worry about. Of increasing concern are our images, even videos of ourselves or our properties, being hacked and potentially broadcast to the world.
Only last month a Russian website was able to access internet-connected security cameras to broadcast scenes such as children watching television, a man making a cup of tea and an elderly woman asleep in her bed. A total of 584 vulnerable video cameras in the UK were identified and listed on the website although the site originally had access to 160,000 cameras worldwide.
Far from being an elaborate hack, it appears that the security breach was caused by the users failing to change the default password which was obviously easily exploited. Speaking to the Daily Telegraph, the anonymous hacker said his work was enabled by ‘laziness and IT ignorance’ on the part of the public.
He continued: “The important thing is to set a password on home devices. The list of devices without a password is not limited to cameras. It could include network scanners, printers, green energy systems and even coffee machines. In the near future it will be home robots, droids, quadrocopters or automobiles.”
With over 20 billion devices connected to the internet the opportunity for hackers to exploit the Internet of Things has never been greater. But if we can’t be bothered to set secure passwords then we are making their job so much easier!
How to Secure Connected Devices
If there is an upside to the risks posed by connected devices, it is that a few simple procedures will help secure them from the vast majority of attacks.
Count all the embedded devices on your network: Because their nature often lends them to be “hidden,” it is important to start by thoroughly accounting for all network-aware machines on your network.
Ask which embedded devices really need internet access: If you never access your network printer from outside the office (or outside a VPN), then block it from external access. If the printer’s own configuration doesn’t support this, any good firewall will.
Employ non-default passwords: As we’ve seen, many embedded devices are at risk simply because they are online in a default configuration mode. Choose a password with a combination of upper and lower case letters, numbers and keyboard symbols. It should contain at least eight characters – longer passwords are harder for criminals to guess.
Keep up to date on firmware updates: This is often a key weakness in connected devices.