When the internet of things misbehaves!
“The internet of things” is one of the buzziest bits of jargon around in
consumer electronics. The idea is to put computers in all kinds of
products—televisions, washing machines, thermostats, refrigerators—that have
not, traditionally, been computerised, and then connect those products to the
internet.
If you are in marketing, this is a great idea. Being able to browse the
internet from your television, switch on your washing machine from the office
or have your fridge e-mail you to say that you are running out of orange juice
is a good way to sell more televisions, washing machines and fridges. If you
are a computer-security researcher, though, it is a little worrying. For, as
owners of desktop computers are all too aware, the internet is a two-way
street. Once a device is online, people other than its owners may be able to
connect to it and persuade it to do their bidding.
On January 16th a computer-security company called Proofpoint said it
had seen exactly that happening. It reported the existence of a group of
compromised computers which was at least partly comprised of smart devices,
including home routers, burglar alarms, webcams and a refrigerator. The devices
were being used to send spam and “phishing” e-mails, which contain malware that
tries to steal useful information such as passwords.
The network is not particularly big, as these things go. It contains
around 100,000 devices and has sent about 750,000 e-mails. But it is a proof of
concept, and may be a harbinger of worse to come—for the computers in smart
devices make tempting targets for writers of malware. Security is often lax, or
non-existent. Many of the computers identified by Proofpoint seem to have been
hacked by trying the factory-set usernames and passwords that buyers are
supposed to change. (Most never bother.) The computers in smart devices are
based on a small selection of cheap off-the-shelf hardware and usually run
standard software. This means that compromising one is likely to compromise
many others at the same time. And smart devices lack many of the protections
available to desktop computers, which can run antivirus programs and which
receive regular security updates from software-makers.
Ross Anderson, a computer-security researcher at Cambridge University,
has been worrying about the risks of smart devices for years. Spam e-mails are
bad enough, but worse is possible. Smart devices are full-fledged computers.
That means there is no reason why they could not do everything a compromised
desktop can be persuaded to do—host child pornography, say, or hold websites
hostage by flooding them with useless data. And it is possible to dream up even
more serious security threats. “What happens if someone writes some malware
that takes over air conditioners, and then turns them on and off remotely?”
says Dr Anderson. “You could bring down a power grid if you wanted to.”
That may sound paranoid, but in computer security today’s paranoia is
often tomorrow’s reality. For now, says Dr Anderson, the economics of the
smart-device business mean that few sellers are taking security seriously.
Proper security costs money, after all, and makes it harder to get products
promptly to market. He would like legislation compelling sellers to ensure that
any device which can be connected to the internet is secure. That would place
liability for hacks squarely on the sellers’ shoulders. For now, he has had no
luck. But Proofpoint’s discovery seems unlikely to be a one-off.
Good people, let's have your opinion(s).