In this day and age of connected everything, the rise of the Internet of Things might result in vulnerabilities across the different connected devices in our homes, cars and workplaces.
Computers, tablets and smartphones are not the only household devices that can connect to the Internet. In the advent of the so-called Internet of Things, various household and industrial items are already communicating with each other in an attempt to make things more efficient.
This does have privacy implications, of course. Consider how a connected device that can keep track of our whereabouts and conversations can be used by a corporate entity or government agency to spy on us. Even worse, these could be manipulated by malicious hackers, who can get our devices to do their bidding, such as carrying out DDoS attacks, steal personal information or even mine Bitcoins (given enough computing power).
Cloud security provider Proofpoint has recently shared some statistics on malware attacks on connected devices, saying that from December 23, 2013 to January 6, 2014 alone, there were at least 750,000 malicious email communications coming from 100,000 connected consumer devices. These include broadband routers, multimedia centers, televisions and even a refrigerator.
David Knight, general maanger of Proofpoint’s information security division says these connected devices have been hacked into and converted into botnets, which are called “thingbots” due to the nature of the devices. “Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse,” he said, adding that “many of these devices are poorly protected.”
During the holiday season, the firm noticed a spike in traffic from unknown IP addresses, and had been concerned with how the sources of vulnerability turned out to be household appliances and consumer electronics. “Embedded operating systems deployed in firmware tend to be old, not patched very frequently, and there are known vulnerabilities to virtually all of them.”
IDC predicts that there will be 212 billion connected “things” by 2020, but most of these are not protected by the usual safeguards that consumers and enterprises implement on their devices, such as anti-malware, anti-phishing and anti-spam applications. Moreover, “consumers have little incentive to make them more secure … few vendors are taking steps to protect against this threat,” says Osterman Research principal analyst Michael Osterman.
In some cases, vulnerabilities arise from back-doors that manufacturers have put in place to make remote management or troubleshooting easier. Unfortunately, these usually come with unchangeable default passwords. Likewise, firmware may not be easily patched, due to unavailability of source codes. And in case a patch is released at all, consumers are not likely to bother updating their devices.
Security researcher Bruce Schneier has proposed several ways through which the risk can be addressed in a recent Wired article: (1) better system designs; (2) use of open-source driver software instead of binary blobs so that third parties can also implement fixes and patches; and (3) automatic update mechanisms.
For consumers, meanwhile, Proofpoint’s Knight has a simple suggestion. “Don’t plug it in if you don’t plan to use it,” he said. If you do use it and get it to connect to the Internet, make sure it’s secured behind your personal router and firewall.