The thing about the Internet of Things, which describes the near future in which all our devices and appliances are connected to the Internet — and one another — is that suddenly they’re vulnerable to the dark side of constant connectivity, too. Cybersecurity folks point out it “opens a Pandora’s Box of security and privacy risks that cannot be ignored,” writes Christophe Fabre, CEO of software services vendor Axway.
Just on the heels of Google joining the smart appliances frontier, the security firm Proofpoint Inc. reports it has uncovered one of the first Internet of Things cyberattacks. (The firm gets hired to, among other things, monitor the email gateways for hundreds of companies, scan them and analyze them for nefariousness.)
Included in the attack were smart TVs, wireless speakers and at least one refrigerator. It turns out refrigerators can send out emails, so just as your email can be hacked, your fridge can, too.
“People should be concerned because unlike PCs and laptops where there are tools and user interfaces where you can tell if something is wrong, there’s not a lot to help you tell if your fridge or home audio system has been compromised,” says David Knight, general manager of information security for Proofpoint.
Here’s how the company says it worked: Sometime between Dec. 23 and Jan. 6, hackers commandeered home routers and the like and used them to send out malicious emails to grow their botnet, or army of infected devices. Botnets — and now, “ThingBots” — can be used by hackers to perform large-scale cyberattacks against websites by drowning them with traffic.
So as consumers begin to buy Internet-connected appliances, Knight says they should consider the security of those devices, too. He adds that companies haven’t done enough to protect appliances from hacks.
“Many of these devices, without picking on manufacturers, are running old software with known vulnerabilities. They’ve got very insecure default passwords like [username] admin [password] admin,” Knight says. The net effect for consumers, he says — other than degraded machine performance because of compromised software — is that their machines will be busy sending malicious messages “instead of playing music or doing whatever they’re supposed to be doing.” “They also might cease to function or not be reachable for their intended purpose.”
When we learned that a fridge was hacked, my editor wanted to know what was in the fridge, since Proofpoint could easily log into it. But the firm said it didn’t peek.
“We chose not to pry into the privacy of this person’s refrigerator,” Knight says.