Is your toaster a silent recruit in a 'thingbot' army?
- 17 February 2015
- From the section Business
Our electronic devices are getting smarter - many can now "talk" to each other and connect to the web.
All kinds of gadgets, from toasters to sprinklers, fridges to domestic heating systems, are now boasting sensors, actuators and low-powered embedded chips.
Whirlpool, Samsung, and LG all have all announced wi-fi enabled washing machines in the last month.
Nest's smart thermostats can communicate with your GPS-enabled phone or tablet and activate your heater when you're on your way home.
There's even a clever egg tray that sends you a remote warning when you're running low on eggs or when they're getting old.
This is the so-called "internet of things" (IoT).
But while it seems to offer some advantages, it is also giving hackers more ways to infiltrate our networks and steal our data.
The number of networked things exceeded the number of humans in 2008, according to some estimates, and is expected to rise to 50 billion by 2020.
The problem is that we don't view such everyday objects as worthy of the same security protection as our computers and smartphones.
Businesses are pretty lax when it comes to installing software patches for accessories such as printers. But by beginning there and then by reverse engineering code, a hacker can move deeper into the network and take control of servers.
Many home wi-fi routers "never get patched, have many vulnerabilities, and are running five year-old versions of the software," says Dr Nicholas Weaver at the University of California in Berkeley's International Computer Science Institute.
The result is a potential cybersecurity disaster area.
The 'thingbots' are coming
Hackers can already dragoon thousands of infected computers into "botnet" armies capable of carrying out distributed denial of services (DDoS) attacks on an organisation's servers.
The botnet basically bombards the servers with millions of messages until it can't cope with the volume and crashes. Hackers often then demand a ransom in return for stopping the attack.
Security blogger Brian Krebs was subject to 21 DDoS attacks in December, he says.
There is a cottage industry of "DDoS-for-hire" services, which is why the number of attacks has skyrocketed in the past two years, he says.
"But a lot of these attacks serve no purpose at all," he point outs. "They're not extortionist, they're not one company trying to take another out of business for competitive reasons - they're just because they can."
Now experts are warning about "thingbots" - the same concept but involving armies of infected household and office gadgets.
For example, security firm Proofpoint says in 2014 over 750,000 phishing and spam messages were sent from more than 100,000 household devices - televisions, wi-fi routers, and fridges.
A more recent example was the Lizard Squad's Christmas Day DDoS attacks on the Xbox and PlayStation networks. They mounted the attack using hacked home wi-fi routers.
As more IoT systems come online, such attacks are likely to increase, experts warn.
Spies in your home?
In November, a Russian website compiled a list of compromised security cameras connected to the internet, including 584 in the UK.
It broadcast scenes of children watching telly, a man making tea, and an elderly woman asleep in her bed.
In most cases, the owners simply hadn't changed the default passwords that came with the systems. The site has now closed down.
If devices connect with each other locally, but never get updated, it leaves them vulnerable to hacking. But if they connect to a central web server and are updated automatically, they could potentially intrude on our privacy, argues Mr Weaver.
"Nest is connected to Google, and it knows when you're home, it knows your habits. A power meter can often figure out what television channel you're watching."
"So we have this bind: we either have devices that are horribly insecure, or we have devices that are capable, and often designed to spy on the user," he says.
Samsung recently warned customers about the privacy threat posed by its voice-controlled "listening" TVs.
Last year, Daniel Miesler, security practice principal at Hewlett-Packard, tested the top 10 IoT devices and found an average of twenty vulnerabilities per device.
Home security systems are similarly vulnerable, he has found.
"Attackers can log on via the internet, basically as you... and know when you're at home, when you're away, and watch video of you from anywhere in the world," he says.
Pushing software updates to devices over an unencrypted network was stopped well over a decade ago for most major operating systems, but is still happening in the thing-world.
"One particular system... allowed live access to the download server, which means we could basically put a malicious version of the software there, have unsuspecting people from all over the world download it, and no one would know the difference," he said.
"We didn't do this, obviously," he adds.
Too much security?
Technology writer Glenn Fleishman says much of this weak security is because the IoT market is still very young.
For online banking and other services requiring high levels of security, we're now used to two-factor authentication, whereby a password is supplemented by another form of identification, such as randomly generated security code.
"As a standard practice, you're not going to find that in most home automation apps - companies don't want to restrict the customer base," he says.
In other words, making home gadgets too secure can stop people buying them.
"Anything that introduces friction at first reduces market share, but as things mature, security is something everyone expects," he says.
Shankar Somasundaram of security giant Symantec, agrees, saying: "There is a mad rush to market, and a misconception that putting in security will slow them down."
He believes that as the market matures, better designed, more secure products will dominate, but that older, less secure devices will still give us a security headache.
Thankfully, many of the most common vulnerabilities are straightforward to remedy, so there is still time to shore up our defences against the gathering thingbot armies.