From GIZMODO
How Creeps Will Use the Internet to Break into Your Home
Darren Orf
Your refrigerator is sending spam. Your front door is
running buggy firmware that tells you the deadbolt is locked (when
it's not). And the kid next door is pirating music over your wifi network,
thanks to a backdoor in your thermostat app. All the internet-enabled
things that make your home "smart" are also turning it into a
security nightmare.
Smart homes are just one part of a larger movement in the
tech industry to build an "internet of things" — an interconnected web of stuff that
includes everything from phones and tablets, to washing machines and desk
lamps. Megacorps like Google are trying to cash in on this new internet age
with products like Nest, a system to control your smart home from the cloud.
Other companies, like Samsung, have pledged that 90 percent of their products will be part of the
internet of things by 2017.
The problem is that this new internet has all the security
problems of the old one. Except they are worse, because software
vulnerabilities won't just allow people to break into your network — they'll be
breaking into your house. We spoke with chipmakers, product designers, white
hat hackers, and security specialists, and they all made one thing
abundantly clear: the smart home is not acceptably secure, not even close.
A Bigger Attack Surface
We already know that smart homes are just
unforgivably glitchy to the point where switching off the lights
becomes a painful debugging process.
But these bugs aren't just annoyances. Many smart devices
are rushed out the door, usually with manufacturers intending to secure them
once they're in the wild (and successful) — or maybe just with no intent to do
it at all. Because so little attention is given to security in the first place,
every smart device you bring into your home network only increases the target
on your back. In computer security, this is called your "attack
surface."
Experts say that a smart refrigerator has the potential to
be far more vulnerable than other internet-enabled devices. "Your computer
that has a firewall [when it's awake] has a much smaller attack surface than
your cell phone that's constantly on the internet," says Mike Ryan, a
Bluetooth expert and embedded security researcher. "The internet of things
represents a general broadening of the attack surface. Every single device is
connected now, and every single device could be a potential point of weakness.
Whereas before your refrigerator plugged into the wall, and that's it."
A nefarious smart refrigerator may seem like a stupid
example, and it would be—if it hadn't already been hacked before. Smart
refrigerators were among a network of devices sending malicious emails in January last year. Here's how the
hack went down, according to an NPR report:
Sometime between Dec. 23 and Jan. 6, hackers commandeered home routers and the like and
used them to send out malicious emails to grow their botnet, or, army of
infected devices. Botnets — and now, "ThingBots" — can be used by
hackers to perform large-scale cyberattacks against websites by drowning them
with traffic.
But "commandeering" routers, and smart washers,
and thermostats, and door locks, and face-recognizing cameras is pretty hard to
do, right? Yeah...no. Last April, a family from Cincinnati, Ohio, says they woke up during the night
to a man screaming at their 10-month-old daughter through a Foscam baby
monitor. He had discovered their camera on the internet, took it over, and used
it to scare their child. The three-year-old baby monitor didn't have the latest
security updates, so the family was an easy target.
Even more terrifying is the prospect that a baby cam could
just be the first step in a more general takeover. A smart home invader might
begin by discovering a vulnerable device, but then use that to jump onto your
wifi network — before long, the attacker could be reading your email and
grabbing private information from your phones.
"It's remarkably easy to find out what kind of devices
people have in their homes," Ryan tells us. "If [a device] has a
vulnerability and you gain control of it, then you have a foothold directly on
someone's home wifi network, and you can do direct attacks against their
laptops or their router. You can change the settings so all their web traffic
goes through you."
And it's not only the devices that are vulnerable, but the
wireless Bluetooth tech we used to tie everything together. Ryan says every
Bluetooth implementation he's ever tested has turned up at least one
vulnerability. When he reported these security problems to vendors, only one
ever responded.
Of course, some devices have better security than others.
Companies like Microsoft and Google offer bug bounties, inviting hackers to
attack their systems to find weak points, and rewarding successful hacks with
cash. There is a similar program at Qualcomm, a chip manufacturer responsible
for a lot of the computing brains in your smart wearables, cars, and even lightbulbs. But Asaf Ashkenazi, director of product
management for Qualcomm, says bug bounties are not nearly enough.
Which is putting it lightly. A study last fall, conducted by
HP, found that 70 percent of commonly used devices in our homes were security
risks with almost 25 vulnerabilities per device.
"Although we're providing all the foundations, we
cannot solve the problem alone. It's vendors. It's software providers,"
Ashkenazi tells us. "It needs to be an across industry effort."
A Vulnerable Network
Nothing is 100 percent secure. It would take a massive
restructuring of the internet, built from the ground up, and applying all the
security lessons we've learned over the decades, to even come close.
Although DARPA is investigating that idea, we're stuck with what we've
got—a patched and bandaged framework vulnerable to criminals and trolls of all
types.
The internet of things is just the next evolution in how
we'll interact with the internet, and it will experience similar security growing
pains. The sheer number of devices, whether smart TVs, coffee pots, Bluetooth
speakers, or baby cams, is what makes a smart home such a challenge to secure.
These aren't smartphones or laptops that you replace every two to five years or
so. If you're buying a smart washing machine, you may not buy another one for
10 or 15 years. That means the hardware needs to have security designed into it
from the beginning and with room to grow, so it can be patched through its
entire lifecycle.
"It's this massive lack of understanding of the
technologies everyone is going to use and then selling them," product
designer and white hat hacker Joe Grand, currently in London teaching a hardware
hacking course, tells us. "A lot of engineers aren't trained in security. You don't
see a lot of cross-pollination in people making products and breaking
products...there needs to be more mix. It's really, really frustrating."
In other words, the people who make things don't know how to
break things and vice versa so it's like two groups just shouting at each
other. Hardware makers need a bigger presence at the big hacker conferences
like Black Hat and Def Con, and more hackers need to be involved in the
gadget-making process.
And in the meantime, Grand's frustrations will most likely
continue because the Federal Trade Commission, tasked with overseeing the
internet of things, won't be stepping in to sort out the mess—at least not yet.
In late January, the commission published non-binding guidelines for companies to follow. Here
are a few highlights:
- Build security into devices at the outset, rather than as an afterthought in the design process
- Train employees on the importance of security
- Monitor connected devices throughout their expected lifecycle
These are all great ideas, filled with some
lets-all-work-together optimism, but they don't go far enough, according to
Shankar Somasundaram, director of IoT security for Symantec. "It's good
but it's not going to tip it over. You need a little bit more than that,"
Somasundaram says. "Put in a clause that says if you don't follow basic
guidelines in this country, you'll be fined. That extra level creates an actual
incentive."
Grand agrees that the most lasting changes won't come from
companies, but from some form of government regulation. He says big, scary
hacks won't make things safer, just more illegal—which can be a benefit to our
smart home security but also a detriment to internet freedom, by trying to
push terrible CISPA legislation in a time of "crisis."
Preparing for Smart Home Darwinism
The shame of all of this is there are some great smart
products out there that pay attention to security and do make sense in your
home. Nest's Smart Thermostat is a smart home champion, offering tangible and
money-saving convenience. Belkin WeMo is working on Echo Technology devices
that can monitor your entire home's water and energy intake, so you can get
bill estimates and even detect leaks down to the exact pipe or outlet. These are fantastic ideas.
But right now, the smart home is just that: a fantastic idea
without much reality. The internet of things is a bunch of random gadgets,
often trying to fix some invented problem that you don't have by connecting it
to the cloud and controlling it from your smartphone. Why do we need smart
refrigerators and creepy smart
beds, anyway?
The answer is that we don't.
"Dependence is the wellspring of risk, the more you
take on technology, the more risk you take on that technology will negatively
impact your life," Ryan says. "You've got to evaluate everything as a
risk/benefit tradeoff. It's easy to say I want the hottest, newest
everything...that attitude is going to lead to a lot of the security
issues."
A smart thermostat that can analyze energy trends can be a
huge benefit. A bed that can tell you if your kids are sleeping, or a smart
fridge that can tell you when your milk goes bad? Maybe not so much.
The internet of things is inevitable. The problem is that
its architects aren't thinking ahead to the ways that people will use it in
their homes and personal lives. Smart homes need to be less about the dream,
and more grounded in reality. There are a lot of security risks we're willing
to take on the internet because it seems disconnected from our real lives. But
when the internet starts living inside every object in our homes, those risks
become as real as a person breaking in through your windows.