The media was abuzz recently over the announcement that a refrigerator had fallen victim to a cyber attack. The revelation that seemingly ordinary household appliances could be preyed upon by the dark side of the internet surprised some people, but for those who have been following the emergence of internet-connected devices, commonly called the Internet of Things (IoT), the surprise was only that it had taken this long to happen. This hacked refrigerator is a forerunner of the dark side of the IoT, and its attack should serve as a warning for anyone designing any type of embedded system, even a seemingly mundane kitchen appliance.
The security company Proofpoint uncovered a massive email spam campaign in early January of this year (http://www.proofpoint.com/about-us/press-releases/01162014.php). Spam campaigns typically rely on a “botnet,” which is a network of ordinary computer systems that have been compromised, usually unbeknownst to their users, and turned into malicious robot slaves called “bots.” These bots are then used in large groups by an attacker to send out spam messages. Rather than being limited to just the few computer systems that the attacker might own, a botnet amplifies the attacker’s ability to produce messages by providing an army of zombie systems ready to produce massive amounts of spam from all over the world on the attacker’s command.
Botnets and spam campaigns are hardly new, but the interesting thing about this one is the type of systems that were compromised. More than a quarter of the bots in the botnet were not traditional laptop, desktop or mobile device systems; instead, they were household appliances. Most of them were routers, multi-media devices and smart televisions, but Proofpoint confirmed that at least one of the devices was an internet-connected refrigerator. This may very well be the first botnet spam campaign to utilize such a high percentage of IoT devices. Additionally, the announcement from Proofpoint makes the point that the type of attack used to compromise the systems and build the botnet was not particularly sophisticated; rather, most of these devices still had unchanged, default administrator passwords or were running outdated software containing well-known vulnerabilities. In other words, somebody left the door unlocked and wide open.
Other than the addition of more spam email on the internet, there is no immediate security threat from this particular spam campaign. However, since it may be the first confirmed IoT cyber attack, it does raise some serious concerns for the future. For one, as we all purchase more and more internet-connected devices, the number of internet-capable systems will multiply rapidly. From a security standpoint, that’s a whole lot more systems that can potentially fall victim to cyber attacks. Another concern, accurately addressed in much of the news coverage, is that IoT devices typically do not have a traditional user interface like that of a desktop or laptop. As such, typical users will have no way to know if their devices are doing something unwanted like sending out spam. Perhaps a bigger concern than these, though, is that not all future attacks on IoT devices will be simple spam botnets. The possibilities are wide and varied, ranging from a compromised refrigerator being told to run too warm so that food spoils, to a compromised smart television giving up your video streaming service account information to a cyber thief, to a compromised home router sharing all of your internet activity with a malicious third party. Spam is a problem, but the IoT presents cyber attackers with a whole new avenue of possibilities unavailable to them today.
Security is not just something for academics and designers of military systems to worry about anymore. The case of the fridge and TV botnet underlines the critical need for all computer system developers to design with security in mind, regardless of how seemingly mundane the end product will be. The challenge of securing the IoT is bigger than any one appliance or device, but it is imperative that all of us who develop systems secure them. The chill of the zombie fridge reminds us yet again that we must make sure that we lock the door.