When people talk about M2M and the Internet Of Things, they usually don’t talk much about the related security issues.
But they’re talking about them now.
A couple of weeks ago, computer-security company Proofpoint issued a press release claiming it had uncovered “what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household ‘smart’ appliances.”
From the release:
Just as personal computers can be unknowingly compromised to form robot-like "botnets" that can be used to launch large-scale cyberattacks, Proofpoint's findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the Internet of Things and transform them into "thingbots" to carry out the same type of malicious activity.
Proofpoint says the attack it observed involved “more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks”.
The story made the rounds on tech blogs and mainstream news sites (most of them with refrigerator jokes in the headlines, and the occasional Skynet reference), spurring discussion over just how safe the Internet Of Things is going to be – as if this had never occurred to them before.
Which is surprising to me – surely 20-odd years after the Internet went commercial, most of us have worked out that if you can connect something to the internet, it can be hacked? We already know that malware exists for smartphones – why wouldn’t it exist for cars, smart TVs and Wi-Fi enabled coffee makers?
Anyway, as it turns out, not everyone is all that convinced of Proofpoint’s findings. As Dan Goodin at Ars Technica has pointed out, it’s not that the described attack is implausible, but that Proofpoint’s methodology doesn’t really hold up if you look closely enough, particularly when it comes to determining the exact size of the botnet:
Experienced botnet researchers know that estimating the number of infected machines is a vexingly imprecise endeavor. No technique is perfect, but the scanning of public IP addresses is particularly problematic. Among other things, the intricacies of network address translation mean that the IP address footprint of a home router will be the same as the PC, smart TV, and thermostat connected to the same network.
It's also hard to understand why someone would go to all the trouble of infecting a smart device and then use it to send just 10 spam messages. Traditional spam botnets will push infected PCs to send as many messages as its resources allow. The botnet reported by Proofpoint requires too much effort and not enough reward.
In any case, while Proofpoint’s claims don’t provide much in the way of a smoking gun that such a botnet exists, most security experts don’t doubt that it could exist. And if stories like this get people thinking seriously about M2M/IoT security and doing something about it, that’s probably a good thing.
Because it is a problem – a big one. To get an idea of how big it is, check out this essay from security expert Bruce Schneier posted earlier this month on the hundreds of millions of embedded systems connected to the internet with gaping security flaws that haven’t been patched in the last decade – and hackers are starting to notice:
All it will take is some easy-to-use hacker tools for the script kiddies to get into the game.
And the Internet of Things will only make this problem worse, as the Internet—as well as our homes and bodies—becomes flooded with new embedded devices that will be equally poorly maintained and unpatchable.
See also: this article on NetworkWorld Asia listing five top IoT device categories at risk in the coming year, including in-car Wi-Fi, mobile medical devices and – of course – Google Glass.