David Knight, information security manager at Proofpoint, says the attackers had essentially established a botnet-style Internet of Things—something we're more familiar with seeing on computers, where devices are unknowingly hijacked to do things like send spam or host illicit pornography. He expects to see many more of what he refers to as "thingbots" as connected devices are scattered throughout the home, especially since the security of many of these devices consists of little more than a simple web interface that prompts you to set up a username and password.
"Whatever the security was, it was inadequate," says Knight, who suspects the devices were compromised simply by exploiting known Linux vulnerabilities.
Hackers have wreaked havoc on computers via the internet, leading to data breaches and system crashes. Now that the trend is to add connectivity to everything from cooking pots to light bulbs, the risks are even greater and more personal. Antivirus software has helped PCs, but you can't simply install a desktop software package on a smart toaster, and as a result, connected home devices typically rely on the user being online and creating a username and password for protection.
A number of high-tech companies and industry groups say that "smart" devices are arriving in stores with little security protection. Security experts blame a number of factors for the problem: startups may put security on the back burner in their rush to get products to your doorstep, and established companies that have traditionally operated without connectivity, such as manufacturers of audio equipment or televisions, may simply not realize the need for protection against threats when it comes to internet-connected devices.
"They're not stupid," says Marc Rogers, lead security researcher at Lookout, a mobile security company. "They've just never dealt with it before.".
Thus, while companies are rolling out everything from "smart" lights and smartphone-controlled door locks to connected toilets and blood pressure monitors, a movement is also underway to make these products as safe as possible.
For Rogers at Lookout, this means hacking into and sometimes physically dismantling internet-connected devices to find their security flaws. Last summer, Rogers and his team discovered a vulnerability in Google's headset computer, Google Glass. More recently, Rogers has been identifying and comparing security measures in internet-enabled cameras and entertainment systems.
"Basically, I'm breaking things, then I work on it: What's being done right? What's being done wrong? What are the lessons to be learned here?" he says.
Like many other technology companies, Lookout recognizes the growing influence of internet-connected devices—a space so hot that Google announced last week it will pay $3.2 billion to acquire Nest Labs, the maker of smart thermostats and smoke alarms. Last year, there were more than 10 billion connected devices, and that number is projected to reach as high as 50 billion by 2020, according to an estimate by networking equipment manufacturer Cisco.
Hoping to minimize the security risks posed by all this growth, Rogers is developing a set of security standards that companies can follow when developing connected products. He declines to be specific about what Internet of Things standards might include, but says he leans toward relying on "the most mature standards for the Internet" and is using the Open Web Application Security Project's "Top 10" list of security risks as a guide, since it details many types of risks that could affect all kinds of Internet-connected devices.
"Right now, I think everyone is kind of doing their own thing, but there's a growing voice saying, 'Let's all come together, let's try to synchronize on this,'" he says.
The AllSeen Alliance, an Internet of Things industry group formed in December to promote interoperability between connected devices, regardless of their manufacturer, thinks that open-source software that is under development could also help.
The group's software will be based on AllJoyn, Qualcomm's open-source Internet of Things software, which is made by the smartphone chipmaker (and is a member of the group). Liat Ben-Zur, president of the AllJoyn Alliance and head of Qualcomm's AllJoyn unit, says that AllJoyn allows app developers to decide what level of security to build into their apps—for example, whether or not to encrypt data transferred from a smart toothbrush to a corresponding smartphone app. AllJoyn also offers more nuanced security options, he says, such as allowing a visiting friend to control your home's air conditioner, but only within a certain temperature range, and only for the two days they are in town.
Methods for granting temporary access are already appearing in some smart locks not yet on the market—among the few connected devices trying to market their security—such as Goji, which lets you set times when friends can enter your home using their phones. So far, however, this is not the norm.
A similar idea to the one Ben-Zur describes is being explored at Mocana, a mobile security and Internet of Things company. Mocana is working on a kind of digital matrix of codenames called AtoM (for "application to machine") that Chief Technology Officer James Blaisdell says will allow different users to manage and control security devices at scale, with varying levels of authority.
The company expects to roll it out later this year. Initially, it will be geared toward industrial applications, says Blaisdell, such as allowing a wind turbine manufacturer to monitor its maintenance while letting an electric utility see how much energy it's generating. It's also likely to be used for other things, like household appliances.
"It's the same kind of question: how do you connect all these devices securely and make them able to interact with each other securely?" he asks.
Even if something like a smart stereo or coffee maker has been hacked, it can be more difficult to tell than in the case of a laptop or smartphone. These devices often lack visual representation, and if they are involved in an attack similar to the one seen on Proofpoint, they might not show any signs of trouble.
In some cases, then, the simplest solution may simply be to limit the number of devices that can connect to the internet. One thing AllJoyn software from the AllSeen Alliance can do is enable smart devices to communicate only with other devices in the home—a group of light bulbs, for example, or a door lock—and prevent them from connecting to the internet beyond that. For some connectivity addicts, this might sound restrictive, but Ben-Zur sees it as a way to keep devices more secure and private.
"I don't necessarily want a cloud service that knows every time I walk in and out of my door," says Ben-Zur.
Source: Rachel Metz, MIT.
