
MERIT

Help! My Car is Spying on Me!

Earlier this year, a security firm discovered a global phishing and spam campaign being launched by innocent-seeming household appliances. [1] Over the course of two weeks during the Christmas/New Year's holiday period, hackers compromised more than 100,000 everyday consumer items, such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator. These were then used as a giant botnet to send more than 750,000 malicious emails.

While I’d written about the dangers of the ubiquitous printer back in July of 2013, this hack illustrates the growth and vulnerability of the Internet of Things (IoT). Appliances used to be electro-mechanical and relied on analog controls like fuses and thermistors to regulate a device’s operating condition. As microelectronics gave birth to the embedded system, “smart” appliances were developed that could sense, predict, and communicate their conditions. Remote-controlled and programmable devices became what the consumer expected. As the technology progressed, these devices were given IP addresses and the ability to communicate with a network. The IoT was born.

You might be wondering how many household gadgets talk to the IoT. Some are easy to spot – game controllers, cable TV set-top boxes – but others may be harder to find. Refrigerators, washing machines, dishwashers, even coffee machines all contain IP-addressable embedded systems. A standard American washing machine, for instance, uses embedded processors to control spin speed, water temperature, and heat. There are even IP-addressable light bulbs. [2]

Being part of the IoT brings accessibility and efficiency. It’s the feature that brews your coffee before you wake up or senses the dampness in your laundry and gives the cycle a few extra minutes. The light bulbs will even tell you when they are burning out.

But as with many new capabilities, the IoT is largely without security. You may not care if a hacker compromises your coffee machine, but what if someone was able to take over your car?

Look at your car. OK, look at a newer car. Its RFID key fob can start it. Its Bluetooth dashboard lets you connect your phone or your iPod. GPS tells you where you are and cameras help you park. It even comes with its own array of sensors and controllers for the throttle, brakes, heaters, and seats, all of them embedded systems and communication points through which a hacker can gain access and compromise the system. We already know that your car is spying on you [3], but now it can be hacked from afar.

Car hacking has been popular at Defcon for a couple of years, but (in my humble opinion) is making a giant leap forward as cars become more like rolling entertainment centers. Previously, hackers needed physical access to the car to connect their laptop to the car’s sensor bus, called an OBD-II port. [4] Now they can use wireless techniques to gain access.

As far back as 2011, hackers demonstrated how they could control a car by taking over its cellular phone system. [5] The car’s Bluetooth network is similarly vulnerable. Other avenues of attack include infected MP3 files played in the stereo or malware apps loaded into the console. [6]

As the attack vectors increase, car manufacturers are beginning to design security into their vehicles. “Sandboxing”, the technique of confining an application or device to its own memory space, is used to keep vulnerable devices from communicating with important or safety-critical systems. Other manufacturers are limiting or screening the apps made available to their vehicles through proxies and digital signatures. [6]

The rest of the consumer electronics industry has been slower to respond to the vulnerability of the IoT. After all, when was the last time someone was killed by their washing machine? I expect this attitude might change quickly if the blood bank’s refrigerator at your local hospital stopped doing what it was supposed to. Only time will tell.
