As you might have read, the security research firm Proofpoint claims to have found a botnet of 100,000 compromised “smart” appliances, including smart fridges, that is being used to send spam.
It claims that, in a wave of attacks between December 23, 2013 and January 6, 2014, around 750,000 malicious emails were sent from compromised smart appliances.
As you can imagine, the tale of the mutant hacked fridges has attracted largely uncritical coverage from news websites around the world.
Now, as Ars Technica points out, there were a few problems with Proofpoint's methodology, the worst being that it could not produce a sample of the malware involved or identify a command-and-control server for the attacks.
That said, while the methodology used to collect the information may be flawed, the risk it points to – that poorly secured “smart” appliances will be hacked – is a very real one.
In the coming year, millions of smart appliances will potentially be connected to the internet worldwide. LG estimates that, by the end of the year, 65% of the TVs it sells worldwide will be smart TVs running its webOS platform. Google certainly wouldn’t have spent US$3.2 billion buying smart thermostat and smoke alarm maker Nest if it didn’t see a big future for the smart appliance sector.
For consumers, there will potentially be many advantages to owning such smart appliances. Using an app to tell your air conditioner to switch on before you get home is likely to be very convenient. Not having to hook up anything else to your TV in order to watch a movie or play a game is convenient too.
However, it is critical to remember that each of these smart appliances is as much a computer as your desktop, laptop, smartphone or tablet. Often, these smart appliances include web or email servers as key parts of their software.
And they will need to be kept secure when they’re connected to the internet, just like any other computer.
The things that should not be on the internet
Of course, at this point, the damage a hacker could do by planting malware on a smart fridge is limited. They might send nasty emails from it, spy on you when you open your fridge door or perhaps learn that you’re planning to buy more milk.
But the same cannot be said for some of the other “things” increasingly being connected to the internet.
A recent news article suggests there are around 60,000 industrial control computer systems (known as “supervisory control and data acquisition” or “SCADA” systems) connected to the open internet right now.
These systems are used to control vital infrastructure, including nuclear power plants, water supplies and pumps, sewage treatment plants, factories, oil refineries, coal- or gas-fired power plants and public transport systems: systems that could cause large-scale disruption or death were they ever to go offline for a significant period of time.
Many of these systems have documented vulnerabilities that remain unpatched.
A competent manager of a SCADA system would realise that the risks involved in connecting such a vital system to the internet, even with the best security, far outweigh any convenience that could be gained by administering it remotely.
In practice, far too many have already been connected to the internet without a full risk assessment, because the convenience of remote administration has been allowed to trump the massive risks involved.
Time to think through this issue carefully
Until recently, most of the computers connected to the internet have been either end-user computing devices (desktops, laptops, tablets and smartphones) or servers.
With the internet of things, there’s a growing temptation to connect all sorts of other computer-controlled “things” – from fridges and thermostats to TVs and nuclear power plants – to the internet.
There’s no point in being modern-day Luddites about this change – there will be many benefits to consumers. However, it is just as important to be mindful of the security risks involved.
And, more importantly, we need to recognise that some things simply should not be connected to the internet.