In late 2011, it emerged that Chinese hackers had thoroughly compromised the United States Chamber of Commerce, perforating the lobbying-group’s networks with a devastating chain of backdoors. Chamber officials admitted that hackers had gained unfettered access to their systems, stealing everything from email spools to international trade-policy documents to notes from corporate meetings. All-in-all, the Chamber of Commerce had been the victim of a completely conventional APT-style attack. The only reason I even remember this attack – among a seemingly unceasing array similar ones – is because during the post-hack-clean-up process, investigators found a thermostat in a building on Capitol Hill communicating with an IP address somewhere in China.
If you’re reading this, it is overwhelmingly likely that you own an Internet connected thing that only five years ago would not have been made to access the Internet. This is the essence of the “Internet of things.” The Internet was once a hub connecting computers and servers. At this point, the Internet of things has expanded so aggressively that I’m not even sure what counts as a computer anymore. Nearly everything has an IP address and an Internet connection: cars, home appliances, medical devices, phones, video game consoles, Google developed a pair of Internet ready glasses, and I’ve even heard rumors about a tweeting beer tap.
Think of network security as a labyrinth: the more exits and entrances the labyrinth has, the easier it is to escape. Similarly, the more devices there are connected to a network, the more opportunities an attacker has to compromise that network. Simply put: every device represents a possible path into the network and, by extension, onto its machines.
This is the nightmare that systems administrators and IT teams face as more and more companies are forced to adopt bring-your-own-device (BYOD) policies. The prospect of letting hordes of employees – with their disparate understandings of modern technology – connect a myriad of different devices to the corporate network is terrifying, I am sure, but this is something of an intangible threat to those of us that don’t toil away at the help desk.
On the Internet of things there are far more palpable threats. The guys that design operating systems and software at Apple and Google and Microsoft and all the other computer giants are thinking about security. Sure, they get a lot of flak for all the vulnerabilities and exploits that pop up, but at least they are thinking about security.
The guy that designed the industrial control box that regulates chemicals at the neighborhood swimming pool, on the other hand; I am not so certain that he was thinking about security when he made that device connect to the Internet so that the pool operator could regulate chemicals remotely. This same logic can be applied to an ever-expanding list of hackable machines: there are published exploit-concepts demonstrating wireless attacks targeting things as small as embedded medical devices, like pacemakers and insulin pumps, or as big as commercial airplanes. Everything from televisions to new-age smart meters are potentially vulnerable and nobody is designing security products for them. A strong internet security product is often the only thing standing between my computer and a crippling malware infection. No such barrier exists for many of these newly Internet capable gadgets.
If you think we’re blowing smoke here, then read about the Carna Botnet, which is also known as the Internet Census of 2012. An unidentified researcher managed to upload benign code onto some 420,000 embedded devices that were accessible online with default credentials. He could have easily uploaded malicious code onto them.
The reality with this panoply of Internet connected things is that there are just too many players designing too many incompatible systems getting paid too much money to push operable but not necessarily secure products out the door. The only way we could ever secure these things, here in the U.S. that is, would be to pass some sort of national regulatory law. Unfortunately, such a law would be nearly impossible to draft, given its broad impact on profitable companies, and absolutely impossible to pass, because the word “regulate” is not a popular one among the reluctant legislators in Washington D.C.
The U.S. Food and Drug administration and the Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ISC-CERT) have been working together in an attempt to get medical device manufacturers to take security more seriously. This partnership addresses a definite need, especially considering a recent ISC-CERT advisory regarding some 400 medical devices with default login credentials giving access to critical device settings. Recommendations and guidelines and other toothless warnings are unlikely solutions to this problem. For the time being we really just have to live with the insecurity. The best you can do is be aware and be cautious.on