In late December, a researcher at enterprise security company Proofpoint noticed something strange: a security gateway was logging hundreds of thousands of malicious e-mails that were clearly being sent out by over 100,000 Linux-running devices, but they weren’t PCs. Rather, they were Internet-connected consumer gadgets including routers, TVs, multimedia centers, and even a fridge.
David Knight, general manager of Proofpoint’s information security unit, says the attackers had essentially built a botnet out of Internet of things devices, the kind of thing we are used to seeing on PCs, in which the machines are hijacked without their owners’ knowledge and used to send spam or host illicit pornography. He expects to see many more of what he calls “thingbots” as connected devices spread through the home, especially since the only security on many of these gadgets is a simple Web interface that asks the user to set a username and password.
“Whatever security was there was inadequate,” says Knight, who suspects the devices were compromised by simply exploiting known Linux vulnerabilities.
Hackers have long wreaked havoc on PCs via the Internet, leading to data breaches and computer crashes. Now that the rush is on to add connectivity to everything from crockpots to light bulbs, the stakes get even higher—and more personal (see “More Connected Homes, More Problems”). Antivirus software helped PCs, but you can’t simply install a software suite developed for your desktop on a smart toaster; instead, connected home devices typically rely on the user going online and setting up a username and password for protection.
A number of tech companies and industry groups say that “smart” devices are hitting store shelves with little in the way of security protection. Security experts blame a number of factors for the problem: startups may put security in the backseat in their haste to get products out the door, and established companies that have traditionally operated offline—like stereo or TV manufacturers—could simply fail to realize that they need to protect against threats when it comes to Internet-connected gadgets.
“They’re not being stupid,” says Marc Rogers, lead security researcher at mobile security company Lookout. “It’s just not something they’ve had to deal with.”
So while companies roll out everything from “smart” lights and door locks that you can control with a smartphone to connected toilets and blood-pressure monitors, a movement is also afoot to make these products as secure as possible.
For Rogers at Lookout, this means hacking into and sometimes physically dismantling Internet-connected devices to figure out where their security flaws lie. Last summer, Rogers and his team uncovered a weakness within Google’s head-worn computer, Google Glass (see “Researchers Find Security Cracks in Google Glass”). More recently, Rogers has been identifying and comparing the security measures in Internet-capable cameras and entertainment systems.
“I’m basically breaking things, then working out: What’s being done well? What’s being done badly? What are the lessons here?” he says.
Like many other tech companies, Lookout recognizes the rising influence of Internet-connectable devices—a space so hot that Google said last week that it will shell out $3.2 billion to buy smart thermostat and smoke alarm maker Nest. Last year, there were over 10 billion connected devices, and this number will climb as high as 50 billion by 2020, according to an estimate by networking equipment maker Cisco.
In the hopes of minimizing security risks posed by all this growth, Rogers is developing a set of security standards that companies can follow when developing connected products. He declines to get specific about what the Internet of things standards could include, but says he is leaning toward relying on “the more mature standards for the Internet” and is using the Open Web Application Security Project’s “Top 10” security risks list as a guide, since it details many types of risks that could affect all kinds of Internet-connected devices.
“Right now, I think everyone is kind of doing their own thing, but there is a growing voice to say, ‘Let’s get everyone together, let’s try and get synchronized on this,’ ” he says.
The AllSeen Alliance, an Internet of things industry group formed in December to encourage interoperability among connected devices regardless of their manufacturer, thinks the open-source software it’s developing could help, too.
The group’s software will be based on AllJoyn, the open-source Internet of things software from smartphone chip maker (and group member) Qualcomm. Liat Ben-Zur, the AllSeen Alliance’s chairperson and head of Qualcomm’s AllJoyn unit, says AllJoyn lets app developers decide how much security to build into their applications, such as whether to encrypt the data a smart toothbrush sends to its companion smartphone app. AllJoyn also supports more nuanced access controls, she says, such as letting a visiting friend adjust your connected air conditioner, but only within a certain temperature range and only for the two days he is in town.
Time-limited access of this kind is already showing up in some yet-to-be-released smart door locks, among the few connected devices that tout their security. Goji, for example, lets you set the hours during which friends can unlock your door with their phones. So far, though, this is the exception rather than the rule.
A similar idea to what Ben-Zur describes is in the works at Mocana, a mobile and Internet-of-things security company. Mocana is working on a sort of digital matrix product code-named AtoM (for “app to machine”) that chief technology officer James Blaisdell says will allow different users to manage and control devices securely at scale, with different levels of authority.
The company expects to roll it out late this year. Initially it will be geared toward industrial applications, Blaisdell says, like allowing the manufacturer of a wind turbine to see how it is being maintained while letting an electric utility see how much power it is generating. He can imagine it being used for other things as well, such as home gadgets.
“It’s the same sorts of issues: how do you connect all these devices securely and have them be able to interact with each other securely?” he says.
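The scoped, time-bounded delegation that Ben-Zur and Blaisdell describe (a friend may set the air conditioner, but only within a temperature range and only while in town) boils down to a small default-deny authorization check. The following is an added example, not AllJoyn or Mocana code: it evaluates requests against a constructed grant that lets a friend’s phone set one air conditioner between 20 and 24 C for exactly two days. The names `Grant`, `authorize` and `check_at`, the device and subject identifiers, and the arrival time are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One delegated capability: who may perform which action on which device,
    within which argument bounds, and during which time window."""
    subject: str                       # identity of the delegate, e.g. a friend's phone
    device: str                        # the single device the grant covers
    action: str                        # the single operation permitted
    valid_from: datetime               # start of the window (inclusive, UTC)
    valid_to: datetime                 # end of the window (exclusive, UTC)
    min_value: Optional[float] = None  # lower bound on the action's argument, if any
    max_value: Optional[float] = None  # upper bound on the action's argument, if any


def authorize(grants: Iterable[Grant], subject: str, device: str, action: str,
              value: Optional[float], now: datetime) -> Tuple[bool, str]:
    """Default deny: allow only if some grant matches subject, device and action
    and the request satisfies that grant's time window and value bounds."""
    reason = "no grant for this subject, device and action"
    for g in grants:
        if (g.subject, g.device, g.action) != (subject, device, action):
            continue
        if not (g.valid_from <= now < g.valid_to):
            reason = "grant exists but the request is outside its time window"
            continue
        bounded = g.min_value is not None or g.max_value is not None
        if bounded and value is None:
            reason = "grant bounds the argument but none was supplied"
            continue
        if g.min_value is not None and value < g.min_value:
            reason = f"value {value} is below the permitted minimum {g.min_value}"
            continue
        if g.max_value is not None and value > g.max_value:
            reason = f"value {value} is above the permitted maximum {g.max_value}"
            continue
        return True, "allowed by a matching grant"
    return False, reason


# Constructed scenario (assumed, not from the article): the friend arrives at noon UTC
# on 2014-01-20 and may set the living-room air conditioner to 20..24 C for two days.
ARRIVAL = datetime(2014, 1, 20, 12, 0, tzinfo=timezone.utc)
GUEST_GRANTS = [
    Grant(subject="friend-phone", device="ac-living-room", action="set_temperature",
          valid_from=ARRIVAL, valid_to=ARRIVAL + timedelta(days=2),
          min_value=20.0, max_value=24.0),
]


def check_at(hours_after_arrival: float, subject: str = "friend-phone",
             device: str = "ac-living-room", action: str = "set_temperature",
             value: Optional[float] = 22.0) -> Tuple[bool, str]:
    """Evaluate a request against GUEST_GRANTS at a time relative to the friend's arrival."""
    now = ARRIVAL + timedelta(hours=hours_after_arrival)
    return authorize(GUEST_GRANTS, subject, device, action, value, now)


if __name__ == "__main__":
    for hours, kwargs in [(1, {}), (1, {"value": 30.0}),
                          (1, {"device": "front-door-lock"}), (60, {})]:
        print(hours, kwargs, check_at(hours, **kwargs))
```

The evaluator never falls through to "allow": a request that matches no grant, arrives after the window closes, names a different device, or pushes the setpoint outside the bounds is denied with a reason that can be logged. Expiry is checked on every request rather than at grant creation, so revocation is simply removing the grant from the list.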
It can also be harder to tell that a smart stereo or coffee maker has been hacked than it is for a laptop or smartphone. These devices often have no display, and if they are participating in an attack like the one Proofpoint observed, they may show no sign of trouble at all.
In some cases, then, the simplest solution may be to simply limit the number of devices that can connect to the Internet. One thing the AllSeen Alliance’s AllJoyn software can do is enable smart devices to communicate just with other devices in the home—a group of light bulbs, for instance, or a door lock—and not connect to the Internet beyond. To some connection junkies, it might sound limiting, but Ben-Zur sees it as a way to keep your devices safer and more private, too.
“I don’t necessarily want a cloud service to know every single time I walk in and out of my front door,” Ben-Zur says.
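Because a hijacked fridge shows no symptoms on the device itself, the practical check is on the home network, which is also where a local-only policy of the kind Ben-Zur describes is enforced. The following is an added example, not Proofpoint’s or the AllSeen Alliance’s code: it runs over a few constructed flow records and flags, first, LAN hosts opening direct SMTP connections to many outside servers (the pattern of a spam-sending thingbot) and, second, devices that were supposed to stay on the LAN but reached an outside address. The 192.168.1.0/24 prefix, the addresses, the flow format and the thresholds are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Assumed home LAN prefix; everything outside it is treated as "the Internet".
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed flow records, not real traffic: time,src,dst,dst_port,proto,bytes.
# 192.168.1.42 plays the hijacked fridge, .10 a laptop, .20 a smart TV.
SAMPLE_FLOWS = """\
2013-12-27T02:14:03Z,192.168.1.42,203.0.113.10,25,tcp,5120
2013-12-27T02:14:05Z,192.168.1.42,198.51.100.7,25,tcp,4870
2013-12-27T02:14:09Z,192.168.1.42,203.0.113.44,25,tcp,5011
2013-12-27T02:14:12Z,192.168.1.42,198.51.100.91,25,tcp,4999
2013-12-27T02:14:15Z,192.168.1.42,203.0.113.77,25,tcp,5300
2013-12-27T02:15:00Z,192.168.1.10,203.0.113.5,443,tcp,22000
2013-12-27T02:15:02Z,192.168.1.10,198.51.100.2,25,tcp,3100
2013-12-27T02:16:30Z,192.168.1.20,203.0.113.60,443,tcp,80000
2013-12-27T02:16:31Z,192.168.1.20,192.168.1.1,53,udp,120
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the six-column CSV flow format above into dicts with typed fields."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        time, src, dst, port, proto, nbytes = row
        flows.append({"time": time, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "dst_port": int(port),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def find_smtp_senders(flows: List[dict], min_distinct_dst: int = 3) -> Dict[str, int]:
    """LAN hosts that opened direct TCP/25 connections to at least min_distinct_dst
    distinct outside servers. A fridge or TV has no legitimate reason to do this;
    a spam-sending bot does it constantly. Returns {source: distinct servers}."""
    dsts = defaultdict(set)
    for f in flows:
        if (f["src"] in LAN and f["dst"] not in LAN
                and f["proto"] == "tcp" and f["dst_port"] == 25):
            dsts[str(f["src"])].add(f["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dst}


def find_egress_violations(flows: List[dict], local_only: List[str]) -> Dict[str, list]:
    """Devices declared LAN-only (the "talk only to other things in the house" posture)
    that nevertheless reached an address outside the LAN. Returns {source: [(dst, port)]}."""
    watched = {ipaddress.ip_address(a) for a in local_only}
    hits = defaultdict(set)
    for f in flows:
        if f["src"] in watched and f["dst"] not in LAN:
            hits[str(f["src"])].add((str(f["dst"]), f["dst_port"]))
    return {src: sorted(v) for src, v in hits.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("likely spam bots:", find_smtp_senders(flows))
    print("LAN-only devices that reached the Internet:",
          find_egress_violations(flows, ["192.168.1.20", "192.168.1.42"]))
```

The distinct-destination threshold separates a mail client talking to its one provider from a bot spraying many mail exchangers; the laptop's single TCP/25 flow is ignored by default. The egress check is the detection counterpart of the router rule that actually blocks such devices: once a light bulb or lock is declared LAN-only, any flow from it to an outside address is itself the alert, regardless of port.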