Frankenmeat may not be the only spam in your refrigerator. A month or so ago, a smart refrigerator was identified as a source of malicious emails. That's just one example of the future we face as we connect millions of insecure devices to the Internet. Eric Vyncke, a distinguished engineer with Cisco, described the risks and proposed some solutions in a presentation at the RSA Security Conference in San Francisco last week.
The Internet of Things (IoT) is a blanket term used to describe our increasingly connected world. Refrigerators, thermostats, cars, smoke detectors, watches, glasses, and just about every other appliance you can think of are being connected to the Internet to provide remote access or to monitor and collect data. IoT has tremendous potential to enhance our standard of living, but it also introduces substantial risk for devices that were previously immune from such threats.
Vyncke explained that worms, trojans, and botnets that were once limited to PCs and mobile devices can now infect a television or home security system. A new generation of “script kiddie” has been born—hackers without a specific goal or malicious intent who access things just because they can. These opportunists watch you on your insecure webcam or home security monitoring system, steal content, adjust your thermostat, or even turn off your lights. Even things that don’t have an IP address of their own—like a Nike FuelBand fitness device, for example—still pose some risk because they collect potentially sensitive information about you and sync that information to the Internet where it could be hacked and compromised.
As annoying as that may be, the real concern is organized crime and cyber terrorism. IoT gives professional hackers and malware developers access to intellectual property and an ability to spy on or sabotage manufacturing facilities and critical infrastructure systems like the power grid, oil pipelines, nuclear power plants, and railway systems. On a more personal level, a criminal who can hack your smart metering utility system can identify when usage drops and assume that means nobody is home.
Vyncke suggested that the Internet of Things is far too broad for security analysis to be performed against all use cases and risk scenarios. He told the audience that developers need to focus on generic properties that are common across its different technologies. If we cut the problem into smaller, more manageable pieces, we can at least begin to take steps in the right direction.