Hacking The Internet Of Things, Or Superenigmatix: When Your Home Appliances Turn Against You

--

This is an alert to a new phenomenon of hacking: Botting your home appliances, aka "The Internet of Things." This revelation is both hilarious AND scary.

Before I jump into the articles: 
What is 'The Internet of Things?' (IoT) 
This article at Wikipedia will get you started:

https://en.wikipedia.org/wiki/Internet_of_Things

Here are a couple prescient articles about the inherent security problems of 'The Internet of Things'. The first is from the Tips4Tech Blog from May 28, 2013:

Internet of Things? More Like the Internet of Attack Vectors

…And so now, we add the “Internet of Things” to the equation which will also be using Internet protocols. Companies and organizations that never had to deal with security issues will now have to think about ways to keep inbound and outbound data safe for all devices. Those of us who are security professionals have the tools and know the rules to keep most of the bad stuff out. But what happens when there is no oversight? Anybody will be able to get into the game of the “Internet of Things.” Most network devices have the ability to be secured, but who says that the vendors of this new world will know what to do?

The second was written for the MIT Technology Review last August:

More Connected Homes, More Problems
They might offer convenience or potential cost savings, but Internet-connected home appliances may also create security risks.
- By Rachel Metz on August 13, 2013

…As we connect more and more devices to the Internet, everything from the thermostat to the toilet to the front door itself may create a potential new opening for electronic intruders. As with computers, there are ways to protect these devices from outsiders, but Crowley and Bryan’s experiences indicate that, for now at least, this isn’t always a primary concern for companies in a rush to sell this equipment. Making devices more secure can add time to product development....

Security researchers fear that the risks presented by these new types of gadgets are especially concerning. If hackers can exploit a weakness in a single type of Internet-connected home appliance or system—such as an Internet-connected door lock—they may be able to harm thousands of people at once. “It might be some effort to get this kind of scenario, but if breaking into one server means you get to ransack 100, 1,000, 10,000 people’s homes, that’s definitely worth it, and that’s where the real danger lies,” Crowley says. 

Then 2014 hits, and the freaky fun news begins! 

Your home has been botted.

Smart refrigerators and TVs hacked to send out spam, according to a new report

- Julianne Pepitone NBC News

Security firm Proofpoint has uncovered a cyberattack that involved the hacking of “smart” home appliances connected to the Internet. Hackers broke into more than 100,000 gadgets -- including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23 and January 6....

Perhaps worse: In “many cases,” the smart devices weren’t difficult to hack, according to Proofpoint. Instead, the appliances either were not set up correctly, or they used default passwords that were easy to find on public networks.

Incorrectly setup home devices? That's nothing new! I believe I've written here previously about my hacking into a neighbor's router to change their radio band setting to my leaching benefit! Once, I even had an IT professional argue with me that password encryption protecting of his home router was 'not important'. He learned otherwise.

Proofpoint Uncovers Internet of Things (IoT) Cyberattack
More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge 

As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets....

What astounds me is that the operating systems, memory and CPUs on these devices are powerful enough to even BE botted! Is this embedded system OVERKILL? I think so.

Cyber criminals intent on stealing individual identities and infiltrating enterprise IT systems have found a target-rich environment in these poorly protected internet connected devices that may be more attractive and easier to infect and control than PC, laptops, or tablets.

This is SERIOUS 'Version 1.0 Syndrome'. Oh dear!

The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator....

"Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them." . . . .

"The 'Internet of Things' holds great promise for enabling control of all of the gadgets that we use on a daily basis. It also holds great promise for cybercriminals who can use our homes' routers, televisions, refrigerators and other Internet-connected devices to launch large and distributed attacks", said Michael Osterman, principal analyst at Osterman Research. "Internet-enabled devices represent an enormous threat because they are easy to penetrate, consumers have little incentive to make them more secure, the rapidly growing number of devices can send malicious content almost undetected, few vendors are taking steps to protect against this threat, and the existing security model simply won't work to solve the problem."

Oh great! No user incentive to make their 'Internet of Things' more secure. Bot wranglers must be in ecstasy!

My first question when a friend (Hi Nick!) pointed out this news was 'What manufacturers make these insecure refrigerators?!' 

I have yet to find a decent list of  'smart' (or perhaps 'stupid' is more descriptive) appliance manufacturers. But it turns out that companies involved in the technology end of 'The Internet of Things' are vast! Here is one ongoing list:

Internet of Things – Big List of Companies, Products, Devices and Software by Sector

Obviously, this is going to be an enormous subject in 2014, if not for years. Keep an eye out as the botnet of 'The Internet of Things' develops.

~ ~ ~

This PWNed home appliance phenomenon reminds me of two things. The first is a philosophy and the second is a song:

The Philosophy

Ludditism

n.
1. Any of a group of British workers who between 1811 and 1816 rioted and destroyed laborsaving textile machinery in the belief that such machinery would diminish employment.
2. One who opposes technical or technological change.

I know there is some argument about the actual facts of the Luddite movement and its meaning. But 'Luddite' has nonetheless become the single most popular term for anyone motivated to turn their back on technological progress. I also know that using this term is a great way to raise the hair of any tyrannical technologist.

There are a number of sci-fi books using the theme of Ludditism. One I recently read was 'The Difference Engine' by none other than William Gibson and Bruce Sterling.

With the catastrophe of one's router, oven, refrigerator, door lock, home entertainment, lighting and alarm systems all conspiring against you, can you imagine the lash-back from certain users who'd rather just go back to 'the old ways'? I certainly can!

The Song

From back when I was a kid, one of my favorite music mavens is Bill Nelson, formerly of the group 'BeBop Deluxe'. In 1978 he wrote the first of his hyperactive future-paranoia albums entitled 'Drastic Plastic'. My favorite song from the album, the one that best summarized his artistic theme at the time, was 'Superenigmatix (Lethal Appliances for the Home with Everything)'. Here, for your reading pleasure, are the lyrics. Note their significance to the current plight of 'The Internet of Things':

Superenigmatix, there's one hiding in the attic,
And it's getting all ecstatic cause it goes on automatic,
When the lights go out.

There's one in the TV and it's waiting there to please me,
And I've got to take it easy cause I know that it can see me,
When the lights go out.

Inside, outside, watching me both night and day.
Sometimes I wish I could make it go away.

Sometimes when I'm dreaming, I awake to find I'm screaming,
Cause they've taken all the meaning from the book that I was reading,
When the lights went out.

I know it seems outspoken but I'd love to see them broken,
No more orders, no more slogans, no more keeping my eyes open,
When the lights go out.

Inside, outside, watching me both night and day.
Sometimes I wish I could make them go away.

Superenigmatix, always amateur dramatic,
And they're trying to get me at it,
But I think I'm going to kick them in!

Here is a link to the song itself, as uploaded to YouTube. I can't guaranteed that such things are allowed to last at YouTube. But for the moment:

http://www.youtube.com/watch?v=kXHGPbRb7NU

Enjoy (!) And Share,

:-Derek

--

ADDENDUM

Here is Dan Goodin's take on hacking The Internet of Things:

Is your refrigerator really part of a massive spam-sending botnet?

Ars unravels the report that hackers have commandeered 100,000 smart devices.

by Dan Goodin - Jan 17 2014, 3:25pm EST

No doubt, there's a lot more about hacking The Internet of Things yet to come.

--