4/30/2014
01:25 PM

Internet of Thingbots: The New Security Worry

Phishing and spam attacks involving Internet of Things devices are coming -- and app developers and device makers must be ready, says a CA Technologies exec.


Builders of consumer appliances over the years haven't devoted a lot of time and energy to matters of security. This made sense when refrigerators, home thermostats, and light bulbs didn't share data or tie into a global network of apps and devices.

Along comes the Internet of Things (IoT), and suddenly security matters. The IoT consisted of 20 billion devices in 2013 and will have 32 billion by 2020, according to the research firm IDC. The boom in IoT-enabled gadgets and sensors is a boon for hackers, whose device-focused attacks are starting to make headlines.

In January, the security provider Proofpoint announced it had uncovered an IoT-based cyberattack in which bursts of spam email were sent three times a day. What made the attack unique was that 25% of the volume was sent by compromised consumer devices such as home routers, televisions, and even a refrigerator.

And in March, the security researcher Nitesh Dhanjani took an in-depth look at the potential security threats facing owners of the IoT-connected Tesla electric car.


The Proofpoint-uncovered phishing and spam attack involving household "thingbots" may be the first of many wakeup calls for IoT developers and manufacturers, Scott Morrison, senior vice president and distinguished engineer at CA Technologies, said in a phone interview with InformationWeek. "Hackers are always looking for yet another place to launch huge outflows of spam email messages. And if you can do it with refrigerators, who would've thought of that before? So it was a very clever attack against an Internet of Things device."

Morrison knows a great deal about application programming interfaces (APIs). A year ago, CA Technologies acquired Layer 7 Technologies, where Morrison was chief technical officer.

"One of the reasons CA bought Layer 7 was to gain Layer 7's expertise in API security management," he said. "APIs -- another of those buzzwords that are out there -- are the technology we're using to tie together applications and allow them to share information."

Two consumer-friendly features -- low cost and simplicity -- may present a problem in the quest for a bulletproof Internet of Things. Embedding connected technology in low-margin consumer gadgets tends to be a formula for creating devices with potential vulnerabilities, Morrison said. "You're building Internet [connectivity] more as a feature of a regular consumer device, rather than an end to itself. And that tends to take the emphasis off good, solid security practices that we put in when building a website or something."

The race to push connected devices out the door isn't helping, either. "The big problem we're seeing these days is, in so many cases, people are rushing to get products out, and they're not putting the time and effort into really securing these devices up front," Morrison said. "It's not like we don't know how to do it; it's just that we're not doing it."

The recent uproar over the Heartbleed security bug in the open-source OpenSSL cryptography library may help shine a spotlight on IoT security. But more work is needed, according to Morrison.

"What's interesting about Heartbleed is that we've been hearing a lot about large websites where people are quickly patching the code and sending out notices [saying], 'We're now patched and compliant,'" he said. "But we haven't been hearing a lot about some of the embedded devices that could potentially be affected. Of course, OpenSSL is widely deployed across all sorts of different devices -- everything from wireless routers and administration consoles to printers and things like that."


Jeff Bertolucci is a technology journalist in Los Angeles who writes mostly for Kiplinger's Personal Finance, The Saturday Evening Post, and InformationWeek.

Comments
mnamboodiri,
User Rank: Apprentice
5/1/2014 | 1:08:14 PM
Scale and cost will be key
Very interesting article. I think the nature and scale of M2M and IoT brings unique cyber security challenges including trust (untrusted devices, networks), cost (cannot be expensive considering the large number of devices), privacy (who owns data and how to securely share it), access (static access controls cannot adjust to dynamic nature of IoT), performance (low power devices can't spare many cycles for security), interoperability, integration into existing security paradigms etc. Not to mention cryptography - how do we seed with good random numbers in order to get good crypto?

Interesting times indeed!
Shane M. O'Neill,
User Rank: Author
4/30/2014 | 5:16:22 PM
Re: Avoiding pitfalls of Internet of People
Hey, I do floss every night.

My high-level observation here is that after witnessing the Target breach and Heartbleed, we're not ready yet for the Internet of things. Security isn't resilient enough and people aren't prudent enough. But here come the vendors pushing out products as fast as they can. I like the idea of connected home appliances that I can control from a smartphone -- it's innovative and useful and there's definitely a cool factor. But I'm going to wait out the hacks and growing pains. See you in 2016.
Lorna Garey,
User Rank: Author
4/30/2014 | 3:30:43 PM
Re: Avoiding pitfalls of Internet of People
Sure, and we should all floss every night too. Let's face it, hardly anyone really understands IPv6, developers whip out APIs with little regard for security, and a fair number of consumers are going to enable their fridges to communicate for no other reason than because it's whiz-bang and cool. We're doomed.
anon9676070838,
User Rank: Apprentice
4/30/2014 | 3:04:00 PM
Avoiding pitfalls of Internet of People
Is there any reason for a refrigerator or TV set to send emails?? Just because it can be done does not mean it should be done. I have been appalled for many years at the level of "amateurism", for lack of a better word, at which the current Internet of people operates. It feels like one temporary solution slapped on the other, without ever taking a pause and redesigning it with security in mind. Domains are not "entrusted", emails can be sent in a deceiving way, pretending to be from somewhere or someone else, etc. We should really make sure that the Internet of things does not go the same way. Each IP address should be registered and entrusted, "things" should have limited, but strictly defined functionality and strong encryption protocols should be used in communicating with them.
Laurianne,
User Rank: Author
4/30/2014 | 2:21:22 PM
Re: Compromised IoT, a cheaper way to SPAM?
I agree, we should not be surprised to see new types of device hacks. Take this week's news around a baby monitor being hacked. Anything with a camera deserves special scrutiny.
techsplyce,
User Rank: Apprentice
4/30/2014 | 2:11:24 PM
Security and the Internet of Things
Security will be the number one concern when the Internet of things is being introduced into the general public. No one would be willing to trade security for convenience on this level. That means that the companies that stand to make billions off the industry need to have universal security protocols. This protects the industry and the consumer. Everybody wins.

http://techsplyce.wordpress.com/2014/04/29/security-and-the-internet-of-things/
Stratustician,
User Rank: Ninja
4/30/2014 | 2:07:31 PM
Compromised IoT, a cheaper way to SPAM?
It makes perfect sense that malicious traffic is going to look for a new way to be transmitted, and with the increased awareness of users when it comes to computers, laptops, tablets and smartphones, it isn't a surprise that the path of least resistance when it comes to infecting data-creating devices will be to leverage these smart or connected endpoints to be the new sources to push out the traffic.  Until proper security can be built into the devices themselves, we can expect to see a steady increase in malicious traffic as the adoption rate of IoT increases as well.