Internet of Thingbots: The New Security Worry - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Management // Big Data Analytics

Internet of Thingbots: The New Security Worry

Phishing and spam attacks involving Internet of Things devices are coming -- and app developers and device makers must be ready, says a CA Technologies exec.

8 Gadgets For The High-Tech Home
8 Gadgets For The High-Tech Home
(Click image for larger view and slideshow.)

Builders of consumer appliances over the years haven't devoted a lot of time and energy to matters of security. This made sense when refrigerators, home thermostats, and light bulbs didn't share data or tie into a global network of apps and devices.

Along comes the Internet of Things (IoT), and suddenly security matters. The IoT consisted of 20 billion devices in 2013 and will have 32 billion by 2020, according to the research firm IDC. The boom in IoT-enabled gadgets and sensors is a boon for hackers, whose device-focused attacks are starting to make headlines.

In January, the security provider Proofpoint announced it had uncovered an IoT-based cyberattack in which bursts of spam email were sent three times a day. What made the attack unique was that 25% of the volume was sent by compromised consumer devices such as home routers, televisions, and even a refrigerator.

And in March, the security researcher Nitesh Dhanjani took an in-depth look at the potential security threats facing owners of the IoT-connected Tesla electric car.

[Microsoft wants to be a player in Ithe oT. Here's what you should know about its cloud-based management service. Microsoft Azure Intelligent Systems: 4 Facts.]

The Proofpoint-uncovered phishing and spam attack involving household "thingbots" may be the first of many wakeup calls for IoT developers and manufacturers, Scott Morrison, senior vice president and distinguished engineer at CA Technologies, said in a phone interview with InformationWeek. "Hackers are always looking for yet another place to launch huge outflows of spam email messages. And if you can do it with refrigerators, who would've thought of that before? So it was a very clever attack against an Internet of Things device."

Morrison knows a great deal about application programming interfaces (APIs). A year ago, CA Technologies acquired Layer 7 Technologies, where Morrison was chief technical officer.

"One of the reasons CA bought Layer 7 was to gain Layer 7's expertise in API security management," he said. "APIs -- another of those buzzwords that are out there -- are the technology we're using to tie together applications and allow them to share information."

Two consumer-friendly features -- low cost and simplicity -- may present a problem in the quest for a bulletproof Internet of Things. Embedding connected technology in low-margin consumer gadget tends to be a formula for creating a device with potential vulnerabilities, Morrison said. "You're building Internet [connectivity] more as a feature of a regular consumer device, rather than an end to itself. And that tends to take the emphasis off good, solid security practices that we put in when building a website or something."

The race to push connected devices out the door isn't helping, either. "The big problem we're seeing these days is, in so many cases, people are rushing to get products out, and they're not putting the time and effort into really securing these devices up front," Morrison said. "It's not like we don't know how to do it; it's just that we're not doing it."

The recent uproar over the Heartbleed security bug in the open-source OpenSSL cryptography library may help shine a spotlight on IoT security. But more work is needed, according to Morrison.

"What's interesting about Heartbleed is that we've been hearing a lot about large websites where people are quickly patching the code and sending out notices [saying], 'We're now patched and compliant,'" he said. "But we haven't been hearing a lot about some of the embedded devices that could potentially be affected. Of course, OpenSSL is widely deployed across all sorts of different devices -- everything from wireless routers and administration consoles to printers and things like that."

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls (free registration required).

Jeff Bertolucci is a technology journalist in Los Angeles who writes mostly for Kiplinger's Personal Finance, The Saturday Evening Post, and InformationWeek. View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Shane M. O'Neill
Shane M. O'Neill,
User Rank: Author
4/30/2014 | 5:16:22 PM
Re: Avoiding pitfalls of Internet of People
Hey, I do floss every night.

My high-level observation here is that after witnessing the Target breach and Heartbleed, we're not ready yet for the Internet of things. Security isn't resilient enough and people aren't prudent enough. But here come the vendors pushing out products as fast as they can. I like the idea of connected home appliances that I can control from a smartphone -- it's innovative and useful and there's definitely a cool factor. But I'm going to wait out the hacks and growing pains. See you in 2016.
Lorna Garey
Lorna Garey,
User Rank: Author
4/30/2014 | 3:30:43 PM
Re: Avoiding pitfalls of Internet of People
Sure, and we should all floss every night too. Let's face it, hardly anyone really understands IPv6, developers whip out APIs with little regard for security, and a fair number of consumers are going to enable their fridges to communicate for no other reason than because it's whiz-bang and cool. We're doomed.
User Rank: Author
4/30/2014 | 2:21:22 PM
Re: Compromised IoT, a cheaper way to SPAM?
I agree, we should not be surprised to see new types of device hacks. Take this week's news around a baby monitor being hacked. Anything with a camera deserves special scrutiny.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

10 Things Your Artificial Intelligence Initiative Needs to Succeed
Lisa Morgan, Freelance Writer,  4/20/2021
Tech Spending Climbs as Digital Business Initiatives Grow
Jessica Davis, Senior Editor, Enterprise Apps,  4/22/2021
Optimizing the CIO and CFO Relationship
Mary E. Shacklett, Mary E. Shacklett,  4/13/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll