Fridges behaving badly

By Lance Harris, freelancer
Johannesburg, 07 Oct 2014

With the IT industry racing to connect everything to the Internet - from fridges, baby monitors and cars to plant machinery, IP surveillance cameras and building management systems - enterprises and IT vendors face a range of complex new information security and privacy risks.

Early this year, hackers reportedly hijacked Internet-connected fridges and smart TVs to use them in a botnet that delivered more than 750 000 malicious e-mails. Also this year, security researchers compromised an unpatched building management system at a Google office in Sydney, Australia.

The researchers reported the vulnerability to Google, rather than trying to exploit the security flaw as a real hacker might have done. Google downplayed the incident, saying the system only controlled heating and air-conditioning in the building.

Such incidents seem set to become more common as hackers look to exploit new attack surfaces with criminal intent, be it launching a botnet or trying to find a route into a corporate network.

In the past, cyber criminals ignored Internet-connected 'things', figuring the difficulty of connecting to the devices and hacking them wasn't worth the effort. After all, a building management system often runs on a separate dedicated line to enterprise IT systems and usually hosts little in the way of juicy information.

But that picture is changing because Internet-connected machines, appliances and sensors increasingly gather and transmit valuable, sensitive data. According to a study of popular IOT devices, conducted by HP Security Research, 90% of the devices the researcher evaluated collected some form of personal information such as name, address, date of birth, health information and even credit card numbers.

Security concerns

The HP study analysed devices such as TVs, Webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers. It found that most devices suffered from a high number of vulnerabilities, ranging from Heartbleed to denial of service to weak passwords to cross-site scripting.

What's more, the majority of devices included some form of cloud service and mobile applications that can be used to access or control the devices remotely. "As the number of connected IOT devices constantly increases, security concerns are also exponentially multiplied," writes the author of the report. "A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple devices in an interconnected home or business."

Unsurprisingly, regulators around the world - including the US Federal Trade Commission and the European Commission - have the IOT high on their agendas. Apart from security concerns, they are also worried about how marketers, insurance companies and government agencies might use personal data collected through connected devices.