The beauty of working for a technology company is that every once in a while your nerdy world crosses over into the real world, with a new discovery or some other piece of breaking news. This week I had the good fortune to have a bit of both, as Proofpoint appeared to find proof of a theory that has been doing the rounds in information security and technology circles for some time: that internet-enabled, always-connected devices could be used for nefarious purposes. These devices fall under what is called “The Internet of Things” (IoT): they communicate and interoperate in order to make everyday life easier. For the general public, this can include domestic appliances that call out for a service repair, heating systems that come on ahead of the timer cycle if there is a cold snap, alarm systems that call the homeowner and show a live stream from a surveillance camera, and so on.
So back to the story. The researchers found that during a recent email attack, in addition to being orchestrated from “conventional” machines (typically laptops and PCs, i.e. a botnet), approximately 25% of the attack traffic was coming from “unconventional” ones: home media centres, games consoles and other domestic appliances. This made for great headlines, hitting all of the usual online news channels (BBC, Register, Guardian, Independent), and for the first time we also made the printed press, with The Metro treating UK commuters to this new world as front-page news.
Aside from the great press for Proofpoint and the brief prodding of the public’s consciousness, those of us in the security world ought to see this as a wake-up call. Much like the early days of networking and the internet, with poor passwords and flaky firewall rules (if you even had a firewall!), this highlights how laziness and a lack of planning have led to devices shipping with an unprotected, stripped-down Linux, an unsecured SMTP server and a web server that is perhaps running some archaic version of Apache. Of course, manufacturers can push updates, and may even offer an auto-update feature, but as we all know this rarely happens well. Furthermore, since these devices were architected to be low cost, you can be certain that security was at the bottom of the list when set against convenience and ease of use (i.e. zero user configuration required, given the target audience).
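One practical check that follows from the point above is to ask whether an SMTP listener on one of your own devices will relay mail for anyone, which is exactly what makes such a box useful to a spam campaign. The following probe is an added example for this post, not code from the original article or from Proofpoint’s research. It assumes the device speaks plain SMTP on port 25, announces itself with a hypothetical name, and uses the RFC 2606 reserved domains example.com and example.net for the test addresses so that nothing can ever be delivered; the appliance names and the scripted server replies used for the offline demonstration are constructed.

```python
"""Probe a LAN device's SMTP listener for open relaying without sending mail.

The exchange stops at RCPT TO: a server answering 2xx there would relay for
anyone, one answering 5xx refuses. DATA is never issued, so no message is sent.
Only probe devices you own or are authorised to test.
"""
import io
import socket
import sys

# RFC 2606 reserved domains (assumption: chosen so the probe can never deliver).
SENDER = "probe@example.com"
RECIPIENT = "probe@example.net"
HELO_NAME = "probe.example.com"  # hypothetical name announced in EHLO/HELO


def read_reply(rfile):
    """Read one SMTP reply, including multi-line '250-...' continuations.

    Returns (code, [text of each line]). Raises on a closed or malformed stream.
    """
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        texts.append(line[4:])
        if len(line) == 3 or line[3] != "-":   # a space (or nothing) ends the reply
            return int(line[:3]), texts


def parse_reply(data):
    """Convenience wrapper: parse one reply from raw bytes."""
    return read_reply(io.BytesIO(data))


def send_command(wfile, command):
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()


def relay_probe(rfile, wfile, sender=SENDER, recipient=RECIPIENT):
    """Drive banner -> EHLO -> MAIL FROM -> RCPT TO -> RSET -> QUIT over any
    pair of byte streams and classify the RCPT TO answer.

    Verdicts: 'open_relay' (2xx for a foreign recipient), 'relay_denied' (5xx),
    'unexpected' (anything else, including a failure before RCPT TO).
    """
    transcript = []

    def step(command):
        if command is not None:
            send_command(wfile, command)
        code, texts = read_reply(rfile)
        transcript.append((command, code, " / ".join(texts)))
        return code

    result = {"verdict": "unexpected", "stage": "banner", "transcript": transcript}
    if step(None) != 220:
        return result
    result["stage"] = "ehlo"
    if step(f"EHLO {HELO_NAME}") != 250 and step(f"HELO {HELO_NAME}") != 250:
        return result
    result["stage"] = "mail_from"
    if step(f"MAIL FROM:<{sender}>") != 250:
        return result
    result["stage"] = "rcpt_to"
    rcpt = step(f"RCPT TO:<{recipient}>")
    try:                                  # abandon the transaction politely
        step("RSET")
        step("QUIT")
    except (ConnectionError, ValueError):
        pass                              # some servers simply hang up here
    if 200 <= rcpt < 300:
        result["verdict"] = "open_relay"
    elif 500 <= rcpt < 600:
        result["verdict"] = "relay_denied"
    result["rcpt_code"] = rcpt
    return result


def probe_host(host, port=25, timeout=5.0):
    """Run relay_probe against a real listener on your own network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile)


# Constructed replies from an imaginary appliance that relays for anyone.
OPEN_RELAY_SCRIPT = (
    b"220 thingbox ESMTP ready\r\n"
    b"250-thingbox\r\n250-SIZE 10240000\r\n250 HELP\r\n"   # multi-line EHLO reply
    b"250 2.1.0 Ok\r\n"                                     # MAIL FROM accepted
    b"250 2.1.5 Ok\r\n"                                     # foreign RCPT TO accepted
    b"250 2.0.0 Ok\r\n221 2.0.0 Bye\r\n"                    # RSET, QUIT
)

# Constructed replies from a properly configured MTA that refuses to relay.
DENIED_SCRIPT = (
    b"220 mail ESMTP\r\n250 mail\r\n250 2.1.0 Ok\r\n"
    b"554 5.7.1 <probe@example.net>: Relay access denied\r\n"
    b"250 2.0.0 Ok\r\n221 2.0.0 Bye\r\n"
)


def scripted_probe(script):
    """Run the probe offline against scripted server replies."""
    return relay_probe(io.BytesIO(script), io.BytesIO())


if __name__ == "__main__":
    for name, script in (("open appliance", OPEN_RELAY_SCRIPT), ("proper MTA", DENIED_SCRIPT)):
        print(name, "->", scripted_probe(script)["verdict"])
    if len(sys.argv) > 1:                 # e.g. python probe.py 192.168.1.23
        print(sys.argv[1], "->", probe_host(sys.argv[1])["verdict"])
```

A 4xx at RCPT TO is a temporary failure (greylisting, resource limits) and deliberately lands in “unexpected” rather than “relay_denied”, so re-run later before drawing a conclusion. Authenticated or STARTTLS-only relaying is out of scope for this plain-text probe: a device that says 250 here is relaying for an unauthenticated stranger, which is the behaviour the spam campaign relied on.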
Of course, you could say “Who cares?” After all, what harm could come from a bit of internet “noise”? Personally, I’d be concerned that once compromised, one of these devices could then be used to compromise the home router from the inside, and then it’s open season: every bit of household traffic (online banking, etc.) would be in complete view, which is much easier than constantly trying to craft clever spear phishing to snare the user. And that’s just one example. How about a brand new “thingbot” army to carry out DDoS attacks? What about a compromise of Android (or iOS) devices? The list goes on….
Twenty years ago, we might have laughed at the recent headlines – and some may be laughing now. Let’s hope the nerds don’t have the last laugh.