Internet of Thingbots: The New Security Worry - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Management // Big Data Analytics

Internet of Thingbots: The New Security Worry

Phishing and spam attacks involving Internet of Things devices are coming -- and app developers and device makers must be ready, says a CA Technologies exec.

8 Gadgets For The High-Tech Home
8 Gadgets For The High-Tech Home
(Click image for larger view and slideshow.)

Builders of consumer appliances over the years haven't devoted a lot of time and energy to matters of security. This made sense when refrigerators, home thermostats, and light bulbs didn't share data or tie into a global network of apps and devices.

Along comes the Internet of Things (IoT), and suddenly security matters. The IoT consisted of 20 billion devices in 2013 and will have 32 billion by 2020, according to the research firm IDC. The boom in IoT-enabled gadgets and sensors is a boon for hackers, whose device-focused attacks are starting to make headlines.

In January, the security provider Proofpoint announced it had uncovered an IoT-based cyberattack in which bursts of spam email were sent three times a day. What made the attack unique was that 25% of the volume was sent by compromised consumer devices such as home routers, televisions, and even a refrigerator.

And in March, the security researcher Nitesh Dhanjani took an in-depth look at the potential security threats facing owners of the IoT-connected Tesla electric car.

[Microsoft wants to be a player in Ithe oT. Here's what you should know about its cloud-based management service. Microsoft Azure Intelligent Systems: 4 Facts.]

The Proofpoint-uncovered phishing and spam attack involving household "thingbots" may be the first of many wakeup calls for IoT developers and manufacturers, Scott Morrison, senior vice president and distinguished engineer at CA Technologies, said in a phone interview with InformationWeek. "Hackers are always looking for yet another place to launch huge outflows of spam email messages. And if you can do it with refrigerators, who would've thought of that before? So it was a very clever attack against an Internet of Things device."

Morrison knows a great deal about application programming interfaces (APIs). A year ago, CA Technologies acquired Layer 7 Technologies, where Morrison was chief technical officer.

"One of the reasons CA bought Layer 7 was to gain Layer 7's expertise in API security management," he said. "APIs -- another of those buzzwords that are out there -- are the technology we're using to tie together applications and allow them to share information."

Two consumer-friendly features -- low cost and simplicity -- may present a problem in the quest for a bulletproof Internet of Things. Embedding connected technology in low-margin consumer gadget tends to be a formula for creating a device with potential vulnerabilities, Morrison said. "You're building Internet [connectivity] more as a feature of a regular consumer device, rather than an end to itself. And that tends to take the emphasis off good, solid security practices that we put in when building a website or something."

The race to push connected devices out the door isn't helping, either. "The big problem we're seeing these days is, in so many cases, people are rushing to get products out, and they're not putting the time and effort into really securing these devices up front," Morrison said. "It's not like we don't know how to do it; it's just that we're not doing it."

The recent uproar over the Heartbleed security bug in the open-source OpenSSL cryptography library may help shine a spotlight on IoT security. But more work is needed, according to Morrison.

"What's interesting about Heartbleed is that we've been hearing a lot about large websites where people are quickly patching the code and sending out notices [saying], 'We're now patched and compliant,'" he said. "But we haven't been hearing a lot about some of the embedded devices that could potentially be affected. Of course, OpenSSL is widely deployed across all sorts of different devices -- everything from wireless routers and administration consoles to printers and things like that."

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls (free registration required).

Jeff Bertolucci is a technology journalist in Los Angeles who writes mostly for Kiplinger's Personal Finance, The Saturday Evening Post, and InformationWeek. View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/1/2014 | 1:08:14 PM
Scale and cost will be key
Very interesting article. I think the nature and scale of M2M and IoT brings unique cyber security challenges including trust (untrusted devices, networks), cost (cannot be expensive considering the large number of devices), privacy (who owns data and how to securely share it), access (static access controls cannot adjust to dynamic nature of IoT), performance (low power devices can't spare many cycles for security), interoperability, integration into existing security paradigms etc. Not to mention cryptography - how do we seed with good randum numbers in order to get good crypto?

Interesting times indeed!
Shane M. O'Neill
Shane M. O'Neill,
User Rank: Author
4/30/2014 | 5:16:22 PM
Re: Avoiding pitfalls of Internet of People
Hey, I do floss every night.

My high-level observation here is that after witnessing the Target breach and Heartbleed, we're not ready yet for the Internet of things. Security isn't resilient enough and people aren't prudent enough. But here come the vendors pushing out products as fast as they can. I like the idea of connected home appliances that I can control from a smartphone -- it's innovative and useful and there's definitely a cool factor. But I'm going to wait out the hacks and growing pains. See you in 2016.
Lorna Garey
Lorna Garey,
User Rank: Author
4/30/2014 | 3:30:43 PM
Re: Avoiding pitfalls of Internet of People
Sure, and we should all floss every night too. Let's face it, hardly anyone really understands IPv6, developers whip out APIs with little regard for security, and a fair number of consumers are going to enable their fridges to communicate for no other reason than because it's whiz-bang and cool. We're doomed.
User Rank: Apprentice
4/30/2014 | 3:04:00 PM
Avoiding pitfalls of Internet of People
Is there any reason for refrigirator or TV set to send emails?? Just because it can be done does not mean it should be done. I have been appaled for many years at the level of "amateurism", for the lack of better word, that current Internet of people operates. It feels like one temporary solution slapped on the other, without ever taking a pause and redisigning it with security in mind. Domains are not "entrusted", emails can be send in a deceiving way, pretending to be from somewhere or someone else, etc. We should really make sure that Internet of things does not go the same way. Each IP address should be registered and entrusted, "things" should have limited, but strictly defined functionality and strong encription protocols should be used in communicating with them.
User Rank: Author
4/30/2014 | 2:21:22 PM
Re: Compromised IoT, a cheaper way to SPAM?
I agree, we should not be surprised to see new types of device hacks. Take this week's news around a baby monitor being hacked. Anything with a camera deserves special scrutiny.
User Rank: Apprentice
4/30/2014 | 2:11:24 PM
Security and the Internet of Things
Security will be the number one concern when the Internet of things is being introduced into the general public. No one would be willing to trade security for convenience on this level.  That means that the companies that stand to make billions off the industry need to have universal security protocols.  This protects the industry and the consumer.  Everybody wins
User Rank: Ninja
4/30/2014 | 2:07:31 PM
Compromised IoT, a cheaper way to SPAM?
It makes perfect sense that malicious traffic is going to look for a new way to be transmitted, and with the increased awareness of users when it comes to computers, laptops, tablets and smartphones, it isn't a surprise that the path of least resistance when it comes to infecting data-creating devices will be to leverage these smart or connected endpoints to be the new sources to push out the traffic.  Until proper security can be built into the devices themselves, we can expect to see a steady increase in malicious traffic as the adoption rate of IoT increases as well.
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
Graph-Based AI Enters the Enterprise Mainstream
James Kobielus, Tech Analyst, Consultant and Author,  2/16/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll