This post is also available in: heעברית (Hebrew)

Illustration Photo
Illustration Photo

Internet of Things, a business growing at a compound annual rate of 7,9% that is a privileged target for hackers and cyber criminals.

The Internet of Things refers all objects in daily life equipped with identifiers that allow their automatic inventory. Tagging of the Internet of Things could be achieved with various technologies such as the RFID, NFC, digital watermarking, QR code and muck more.

The diffusion of paradigm of the Internet of Things is sustained by phenomena like the improvement of connectivity infrastructure and by the massive introduction of technology in the environment that surround us, from our house to the ambitious project of smart cities.

IDC has given an economic estimation for the evolution of the market that is moving around the Internet of Things, technologies and services spending that generated global revenues of $4.8 trillion in 2012 and that will reach $8.9 trillion by 2020, growing at a compound annual rate (CAGR) of 7.9%.

IDC expects the installed base of the Internet of Things will be nearly 212 billion “things” globally by the end of 2020, around 14% of them will be “connected (autonomous) things” mainly driven by intelligent systems that will be deployed and will collect data across both consumer and enterprise applications.

This growth represents a serious challenge under the cyber security perspective, many researchers are evaluating the possibility to attack these objects or exploit them to compromise the surrounding environment.

At the security conference DerbyCon 3.0 2013, researcher Daniel Buentello made an interesting presentation titled “Weaponizing your coffee pot” showing the consequences of an attack against high-tech objects, like a common coffee pot, connected to the Internet of Things.

The computational capability of connected devices is comparable to the one of a minicomputers but with a substantial difference, in the majority of case these components aren’t protected by defense mechanisms.

If one of these intelligent objects is infected by a malware it could be recruited in a botnet architecture, no matter if hackers control a coffee pot or a smartTV.

iHLS – Israel Homeland Security

Buentello highlighted that once a malware infected our domestic environment it could propagate itself trough Internet of Things, for example reaching the thermostat of our oven or our home server.

The researcher described in his presentation the coffee pot product, dubbed FrigidMore, which is connected to the internet and run a “java” scripts to control the coffee taste and to push notifications to user’s smartphone when coffee is ready.

Buentello analyzed the Nest thermostat that uses a WiFi interface for various operations such as the software updates.

The Nest Learning Thermostat automatically updates its software over Wi-Fi whenever an update is released.”

Cyber criminals could compromise the update process push out malware to all connected devices and recruit them a part of a botnet.

Internet of Things is considered a privileged target of cyber criminals, they will concentrate their efforts to attack so powerful objects. Home automation devices are easy to attack from hackers, search engine like Shodan are a mine of information to discover potential targets and gather info on their structure.

Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody’s home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.” CEDIA IT Task force member Bjorn Jensen said

Concepts like smart homes and smart cities are fascinating but could hide dangerous pitfalls, despite today Internet of Things is a reality and the number of “intelligent” devices is rapidly increasing, the majority of them is totally unprotected and security for “home automation” is still in the stage of evolution.

Welcome progress, but remember that everything has its price, anything connected to the Internet is hackable.

As reported by Pierluigi Paganini at Security Affairs