The Internet of Threats

If you are one of the many who have recently received spam relayed by a ‘smart’ fridge, it will give you little comfort to know that we should soon be the butt of spam, phishing attacks and more, from vending machines and their ilk. As we are now witnessing a massive expansion of the ‘Internet of Things’ (IoT), those previously dumb and benign appliances are attracting the attention of the bad guys.

Proofpoint, who supply computer security as a service, reported last year that over 750,000 malicious emails were forwarded from IoT devices like fridges and TVs over a two-week period.

Although not identified as one of the culprits, a typical ‘smart’ fridge like the Samsung French Door RF4289HARS might have set you back $3500, and shipped with Linux 2.6.28. I wonder how many have been updated to the latest stable kernel release of March 2015, version 3.19.3. In addition to relevant features such as Grocery and Recipe Managers, the fridge includes music streaming, news and weather services, and photo albums, presumably to preserve fond memories of former feasts.

‘Smart’ fridges are also sexy products to announce to the press and display at tech shows, but seem to have unusually short lifetimes: no sooner had LG’s Smart ThinQ fridge been launched last year than it was posted as having been discontinued. I wonder how long its software support will last.

Even more attractive to hackers is the new generation of ‘intelligent’ (a word we may live to regret) vending machines. These too are Internet-connected so that they can report sales, inventory and service details without the cost and inconvenience of human attendance. Coca-Cola is moving rapidly to these new systems, having acquired 16 million IP addresses in preparation for their onslaught on our thirst.

To help customers part ever more easily with their money, these systems offer cashless payment processing, and many have conventional and contactless credit and debit card readers. This must be the hacker’s dream: an unattended system with an Internet connection and a steady supply of card information.

The first connected vending machine went online about 40 years ago, in Carnegie Mellon University’s Computer Science Department, so we might by now have had time to get used to their issues. But until very recently there were only a handful of such systems, and they were severely stunted in their potential: for much of its working life, CMU’s Coke machine could only give basic status information when prompted using the Finger network protocol – which could not be further from accessing payment processing.

Unlike the millions of phones and tablets now running iOS and its competitors, this Internet of Things is likely to be largely Linux-based. This means that even if a device has been deployed without customary mail and web servers, an open mail relay server ready to propagate spam, or a malicious web server, is simple to implement and install remotely.

Accomplishing that in the locked-down environment of iOS or even the more liberated OS X is tougher and ultimately far less rewarding. Why waste time and effort stealing card details from users one by one, when a popular vending machine can stream them to the comfort of your own botnet controller?

The threat landscape is changing again. No doubt those with vested commercial interests will continue trying to allay concerns with bland assurances as to how invulnerable their IoT devices are. But when it comes to protecting customers and the public, the track record of even sober technology-based corporations like Adobe is hardly encouraging; some of those trying to satisfy our more everyday needs for spending seem unfazed if they occasionally leak details of a few million customers.

Just as drug cheats always seem several steps ahead of those trying to stop doping in sport, so computer security is always playing catch-up to hackers. The next time that someone invites you to buy their prophylactic or protection product for your Mac, ask them how it will cope when the Internet of Things becomes the Internet of Threats.

Updated from the original, which was published in MacUser volume 30 issue 04, 2014.