The Icebox Cometh
Will the Internet of Things turn homes into a House of Cards? Our homes are being invaded...but not with critters that you'd call an exterminator for. Last summer I wrote Hackable Homes about the potential risks of smart homes, smart cars and vulnerabilities of just about any-'thing' connected to the internet. (I know, everyone loves a bragger) Many of the many2014 predictions included the internet of things as a breakthrough technology? (trend?) for the coming year. Just a couple weeks ago, famed security expert Bruce Schneier wrote about how the IoT (yes, it already has it's own 3 letter acronym) is wildly insecure and often unpatchable in this Wired article. And Google just bought Nest Labs, a home automation company that builds sensor-driven, WiFi enabled thermostats and smoke detectors. So when will the first refrigerator botnet launch? It already has. Last week, Internet security firm Proofpoint said the bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks. The first cyber attack using the Internet of Things, particularly home appliance botnets. This attack included everything from routers to smart televisions to at least one refrigerator. Yes, The Icebox! As criminals have now uncovered, the IoT might be a whole lot easier to infiltrate than typical PCs, laptops or tablets. During the attack, there were a series of malicious emails sent in 100,000 lots about 3 times a day from December 23 through January 6. they found that over 25% of the volume was sent by things that were not conventional laptops, desktops or mobile devices. Instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and that one refrigerator. These devices were openly available primarily due to the fact that they still had default passwords in place. If people don't update their home router passwords or even update the software, how are they going to do it for the 50+ (give or take) appliances they have in their home? Heck, some people have difficulty setting the auto-brew start time for the coffee pot, can you imagine the conversations in the future? 'What's the toaster's password? I need to change the bagel setting!' Or 'Oh no! Overnight a hacker replaced my fine Kona blend with some decaf tea!' Come on. Play along! I know you got one you just want to blurt out! I understand this is where our society/technology/lives are going and I really like the ability to see home security cameras over the internet but part of me feels, is it really necessary to have my fridge, toaster, blender and toilet connected to the internet? Maybe the fridge alerts you when something buried in back is molding. I partially get the thermostats and smart energy things but I can currently program my thermostat for temperature adjustments without an internet connection. I push a few buttons and done. Plus I don't have to worry about someone firing up my furnace in the middle of July. We have multiple locks on our doors, alarm systems for our dwellings, security cameras for our perimeter, dogs under the roof and weapons ready yet none of that will matter if the digital locks for our 'things' are made of dumpling dough. Speaking of dumplings, the smart-steamer just texted me with a link to see the live feed of the dim sum cooking - from inside the pot! My mind just texted my tummy to get ready. ps Related: Proofpoint Uncovers Internet of Things (IoT) Cyberattack The Internet of Things Is Wildly Insecure — And Often Unpatchable For The First Time, Hackers Have Used A Refrigerator To Attack Businesses The Internet Of Things Has Been Hacked, And It's Turning Nasty Smart refrigerators and TVs hacked to send out spam, according to a new report Here's What It Looks Like When A 'Smart Toilet' Gets Hacked Bricks (Thru the Window) and Mortar (Rounds) Technorati Tags: IoT,internet of things,botnet,malware,household,silva,attacks Connect with Peter: Connect with F5:Welcome to the The Phygital World
Standards for 'Things' That thing, next to the other thing, talking to this thing needs something to make it interoperate properly. That's the goal of the Industrial Internet Consortium (IIC) which hopes to establish common ways that machines share information and move data. IBM, Cisco, GE and AT&T have all teamed up to form the Industrial Internet Consortium (IIC), an open membership group that’s been established with the task of breaking down technology silo barriers to drive better big data access and improved integration of the physical and digital worlds. The Phygital World. The IIC will work to develop a ‘common blueprint' that machines and devices from all manufacturers can use to share and move data. These standards won’t just be limited to internet protocols, but will also include metrics like storage capacity in IT systems, various power levels, and data traffic control. Sensors are getting standards. Soon. As more of these chips are getting installed on street lights, thermostats, engines, soda machines and even into our own body the IIC will focus on testing IoT applications, produce best practices and standards, influence global IoT standards for Internet and industrial systems and create a forum for sharing ideas. Explore new worlds so to speak. I think it's nuts that we're in an age where we are trying to figure out how the blood sensor talks to the fridge sensor which notices there is no more applesauce and auto-orders from the local grocery to have it delivered that afternoon. Almost there. Initially, the new group will focus on the 'industrial Internet' applications in manufacturing, oil and gas exploration, healthcare and transportation. In those industries, vendors often don't make it easy for hardware and software solutions to work together. The IIC is saying, 'we all have to play with each other.' That will become critically important when your imbedded sleep monitor/dream recorder notices your blood sugar levels rising indicating that you're about to wake up, which kicks off a series of workflows that start the coffee machine, heat & distribute the hot water and display the day's news and weather on the refrigerator's LCD screen. Any minute now. It will probably be a little while (years) before these standards can be created and approved, but when they are they’ll help developers of hardware and software to create solutions that are compatible with the Internet of Things. The end result will be the full integration of sensors, networks, computers, cloud systems, large enterprises, vehicles, businesses and hundreds of other entities that are 'connected.' With London cars getting stolen using electronic gadgets and connected devices as common as electricity by 2025, securing the Internet of Things should be one of the top priorities facing the consortium. ps Related: Consortium Wants Standards for ‘Internet of Things’ AT&T, Cisco, GE, IBM and Intel form Industrial Internet Consortium for IoT standards IBM, Cisco, GE & AT&T form Industrial Internet Consortium The “Industrial” Internet of Things and the Industrial Internet Consortium The Internet of Things Will Thrive by 2025 Securing the Internet of Things: is the web already breaking up? Connected Devices as Common as Electricity by 2025 The ABCs of the Internet of Things Some Predictions About the Internet of Things and Wearable Tech From Pew Research Car-Hacking Goes Viral In London Technorati Tags: iot,things,internet of things,standards,security,sensors,nouns,silva,f5 Connect with Peter: Connect with F5:My Sensored Family
The Important Things Lately I've been writing a bunch about the Internet of Things or IoT. You know, where everyday objects have software, chips, and sensors to capture data and report back. Household items like refrigerators, toilets and thermostats along with clothing, cars and soon, the entire home will be connected. Many of these devices provide actionable data - or just fun entertainment - so people can make decisions about whatever is being monitored. It can also help save lives. Recently my daughter became a robot, at least according to her. My daughter has a rare genetic disorder called HI/HA GDH - Hyperinsulinism/Hyperammonemia Syndrome in the Glutamate Dehydrogenase gene. Say that 3 times fast. Basically, she produces too much insulin (extreme hypoglycemic) and too much ammonia. She gets blood work done every couple months and recently we've had some concerning numbers on those reports. While we certainly check her blood multiple times a day, the doctor wanted to get a more precise reading over the course of a few days to determine a plan of action. Enter the sensor. The doctor installed a Medtronic Sof-Sensor Glucose meter which measured her blood sugars every 5 minutes and stored it on a chip. They also have models which transmit the BSL to a base for instant readings. Out of the package, the device has a needle almost tented over the sensor. You put it in an apparatus which punches the needle and sensor into the skin. You remove the needle and the sensor stays. You then connect it to a clam shell looking thing which houses the microprocessor. Tape over it, go on with your daily routine and the sensor does the rest. While she had hers in for 3 days, there are some that can be inserted for longer term measurements. After our three days, we pulled it out and retuned it to the doctor. Pulling the tape off her skin hurt more than yanking the sensor out. They connected the storage to a computer and retrieved the data. We could match the charted times and readings (along with a daily food diary) with the regular meter readings to get a great overall picture of what might be causing some of the recent abnormalities. From that, we got our medical marching orders and so far it seems like things are moving in the right direction. The parental worries have also dwindled now that we know what's going on. That anxiety is part of the challenge whether you're a global business or a parent...the data and context to make informed, knowledgeable decisions about a path forward. Sometimes sensors can provide that. This Internet of Nouns trend is still in the early stages and many of our already connected gadgets do provide human benefits over the typical infotainment. While IoT is certainly interesting and the wave is building, I'm not particularly rushing to get everything or everyone connected like that...except for our micro chipped dog. But in this instance, installing a sensor in my daughter's side for a few days made all the difference in the world. And gave us some uncensored peace of mind. ps Related Is IoT Hype For Real? Oh, Is That The Internet You're Wearing? Internet of Food I Think, Therefore I am Connected Play Ball!The Breach of Things The Icebox Cometh The Internet of Sports Welcome to the The Phygital World The DNS of Things Technorati Tags: iot,things,sensors,medical,heath,silva,f5,family,big data Connect with Peter: Connect with F5:Security Sidebar: Defending The Internet of Things
Many experts predict that the number of devices connected to the Internet will top 50 billion (with a "B") by the year 2020. In fact, the following diagram shows that, on average, every person on the globe will have ~3.5 connected devices by next year. I know I'm doing my part to contribute. After all, I have several connected devices even today: Smart TV, Blu-Ray player, PlayStation, laptop, iPad, iPhone, etc. And that's just me! You don't have to look far to find an Internet connected device. We have connected cars, eye glasses, running gear, door locks, weight scales, refrigerators, thermostats, even basketballs! Remind me again why we need an Internet connected basketball? Speaking of...I wish someone made Internet connected golf balls; then I wouldn't have to spend so much time searching for my tee shot. In the near future we will see things like toothbrushes get connected to the net. I recently read a quote from an executive at a toothbrush company who, when asked about Internet connected toothbrushes, said "There are people who are very passionately waiting for it." I'm not sure who those people are, but I'll bet you can pick them out of a crowd with their brilliantly white smiles and minty fresh breath! Even the kids are getting involved in this. Baby monitors are already connected, but pretty soon we will connect to car seats and children's kitchen utensils. Remind me to check the upper limit of IP addresses allowed on my wireless router. I might need to upgrade pretty soon! Clearly this is a very limited list of the many, many things that are currently or will soon be connected to the Internet. With this onslaught of connected devices, the hacking space for nefarious Internet users is getting so big that they almost can't miss when they launch their attack tools these days. The following chart (created by MIT's System Design and Management Program) shows a comparison of knowledge needed to launch an attack and the sophistication of the attack being launched. Many times it's the simple things that allow attackers to be successful. Things like default passwords that are not changed, software patches that are not installed, firmware upgrades that are not completed, etc. Some of the devices that make up the "Internet of Things" (or the Internet of Everything as some are calling it now) are very easy to configure and update; and some are not. If my laptop or router has a recommended software patch or firmware update and I fail to install it, then bad on me...I'm just keeping the door open for the bad guys to use their tools against me. But sometimes it's not that simple. The new Internet connected refrigerator you just bought might not have an upgrade even available. In that case, I'd recommend doing whatever you possibly can to secure the device...if nothing else, see what you can do to change the default password on the thing. In my former life, I routinely analyzed cyber attacks for a major Department of Defense organization. Many times, successful attacks would have been thwarted if the admin or user had simply updated patches, changed default passwords, etc. After an attack, we would conduct a "hotwash" where we would discuss what was done correctly and what needed improvement. In some cases, we were fortunate to have a friendly attacker who would outline exactly how the attack took place and what we could do to stop it (or slow it down) the next time. Each attack was a little different, but I noticed a pattern of unpatched systems being targeted the most. I'm not saying the attackers will never get in if you apply all patches and recommended firmware updates, but it might make them look at the next guy to see if he is an easier target! So, do the little things right. John Wooden coached the UCLA men's basketball team to a record 10 national championships in 12 years...no one else has ever come close. When asked about how he achieved such great success, he said "It's the little details that are vital. Little things make big things happen." I would agree, and I would add that, in the case of security and keeping Internet attackers at bay, little things keep big things from happening...and that's what you want! The Internet of Things is becoming (and has become) a tough landscape for security professionals. F5's own Lori MacVittie wrote a fantastic article where she highlights security challenges associated with the Internet of Things. So what can you do in the face of this daunting road ahead? Should you just not buy any Internet connected devices? No, go ahead and buy them...just remember to do the little things right.
