When refrigerators, TVs, and cars attack: Hacking the Internet of Things

By Adam L. Penenberg , written on January 17, 2014

From The News Desk

Imagine pulling up to a Taco Bell takeout window to collect your Doritos taco and diet soft drink when suddenly your car takes on a life of its own. Maybe the stereo blares audio messages through the open windows for spam staples like penile enhancements or come ons for hair restoration, Russian brides, or e-cigarettes at 110 decibels, transforming your ride into an mobile marketing machine. Maybe it transforms your vehicle into part of a massive, roving bot net. Or it kidnaps you, taking you to a destination of some nefarious person's choice, or worse, the car accelerates, tearing through the parking lot only to smack into oncoming traffic.

The so-called Internet of Things, when all manner of every day objects -- and even people and animals -- boast network connectivity, enabling them to receive and send data, has become the buzzword du jour. It promises a future when everything from our microwaves, refrigerators, toasters, toys, thermostats, and door locks to our cars, homes, and clothes will be joined at the digital hip. In some ways, it recalls the days of the 1980s and 1990s when, often needlessly and annoyingly, manufacturers of VCRs and all manner of other consumer electronics would embed digital clocks into their products, making the transition to and from Daylight Savings Time a pain in the ass. Nevertheless, IoT, as it's called, is coming. Cisco predicts by 2020 50 billion devices could be connected to the Internet while IDC puts the number at 212 billion.

There is truism in hacking. The more people and devices that connect to a network, the more "attack vectors" are created. It's a reason that corporate, university, and government networks, which have to provide remote access to thousands of people, can be so porous. For a skilled cyberfelon, all it takes is one entry point into a system to breach it and cause devastating damage.

Already we are beginning to see the possibilities. Yesterday, security firm Proofpoint claimed to have uncovered a cyberattack involving more than 100,000 smart appliances. In this case, the hackers turned common household devices such as "home-networking routers, connected multi-media centers, televisions and at least one refrigerator" into bot nets to send more than 750,000 malicious email. The global campaign that Proofpoint observed happened over two weeks at the end of December and into January, with more than 25 percent of the volume emanating from devices that were not desktop computers, laptops, smartphones or tablets.

Add to this the recent hack of Target and other retailers, when it is believed that malware was remotely installed on their point-of-sale (POS) machines, capturing data from the magnetic strips on perhaps as many as 40 million credit and debit cards after they were swiped at cash registers, and you can see where all of this headed. More than 40 anti-virus products didn't identify the malware called Black POS, which was readily available on the black market for around $1,800, according to Brian Krebs, a journalist who runs Krebs on Security, a site that provides computer security news.

Now imagine Google's self-driving cars, Google Glass, and contact lenses, Amazon's delivery drones, and billions upon billions of devices connected to networks, each offering hackers entry into the network as a whole. The stakes, then, could be much higher than some teenager from Bulgaria guessing your Twitter or Facebook log in credentials and spamming all your followers and friends. They could get into our homes, offices, and cars, messing with the heat and air conditioning, eavesdropping on our lives, and even preventing us from leaving our homes by remotely locking doors and windows. If you want a taste, read this feature story that Andy Greenberg of Forbes published last summer, when the car he was driving was hacked (with his permission, natch).

Microsoft, Apple, Adobe and others can't get their customers to update anti-virus software or apps to patch security holes. What will happen when the stakes -- and the impact -- is  so much higher?