The “Internet of Things” is great — we’ll soon be able to build apps for our cars, thermostats, refrigerators, and more. But what happens when attackers get into your company’s system through an ice maker instead of the phishing email we’re all so used to?
“Every digital thing ever made has flaws, and there are two ways to deal with that: You hide them and bury them … or you deal with the outside risks and you respond really quickly,” said Lookout Mobile chief technology officer Kevin Mahaffey in an interview with VentureBeat.
“The Internet of Things,” or all the physical devices that you can connect to the Internet, opens up new doors for attackers trying to get into your company’s systems. Mahaffey set out to attack all the devices he could find in his office and home and see just how weak some of them really are. This included his thermostat, Blu-ray player, Apple TV, printer, VoIP phone, projector, white board, and other devices that all connect to the Internet (and likely your company’s network).
“These are the things that hackers lust after,” said Mahaffey during a presentation at the RSA conference in San Francisco. “A lot of these devices have a pretty big attack surface.”
Lucky for us, a lot of these — in particular the thermostats — encrypt their data flows and are difficult to hack by traditional means.
The Nest thermostat passed the test, using a secure form of encryption and properly signing its own certificates. Apple TV also passed the test. Things like printers, VoIP phones, a certain kind of smart thermostat called EcoBee, and even a coffee maker did not, however.
But what’s so concerning? Oh, no, someone turned my air conditioning on, boo-hoo. Well, what if all the thermostats in a city suddenly turned their air conditioning on high? Mahaffey explained it could be a means to blow out the power grid. Printers have access to your sensitive documents and directly connect to your networks.
And what about things like fire alarms and HVAC systems that aren’t currently connected to the Internet — but could be someday soon? Maybe the new form of DDoSing a website is to trip the fire sprinklers to rain on a data center.
Mahaffey told VentureBeat he’s most concerned about severe attacks from fire systems and card readers. We’ve already seen big-name organizations such as RSA and the Department of Defense fall to attacks on card readers.
“Who cares about the security guy if you can badge your way in?” said Mahaffey.
He suggests that companies start planning for the Internet of Things now by using modern cryptography to protect all the traffic running in and out of all of their systems. He also suggests IT departments purposefully watch network flows to see what devices are communicating with what parts of the network and then segment devices. For example, your Internet-connected coffee maker likely doesn’t need to talk to your source code server.
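The "watch the flows, then segment" advice above is easy to turn into a routine check. The script below is an added example, not code from the article or from Lookout: it takes flow records (source, destination, port, bytes), an inventory of which addresses are IoT gadgets and which hold sensitive assets, and an allow-list of where each device class may talk. It reports every flow that breaks the allow-list (the coffee maker reaching the source code server) and derives a minimal per-class segmentation plan from what the devices actually used. The inventory, the addresses, the allow-list and the flow sample are all constructed for the demo.

```python
"""Spot IoT devices talking to parts of the network they have no business
reaching, and turn the observed traffic into a segmentation allow-list.

Added example, not from the article or from Lookout. Every address, device
and flow record below is constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_sent: int


# Constructed inventory: IoT devices on the office network, by address.
DEVICES = {
    "10.0.20.11": "thermostat",
    "10.0.20.12": "coffee_maker",
    "10.0.20.13": "printer",
    "10.0.20.14": "voip_phone",
}
# Constructed inventory: servers holding things worth protecting.
SERVERS = {
    "10.0.10.5": "source_code_server",
    "10.0.10.6": "file_server",
    "10.0.10.7": "print_server",
    "10.0.10.8": "sip_pbx",
}
# Constructed policy: destinations each device class is permitted to reach.
# "internet" means any address outside RFC 1918 space (vendor cloud endpoints).
ALLOWED = {
    "thermostat": {"internet"},
    "coffee_maker": {"internet"},
    "printer": {"print_server"},
    "voip_phone": {"sip_pbx", "internet"},
}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_dst(ip: str) -> str:
    """Map a destination address to a named server, 'internal_other', or 'internet'."""
    if ip in SERVERS:
        return SERVERS[ip]
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal_other"
    return "internet"


def find_violations(flows):
    """Return (device_ip, device_class, destination_class, dport, bytes) for every
    flow from an inventoried IoT device to a destination its class may not reach."""
    violations = []
    for f in flows:
        if f.src not in DEVICES:
            continue  # workstations and servers are out of scope here
        cls = DEVICES[f.src]
        dst_cls = classify_dst(f.dst)
        if dst_cls not in ALLOWED[cls]:
            violations.append((f.src, cls, dst_cls, f.dport, f.bytes_sent))
    return violations


def talk_map(flows):
    """Per device class, the set of destination classes actually observed:
    the 'who talks to what' picture used to draw segment boundaries."""
    seen = defaultdict(set)
    for f in flows:
        if f.src in DEVICES:
            seen[DEVICES[f.src]].add(classify_dst(f.dst))
    return dict(seen)


def segmentation_plan(flows):
    """Minimal allow-list per device class: policy intersected with observed
    need, so the IoT VLAN's firewall rules contain nothing a device never used."""
    return {cls: sorted(dsts & ALLOWED[cls]) for cls, dsts in talk_map(flows).items()}


# Constructed flow sample (one minute of office traffic).
SAMPLE_FLOWS = [
    Flow("10.0.20.11", "203.0.113.10", 443, 4200),   # thermostat -> vendor cloud
    Flow("10.0.20.12", "203.0.113.20", 443, 900),    # coffee maker -> vendor cloud
    Flow("10.0.20.12", "10.0.10.5", 22, 15000),      # coffee maker -> source code server
    Flow("10.0.20.13", "10.0.10.7", 631, 80000),     # printer -> print server
    Flow("10.0.20.13", "10.0.10.6", 445, 250000),    # printer -> file server
    Flow("10.0.20.14", "10.0.10.8", 5060, 3000),     # VoIP phone -> PBX
    Flow("10.0.30.50", "10.0.10.5", 22, 7000),       # developer workstation, not inventoried
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("VIOLATION %s (%s) -> %s port %d, %d bytes" % v)
    print("segmentation plan:", segmentation_plan(SAMPLE_FLOWS))
```

Run against real NetFlow or sFlow exports, the same two functions give a shift-by-shift answer to the two questions the advice raises: which gadgets are reaching things they should not, and what the allow-list for the IoT segment needs to contain once those devices are moved behind a firewall.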
Mahaffey goes further to say that the device vendors themselves should start penetration testing their devices and that the companies who use them should do the same. Otherwise, we’ll suffer from the fact that many of these devices do not get patched often but do get closer and closer to the critical systems we use in our businesses every day.
Kevin Mahaffey image via Meghan Kelly/VentureBeat