Hacked Refrigerators, APIs, and IoT Security
Botnets, in which networks of internet-connected programs communicate to perform malicious tasks, have been around for some time. But a recent botnet that used multi-media centers, home networking routers, televisions, and even a refrigerator to send 750,000 malicious emails was novel enough to generate a blizzard of media attention.
Should this have been a surprise? In Japan, companies have marketed home appliances with Internet connectivity for several years; it’s now routine for Japanese manufacturers to tout the ability of refrigerators to send text messages.
For information security professionals, the recent “refrigerator hack” confirmed what had been expected for some time. As more non-computing devices are turned into “smart” devices, these types of attacks—and the number and scope of devices hacked—will only increase. Consumers and businesses are increasingly demanding smart devices, but manufacturers continue to ignore the threats and pay insufficient attention to securing against them.
The purpose of smart devices is to exchange data over a network, and that exchange often requires authentication of the device and the user. It also requires that the data is vetted against threats. These are the same requirements that have existed since the start of computing, and the same protection needs to be applied to APIs and other parts of the IT infrastructure. In a complex computing environment, this requires a scalable API management platform with those capabilities built in.
In reality, attacks against the IoT date back more than a decade, depending how one defines “things." In 2003, for example, a computer worm penetrated a nuclear plant’s computer network and disabled a safety monitoring system. That same malware took down 13,000 Bank of America ATMs.
Printers have been hackable for years now. This problem is well known, and yet as recently as July 2012, The Guardian newspaper in the UK reported on security research showing that 25% of all HP printers remain vulnerable to hacking. There have also been a number of hacks reported against automobiles, including attacks against braking systems. German security firm Escrypt in particular has done extensive research in this area.
There have even been concerns for several years now about keeping pacemakers safe from hackers. This is fact-based, despite literally being a scenario from the television series Homeland. For example, former U.S. Vice President Dick Cheney revealed that his doctor ordered the wireless functionality of his heart implant to be disabled due to fears it might be hacked in an assassination attempt.
IoT security concerns aren't limited to the private or commercial sector. Even the U.S. Department of Defense has had some of its ‘things’ hacked—specifically, drones. The Pentagon has admitted that Iraqi insurgents have hacked U.S. drones repeatedly, and did so because the U.S. military had failed to encrypt the drones’ video feeds.
So what can we learn from these hacks on IoT devices? It’s a brave new world out there, but basic principles of security still apply. It is easy, and maybe even convenient, to forget about security considerations, but doing so puts your customers and your business at risk. It's important to select tools that give you the ability to detect whether a "things network" has been compromised, and that includes good API management tools.
These tools allow you to create secure networks for the IoT–which are often much more complicated than traditional enterprise IT architectures. They shouldn’t be overlooked.
image: Lars Plougmann/Flickr