Black hats and whitegoods

Black hats and whitegoods

Summary: The Internet of Things will soon become a serious security problem unless we start dealing with it right now. "Our dishwashers will kill us!"? Not quite. It'll be the tumble dryer — coordinated by the TV.


commentary The Internet of Things will soon become a serious security problem unless we start dealing with it right now. "Our dishwashers will kill us!"? Not quite. It'll be the tumble dryer — coordinated by the TV.


Your fridge could be attacked. (Credit: LG)

With dozens of smart, internet-enabled devices connecting to the grid, the risks are certainly multiplying. Are manufacturers paying enough attention to security? I suspect not.

I spent most of yesterday in an AusCERT conference stream covering SCADA industrial control systems, resilient enterprise networks, smart meters, hardware security and the like. The discussion was held under the Chatham House rule, so I can't attribute comments to specific individuals. But I was left with the distinct impression that the bad guys are indeed winning. Again.

Up at the industrial and critical infrastructure end it's all talk of Stuxnet versus SCADA, just like it was at the RSA Conference in February. Iran is already claiming to have been hit by a next-generation Stuxnet, a thing called Stars, and experts reckon we'll probably see low-rent copies of Stuxnet within a year. The information is out there, gleaned from reverse-engineering Stuxnet, and the technology is attractive to criminals.

Why run a protection racket against a casino when you can threaten an entire oil refinery?

Now, the energy industry already understands the risks involved with operating critical infrastructure. Or at least it thinks it does, and it spends time and money working on the problem. Other industries are less knowledgeable. That'll be a challenge, and some of what we're hearing isn't good.

SCADA networks are scanned and probed and hit with distributed denial-of-service attacks (DDoS) with increasing frequency. They can be taken over simply by inserting a USB key into a network-connected PC. We saw that demonstrated live on stage. You can't stop the worm spreading through the protected network because it uses the same ports as SCADA itself. If you block those ports to block the worm, you also block your ability to control your own system. That's a win for the attacker.

"The bad guys know as much about our networks as we do," said one clued-up network defender. "The cat and the mouse? The cat is always going to win, and we've got to build smarter mice."

That doesn't exactly sound optimistic.

However, it's the consumer arena that really needs more attention.

Once smart meters get installed — as is already happening in parts of Australia — we'll soon have devices connected to both the energy company's wireless mesh and the home LANs and WLANs. This means that they're potential gateways. TVs now come with webcams and microphones, so they're potential monitoring devices. Appliances from air conditioners to swimming pool filter pumps have the potential to affect the physical environment. In-home displays can be fed false data.

As one presenter put it, "From the smart meter point of view, every device in the house is potentially hostile." Where is the network boundary here? Who's responsible for what? At this stage that's unclear.

What about the security of these devices? We were shown myriad ways to extract the encryption keys from hardware. As Stephen Wilson from the Lockstep Group tweeted, "I've always thought key management is like car engine maintenance circa 1910. Not for the faint hearted. Nor the future. The science is fine, but the engineering clunky and supply chain totally f***ed up. Crypto keys matter to users as much as DLLs."

Or, as a conference presenter put it, "Key management is epic fail for many systems."

That doesn't exactly sound optimistic, either.

Communications minister Senator Stephen Conroy once used the smart dishwasher as his NBN wonder story. It'd negotiate its own electricity price late at night and you'd save a fortune. Why hack the well-protected PC to rope it into a botnet when you can DDoS from the kitchen appliances?

Or, after last month, the PlayStation?

When was the last time you heard a whitegoods or consumer electronics manufacturer talk about network security? You certainly don't see them at the conferences.

We've been here before. We hooked our PCs into the internet. They got pwned; we didn't know any better. We hooked our smartphones into the internet. They got pwned; we'd forgotten that smartphones are computers, too. Now we're hooking TVs and tumble dryers into the internet. Falling for this trap a third time wouldn't be a good look. So far it's all questions with very few answers, and time is running out.

Topics: Security, AUSCERT


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • There is actually a consumer backlash against this. Customers are sick of computerized washing machines that cost $200 to have a circuit board replaced, and are demanding in ever increasing numbers for the "old fashioned" mechanical timers for washing machines, dryers, dishwashers etc..

    I, for one, don't need an IP address for each individual piece of cutlery in the house.

    When it comes to "smart" metering, I will decide when to operate an appliance. There is no way that I am going to allow an energy supplier to kill the stove mid-cooking, nor will I stand for the desperately needed air-conditioning being shut down down between 2pm and 6 pm in the afternoon.

    When it comes to the existing FIR technology that is used to turn off-peak hot water on and off and even X10 systems that can adjust your lighting and heating automatically, the data transfer rate is far too slow for anyone to be concerned about information disappearing from their PCs.
  • But what if by allowing them to turn off devices you could pay a much lower rate for electricity? Or it was the choice of having some, or none? Networks will need all the help they can get, I fear.