Our hackers, who art in open source, deliver us from refrigerators

Our hackers, who art in open source, deliver us from refrigerators

Summary: Hacked smart refrigerators turned evil? The open-source community has an 'insanely critical' role in developing security standards to prevent this chilling scenario, says Cisco's chief security officer.

TOPICS: Security, Cisco

Yeah, look, I know we've been warning you about the imminent SCADAgeddon, when the nation's critical industrial control systems will all be hacked at once — from power grids and transportation systems to datacentre cooling systems and prison cell doors — cybering society back to the Stone Age. But forget all that.

Actually, don't forget it entirely, because it could still happen, right? (Be quiet, you dissenters up the back.) Just start being aware — because I'm telling you now — that things are actually far, far scarier. A threat of truly biblical proportions.


Few of us have SCADA systems at home. But we all have refrigerators. And televisions. And they're getting smart.

Hackers can turn smart TVs into surveillance devices. And refrigerators have started sending spam. It's only a matter of time before these once-trusted household appliances turn truly malicious.

Yes, Dear Reader, forget SCADAgeddon. I'm talking Refrigergeddon.

It's a chilling scenario.


OK, you'd be right to be sceptical of the spam-sending refrigerator. But security researchers have been warning us since at least 2011 that when it comes to security at the consumer end of the Internet of Things, time is running out.

"When was the last time you heard a whitegoods or consumer electronics manufacturer talk about network security? You certainly don't see them at the conferences," I wrote back then.

We hear warnings of imminent cyberdoom every year, of course, but a lot has changed since 2011. Smart household appliances have started rolling out in ever-larger numbers, and they're far more attractive to hackers than boring old home computers, tablets, and smartphones.

"Before, if you had to rely on the endpoints to spread and scale your attack, and you had people that turned off their computer at night, or they re-imaged the operating system, you lost a lot of that capability," Levi Gundert, head of research for Cisco's threat research group, told Australian journalists on Wednesday.

"With embedded devices, especially like refrigerators, just like with the cloud and the core internet infrastructure, you're going to have a lot more uptime, and you're not going to worry so much about losing those resources."

Plus, they don't have interfaces that tell you what's going on inside. A front panel or smartphone app might reassure you that, yes, your wine and mixers are still chilled and your vodka's still frozen — or whatever you have in your refrigerator — but there's nothing to tell you that it serves another master.

To avoid Refrigergeddon, we'll need security standards, according to Cisco chief security officer John Stewart. Just as every appliance has to conform to electrical safety standards before it can be plugged into the grid, smart appliances should conform to security standards before they can be connected to the internet.

"The only way to pull this off is to essentially have a bar that has to be got over. If nothing else, you could have something like diagnostic instrumentation on your refrigerator to determine, 'Is it chilling the eggs?', but 'Is it also generating spam or launching a DDoS attack?'," he said.

"We're going to probably start advocating [for this] pretty heavily — and I think so will the rest of our compadres in this Internet of Everything discussion... The open-source community is going to play an insanely critical role in this."

Stewart acknowledges that we hear security scare stories from vendors every year, but there are two key factors that mean things are different this year. One, many new and different devices are being connected to the internet in greater numbers. Two, in the last couple of years, we've seen a destructive power emerge — think of the Saudi Aramco attack.

"We can talk about refrigerators sending spam all day long, but the truth of it is, what we really want to be focusing on is exactly how many control systems are ensuring that the pharmaceutical industry is producing the right pill for you, the power is going to your house correctly, the water is not contaminated and is flowing at the right pressure. Each one of these systems is in a convergence paradigm over to IP [internet protocol].

"We've got to pay attention and wake up, because we're going to have a year — and maybe 2014 is or isn't it — that if we continue down the path at the pace that we're going, then we're going to have one of those years where we're not going to be able to say, 'Yep, we made it through another year, and it was tough, but we did a couple of things and we're OK.'

"We're going to hurt someday, and that's what scares me — that if we don't change the way we've chosen to go after these problems, then somebody's going to get hurt."

But for now, we're cool. For now.

Topics: Security, Cisco


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Embedded systems

    usually linux or android with no one to manage or patch them. Huge mistake.
    • Could be worse.

      Like your Windows fridge greying the screen, and popping up this message 5 minutes after you leave for the weekend:

      UAC: Your permission is required to continue.
      Click OK to install Compressor driver update.
      Compressor will not run until update is complete.
    • Lack of updates is the main problem

      It doesn't really matter what OS it runs, if enough time passes somebody will find some hole in it, whatever it is. We need these things to either simply not have Internet access our get updates continously while they do. Which fundamentally requires more standardization in the hardware and drivers in embedded services so that the amount of work required for updating them is manageable.
  • HOAH KAY Chicken Little. . . .

    Until the day that my refrigerator reaches out and tries to strangle/suffocate me,.. .. ..
    I'm NOT gonna worry about it.
    Far Fetched? Well, JAH, JUST a little.
    Maybe in 2033 or 2055 I'd be concerned. Today, tomorrow, next year. . . NOT!!!!
    • A possible type of attack;

      A freezer could shut off and let food that easily go bad get too warm, and then turn on again and refreeze it. That could make some types of food toxic.
  • THe last few articles I've read today. . . . .

    Are you writers on Dope or LSD or "?"!!!!!
  • ZDNet

    ZDNet contributors and authors, repeat after me.

    "It's not called hacking."

    Thank you.
  • «Art» has never been - and is not now - a plural form of to be

    Stigherrian, you might want to note that since in the above you are speaking to hackers, i e, more than one hacker, the proper form of the verb to be (present tense plural, all persons), even in olden times, was «are», and remains so today. «Art» was used only in the 2nd person singular».. ;-)

    • The Lord's Prayer

      mhenriday, you are obviously not familiar with the Christian religion or you would have recognized the title as being a parody of the beginning of The Lord's Prayer. I'm sure the author is perfectly aware of the correct use of the verb to be in normal language! ;)
  • He might be right

    my vacuum cleaner is looking at me suspiciously.
  • Networks...

    Go watch the opening episode of the (more recent) Battlestar Gallactica for one "everything networked" scenario.
  • A well known firm going back to the old days of the AC/DC controversy ...

    has been running "public image" ads (not directly selling anything) bragging about their networked "smart" devices: hospital/medical devices and software, locomotives, and jet engines. No mention of what could happen if these were hacked, but there HAVE been a few cases of X-ray machines with malfunctioning software that administered a fatal dose of radiation in one diagnostic session, not to mention what IV medication dispensers, respirators, EKG/EEG machines, etc. could do. And it's not hard to imagine what could happen with malware controlling a locomotive or an airplane's engines. In fact, a recent suspense show on TV had a terrorist hack into a train's controls with the intent of crashing it into another train in downtown Los Angeles while carrying hazardous chemicals. And another had the criminal remotely controlling a victim's car to cause a crash that would be blamed on DUI, while a supplemental explosion made sure the body was burned beyond identification.

    These scenarios are just a bit beyond believability now, but the line is getting closer. And the fact that "smart" devices do not have conventional PC interfaces to run anti-virus scans (if any are even written for them), but just it there like servers running silently and invisibly, does make them a potential future hazard.

    But notice that, before the appliances start directly attacking their owners, they can, and according to these reports are, acting as relay points in attacking other equipment, thus amplifying the efforts, and hiding the location, of spam and malware distributors.
    • Just noticed my own typos ...

      In paragraph 2: ... but just SIT therd like servers ...

      In paragraph 3: ... they could BE, and ... are, acting as ...

      When are they going to let us EDIT?
      • Typos.

        Your typo in a correction reminded me of another:

        A local newspaper reported, " ... the case was solved by Defective Fred Smith of the Derby Police Force."

        The 'correction' read, "Yesterday's report should have read ' ... the case was solved by Detective Fred Smith of the Derby Police Farce.' "
  • All Brits?

    Are all ZDNet commentators British? If not, why do they write about "datacentres"? We don't have those in America, we have datacenters. I see these British spellings consistently in the articles on ZDNet. What is the story here?
    • US v British spelling

      As this is a global organisation (note the British spelling!), there's no reason why every article should adhere to US spelling. We in the UK don't complain about US spelling - even though it's wrong ;) so please, US citizens, don't complain about British spelling. After all, British spelling is the ORIGINAL English!
    • Australian, actually

      I'm an Australian writer in Australia writing for ZDNet Australia, so oddly enough I write in Australian. I believe that the folks at ZDNet Japan write in Japanese. The horror!
  • One more!

    ... but just sit THERE like servers ...
  • Your headline grabbed my attention

    Making fun of the Lord's prayer is NEVER a good idea. I know you think you are being clever and cute, but it's just dumb, and dangerous. Get a real job maybe.
    Paul on the Mesa
    • God and humour

      If there is a god, he/she gave us humour, so what's wrong with mixing humour and religion. I'm sure god would appreciate it.