All aboard the internet of things infosec hype train

Myriad new connected devices may represent an easy target, but criminals are still making plenty of money by hacking what they've always hacked. So why bother with Refrigergeddon?
Written by Stilgherrian, Contributor

"My tech vendor 2015 predictions media release: Buzz, acronyms, and veiled sales pitches will continue to dominate tech landscape. Stop," tweeted Tim Marshall, whose day job is, um, public relations for a tech vendor. Please dispense a full dose of irony supplement lozenges immediately.

Jokes aside, Marshall is spot on. My inbox overfloweth with vendor press releases touting information security predictions for 2015 that, put together, represent a collective statement of the bleeding obvious.

Mobile devices will become more popular targets. Ransomware will continue to be successful. Distributed denial-of-service (DDoS) attacks will continue to get bigger. Poorly secured point of sale (PoS) systems will continue to provide easy entry into retailers' networks. We'll keep discovering nasty security holes in code libraries that we'd assumed were solid. Consumers will continue to blurt out their personal information in exchange for smartphone-based trinkets and gimmicks. Hackers will get trickier. More and more complex hacks by mysterious "nation-state actors" will be revealed. Something about the cloud.

All that is obvious, because every infosec vendor is looking at the same "threat landscape", as we must call it these days. Every vendor's customers continue to make the same mistakes in the face of those threats, thanks to the universal constants of human nature and corporate incompetence. Criminals will continue to go for the easiest, most lucrative targets. And nation-state spooks will continue to be spooky.

It's fish-in-a-barrel stuff, really, like predicting that there'll be drunken awkwardness at the office Christmas party.

The zeitgeist gorilla of 2014 has of course been the Internet of Things (IoT), aka the internet of everything. Given that technology vendors and analysts have generally spent the year telling us that IoT is both huge and inevitable, it's only natural that security vendors now tell us that it's also scary -- and that we'll need their protection.

Here's Symantec's version, as handed out to journalists in Sydney on Tuesday: "Attacks on the Internet of Things (IoT) will focus on smart home automation. With smart home automation gaining popularity amongst consumers across Asia-Pacific and Japan, Symantec anticipates that commoditised 'plug and play' consumer devices such as CCTV cameras and remote access controls for alarms, lighting and climate control will be exploited by cybercriminals."

Here's a similar warning in a press release from Fortinet's FortiGuard Labs: "In 2014, we saw an interesting shift -- namely, Heartbleed and Shellshock -- focused on server-side vulnerability and exploitation. Looking forward to 2015, we fully expect this trend to continue in an alarming way as black hat hackers pry open the Internet of Things. Hackers will continue to follow the path of least resistance as more and more devices are connected to the network."

And here's a version from Intel Security's McAfee Labs Threats Report (PDF) for November 2014: "The increasingly vast deployment of IoT devices combined with the lack of robust security represents a burgeoning threat to the privacy and security of both individuals and companies."

But wait a minute.

It's nearly a year since I warned of the chilling scenario of Refrigergeddon. Heck, it's three and a half years since I wrote about the threat of black hats and whitegoods. And you know what? It hasn't happened yet. And you know why? Because the bad guys are still making plenty of money by hacking the things they've always hacked, in the same, comfortable ways.

So I was glad to see some cynicism amongst the predictions.

"The Internet of Everything will not bring a rise of machines. Indeed, embedded computing devices are already everywhere and have security flaws, while today's cybercriminals typically don't just hack for the sake of it. They need motivation. After all, there's not much value to having control of your watch or TV at this point, so we won't see hackers targeting them directly, at least for now," David Higgins, WatchGuard Technologies' ANZ country manager, told ZDNet via email.

As Kelly Jackson Higgins, executive editor of Dark Reading, observed, we've known about the IoT security nightmare for maybe five years, ever since research by HD Moore and others uncovered all manner of vulnerable systems: Voice over IP (VoIP) systems, home DSL routers, industrial SCADA systems, printers, video conferencing systems, you name it.

"They had built-in back doors, hard-coded credentials, just stuff that was put in there basically for administrative reasons, but were security nightmares," Higgins told Mandiant's end-of-year review webinar last week.

But perhaps things are about to change.

"This year at Black Hat and Defcon ... there was a lot of research presented about security bugs in consumer systems. And a lot of them were things that have public safety and physical safety issues: Cars, the TSA checkpoint systems, satellite ground terminals, cellphone networks, home automation systems, and even baby monitors. All these devices had similar vulnerabilities [to those that HD Moore found]," Higgins said.

"Is this really, finally, going to start solving the security of these devices, if we have public safety at risk?... The researchers themselves are still a little bit ahead of the attackers -- at least, the researchers believe that -- which is a good thing. But this really, to me, was a big turning point."

I'm not so confident. Startupland geniuses, convinced they'll make their fortune with an app that starts the toaster when their smartwatch tweets that they're ready for breakfast, have always been cavalier about security and privacy. Some dimly remembered news report of a baby-killing internet toaster is unlikely to trigger a sudden change in their ethics.

Symantec does qualify its warning: "[W]e won't see any large-scale attacks leveraging IoT, but instead one-off attacks against connected devices such as home routers, smart TVs, and connected car apps, for example, for sensitive and private information."

But this brings me back to my core point. Sure, IoT represents a glorious greenfield for new attacks, but why bother?

According to Higgins, the CryptoLocker ransomware earned its creators $27 million in its first two months of operation alone, and a total of around $100 million in its first year. Arrests followed, but since then, there's been an evolutionary explosion of ransomware variants. One of them was spotted executing 44,000 infections in a single day.

That's still going to be easy money in 2015. There'll be time for the IoT folks to sort out their mess, and not fall victim to a Refrigergeddon, right?

I'll be wrong, of course.
