Our hackers, who art in open source, deliver us from refrigerators

Hacked smart refrigerators turned evil? The open-source community has an 'insanely critical' role in developing security standards to prevent this chilling scenario, says Cisco's chief security officer.
Written by Stilgherrian , Contributor

Yeah, look, I know we've been warning you about the imminent SCADAgeddon, when the nation's critical industrial control systems will all be hacked at once — from power grids and transportation systems to datacentre cooling systems and prison cell doors — cybering society back to the Stone Age. But forget all that.

Actually, don't forget it entirely, because it could still happen, right? (Be quiet, you dissenters up the back.) Just start being aware — because I'm telling you now — that things are actually far, far scarier. A threat of truly biblical proportions.


Few of us have SCADA systems at home. But we all have refrigerators. And televisions. And they're getting smart.

Hackers can turn smart TVs into surveillance devices. And refrigerators have started sending spam. It's only a matter of time before these once-trusted household appliances turn truly malicious.

Yes, Dear Reader, forget SCADAgeddon. I'm talking Refrigergeddon.

It's a chilling scenario.


OK, you'd be right to be sceptical of the spam-sending refrigerator. But security researchers have been warning us since at least 2011 that when it comes to security at the consumer end of the Internet of Things, time is running out.

"When was the last time you heard a whitegoods or consumer electronics manufacturer talk about network security? You certainly don't see them at the conferences," I wrote back then.

We hear warnings of imminent cyberdoom every year, of course, but a lot has changed since 2011. Smart household appliances have started rolling out in ever-larger numbers, and they're far more attractive to hackers than boring old home computers, tablets, and smartphones.

"Before, if you had to rely on the endpoints to spread and scale your attack, and you had people that turned off their computer at night, or they re-imaged the operating system, you lost a lot of that capability," Levi Gundert, head of research for Cisco's threat research group, told Australian journalists on Wednesday.

"With embedded devices, especially like refrigerators, just like with the cloud and the core internet infrastructure, you're going to have a lot more uptime, and you're not going to worry so much about losing those resources."

Plus, they don't have interfaces that tell you what's going on inside. A front panel or smartphone app might reassure you that, yes, your wine and mixers are still chilled and your vodka's still frozen — or whatever you have in your refrigerator — but there's nothing to tell you that it serves another master.

To avoid Refrigergeddon, we'll need security standards, according to Cisco chief security officer John Stewart. Just as every appliance has to conform to electrical safety standards before it can be plugged into the grid, smart appliances should conform to security standards before they can be connected to the internet.

"The only way to pull this off is to essentially have a bar that has to be got over. If nothing else, you could have something like diagnostic instrumentation on your refrigerator to determine, 'Is it chilling the eggs?', but 'Is it also generating spam or launching a DDoS attack?'," he said.

"We're going to probably start advocating [for this] pretty heavily — and I think so will the rest of our compadres in this Internet of Everything discussion... The open-source community is going to play an insanely critical role in this."

Stewart acknowledges that we hear security scare stories from vendors every year, but there are two key factors that mean things are different this year. One, many new and different devices are being connected to the internet in greater numbers. Two, in the last couple of years, we've seen a destructive power emerge — think of the Saudi Aramco attack.

"We can talk about refrigerators sending spam all day long, but the truth of it is, what we really want to be focusing on is exactly how many control systems are ensuring that the pharmaceutical industry is producing the right pill for you, the power is going to your house correctly, the water is not contaminated and is flowing at the right pressure. Each one of these systems is in a convergence paradigm over to IP [internet protocol].

"We've got to pay attention and wake up, because we're going to have a year — and maybe 2014 is or isn't it — that if we continue down the path at the pace that we're going, then we're going to have one of those years where we're not going to be able to say, 'Yep, we made it through another year, and it was tough, but we did a couple of things and we're OK.'

"We're going to hurt someday, and that's what scares me — that if we don't change the way we've chosen to go after these problems, then somebody's going to get hurt."

But for now, we're cool. For now.

Editorial standards