2014 Threats Predictions: The Internet of Things Offers Handy Gadget Control, Yet Could Unlock More Than We Expect0
This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Toralv Dirro, Aditya Kapoor, and Cedric Cochin.
Many people are looking forward to the Internet of Things and how this trend can make our lives easier and more automated. But many don’t know what this means or how it already impacts us today. The idea behind the Internet of Things is that if people and many common objects in our daily lives were equipped with unique identifiers, then our computers could efficiently automate and manage these objects. Today there are many definitions, but central to all is the management of resources by computers, including mobile devices. To achieve this, these resources must be interconnected. And this is where we can see both benefits—and possible problems—for our lives.
Lots of devices already offer an intranet or Internet connection to make our dealings with them easier; just look at the average new television. Of course it works just fine connected to your cable, satellite, or aerial service. Now add a Blu-ray player and some TVs will automatically exchange information, adopt configurations, etc. For instance, the Anynet+ protocol will link your TV via a network cable or WiFi stick and download content from the Internet, while updating itself with the latest version. These are useful features, but they come with a risk. We have seen that attackers can exploit vulnerabilities in the set (basically it’s just a computer, running an OS and apps) to take over the TV and, for example, activate a built-in webcam. There are even alternate operating systems for some TV sets. If an attacker could take over a TV somewhere in a corporate network and use it to stage attacks on other machines, how would we ever suspect the TV could be the weak link? If this isn’t already happening as part of advanced attacks, we suspect it will occur in the coming year.
Vulnerabilities in Things extend much further than television. The European standard Meter-Bus (or M-Bus) was designed for the remote reading of gas and electric meters. Recently its radio variant, Wireless M-Bus, has gained a lot of popularity. The wireless aspect allows the remote management of lights, heating, electricity, alarm systems, and much more from a central unit using a special protocol. These systems have become affordable for home use and allow the owners to control appliances and other home services via smartphones and tablets over standard WiFi. Soon some houses will do away with keys to unlock doors and replace them with locks that use near-field communications or Bluetooth to identify the owners simply by their smartphones. Some Internet-connected locks will allow the remote locking and unlocking of homes, handy for letting in the house cleaner or the kids after school. What could possibly go wrong? For starters, if attackers can crack your home WiFi, they might easily open the doors to robbery attempts, without having to break in and attract undue attention.
The Internet of Things is still in its early stages. Yet we can foresee even more serious threats. Electric cars can now store and return electricity to the power grid. To do this, they will be connected to the home network and a smart meter, making remote attacks against a car and its systems (disabling brakes, etc.) much more feasible. We can also imagine potentially lethal remote attacks against medical devices such as insulin pumps. And these concerns don’t begin to touch the potential problems of various household or office devices updated by the “backdoor,” for good or ill, by their manufacturers.
In the coming years, having your ID stolen after a criminal compromises your home computer may seem a minor problem. Your security concerns will have to expand beyond traditional computing devices to make sure all networked objects are regularly updated and that you employ secure passwords.