Hackers may target smart appliances
New dangers created when refrigerators and toilets are added to increasingly connected world
LONDON — Come home to a hot iron and smouldering clothes this afternoon? Soon, it may not be a sign of forgetfulness, but rather evidence that you’ve been hacked.
In coming years, your smartphone will be able to lock your house, turn on the air conditioning, check whether the milk is out of date, or even heat up your iron.
Great news, except that all that convenience could also let criminals open your doors, spy on your family or drive your connected car to their lair.
“As these technologies become more sophisticated, it opens up a broader spectrum of threats,” said Gunter Ollmann, chief technology officer of IOActive, a tech security firm in Seattle.
A world of connected devices makes it possible “for the bad guys to have permanent entry into your household.”
What the industry calls “the Internet of things” has been heralded as the next wave of tech riches. By 2020, some 26 billion such devices may be connected to the Internet, up from three billion today, researcher Gartner Inc. estimates. That’s almost four times the number of smartphones, tablets and PCs that will be in use.
The vision is to connect almost everything — from cars to fridges, lamps, even toilets. Forget to flush? There’s an app for that.
Problem is, data security isn’t typically a big focus for toilet, refrigerator or baby-monitor manufacturers. Security lapses on such devices could allow bad guys to disrupt home life, gather valuable personal data, or even use stolen information to extort money from victims, Ollmann said.
Trustwave, a Chicago company that helps corporate clients fight cybercrime, hijacked a Bluetooth connection that controls toilets made by Japan’s Lixil Group. That could allow hackers to open or close the lid and even squirt a stream of water at the user’s behind, Trustwave said.
Lixil said it’s difficult to commandeer its toilets as hackers would need to connect their smartphone using a special remote that comes with the device, making abuse “a very rare case.”
Even some tech companies have created devices lacking sufficient protection. Ollmann’s group broke into a home-automation system from Belkin International, a company that makes mobile phone accessories and Wi-Fi routers. Belkin’s WeMo box fits over electrical outlets to control lamps, fans, coffee makers and other appliances via a smartphone app.
IOActive found a way to take over those switches, turning them into poltergeists that could turn on heaters and irons — a fire hazard and electricity waster. Belkin said it discovered the vulnerabilities and fixed them even before IOActive discovered them in an older device.
As home-automation technologies spread, appliance makers must educate buyers on security, said John Yeo, a director at Spiderlabs, Trustwave’s research unit. That would include stressing the importance of changing default passwords on such devices.
“This push to make everything under the sun Internet-connected, perhaps because it’s in many respects aimed at the consumer end of the market, hasn’t had much of a focus on security,” Yeo said.
Companies that produce the next generation of smart appliances aren’t saying much about the topic. Samsung, which makes washers that users can monitor from their smartphones, said in an email that it “takes the security of its products very seriously” and monitors risks. The company declined to comment further.
Sweden’s Electrolux is developing an interactive countertop, a white surface with hidden elements for cooking food and charging devices such as mobile phones without plugging them in.
Though not many criminal hackers are targeting such devices today, that will change once there’s a reliable way to make money from exploiting them, said Sebastian Zimmerman, a member of the Chaos Computer Club, a German hacker collective campaigning to raise awareness of security and privacy.
Criminals largely ignored mobile phones, he said, until mobile banking apps provided a way to get account information and made them more lucrative targets.
“It depends on the business case,” Zimmerman said. “As soon as you find interesting applications for exploiting appliances, I’m pretty sure people will do it.”
Some pranksters don’t need a profit motive. In April, an Ohio couple told television station Fox19 that they woke up to a strange man’s voice coming through their 10-month-old daughter’s connected baby monitor. The man was screaming obscenities and trying to awaken the baby, according to the report.
The maker of the baby monitor, Foscam Digital Technologies, had already released an urgent notice to users, reminding them to update devices from the default username and password and to download new software. The company says that when correctly configured, its products face “no known vulnerabilities.”
Still, the growing number of hackers interested in finding illicit gains from stolen information makes these devices tempting targets, said David Emm, a security researcher at security software company Kaspersky Labs.
“There’s a whole backdrop of a black economy” where criminals profit from taking control of phones and computers, Emm said.
“What we’ll see increasingly is other aspects of our life being drawn into that.”