Eggs, Milk, and Spam: What’s in Your Fridge?

More than 100,000 smart devices were hacked between December 2013 and January 2014 in a cyberattack that generated more than 750,000 spam messages. Some came from expected devices, like tablets. One source was unique: a refrigerator, according to Proofpoint, the cybersecurity firm that uncovered the attack.

How does a refrigerator send out spam? To handle communication and other functions, smart fridges have embedded computer processors that act as self-contained web servers. This particular fridge, as well as the other compromised gadgets, was either poorly configured or set up using default passwords—a classic mistake but one that hackers always expect and seek out. No serious damage was done in this case. But what if the owner of the fridge had decided to check on the contents from a work computer? That would’ve granted the hacker an entry point into the computer and, subsequently, everything in its network.

When Your Fridge Gives Away Your Passwords

In another instance, a smart fridge was designed to show a user’s email-synced calendar on its display. To secure integration, the manufacturer implemented SSL (Secure Sockets Layer)—but unfortunately didn’t add SSL-related security measures. The refrigerator wasn’t designed to validate SSL certificates. This gave hackers access to the user’s entire network, including the email account. Once hackers have this information, it’s only too easy to gain access to other sensitive information.

What’s a homeowner to do to maintain privacy?

“From a consumer point of view, you’re somewhat at the mercy of the vendor,” said Humayun Zafar, an associate professor of information security at Kennesaw State University. “If there’s a baseline flaw in a network device or an IoT device, then at best the consumer can do things like make sure the password they pick for that network is somewhat complicated. Don’t pick a birthday. Be a good digital citizen, so to speak.”

In addition, people can set up encryption models in their homes that de-identify data from all personally identifiable information, effectively protecting their privacy.

The Vending Machine with the Power to Shut Down a University’s Internet

People desperately seeking a soda or a candy bar have always found ways to hack a vending machine. Shake it, kick it, you name it—there’s a YouTube video that shows you how to get what you want. But now that vending machines are connected to the IoT, hackers are taking that to a new level.

At one U.S. university, several vending machines were among a group of 5,000 infected IoT devices that collectively cut off the school’s internet. The infection was designed to send out thousands of Domain Name System (DNS) queries to random seafood websites every 15 minutes, effectively creating a distributed denial of service (DDoS).

“There is notoriety,” said Zafar, in explaining the appeal of hacking. “Some folks break into things because it’s a challenge for them. They can put a stamp on the internet and say, ‘We were the ones who took down this bank or that school,’ without any financial repercussions or benefits whatsoever.”

To avoid falling victim, organizations must regularly assess security and resolve DoS-related vulnerabilities. The affected university, and all organizations, should also look into using network security controls such as services from cloud-based vendors that are designed to respond to IoT attacks.

The Stock Market Is Giving You Food Poisoning

Consider a large fast-food chain that prides itself on dishing up fresh food. As interconnected devices help to increase freshness and productivity, they also open the chain to many vulnerabilities. If the refrigeration system of a chain is hacked, for instance, this might mean that the chain cannot sell its product or, worse, that customers might get sick after eating spoiled food, among other possible outcomes. Hacking a refrigeration system would have an immediate effect on a public company in ways that wouldn’t occur to the average burger-eating citizen.

Think about it: If a public company takes a huge hit, its reputation and value could be damaged. “This is unfortunately where cyber criminals have become quite intelligent about world markets,” said Michael Parker, CMO of Armis, an IoT security platform that helps businesses protect their unmanaged devices. “They know what they’re doing. They’re not just stealing credit cards. They’re actually trying to hurt companies and shift the economic power.”

If a business has a large IoT infrastructure, protection is a bit tricky. Companies should look at implementing a flexible architecture-based defense that automatically identifies, mitigates, and contains an attack the moment it happens. Network segmentation creates separate zones across the IoT network. That means an IoT device can communicate only with its assigned destination. As a result, this technique can help prevent a single attack from sweeping across the network. However, segmentation alone is not enough to prevent breaches, especially since devices can connect externally and to each other, leaving another exposed surface. “Airborne” attacks can travel over wireless or Bluetooth connections, bypassing the network completely and spreading malware from device to device in ways that traditional security methods can't detect. At the end of the day, the most important thing to get right is the security in each and every internet-enabled device.

Agroterrorism Is as Scary as It Sounds

Climate-controlled farms all around the world allow for precision agriculture; they make use of IoT-enabled devices such as drones to inspect fields or spray pesticides, artificial lights programmed to adjust to the needs of the crops, automated tractors, and more. This connectivity can lead to a more efficient farm—and a more vulnerable production system. “The usual rule of thumb when it comes to anything regarding cyber is that as long as something is networked, it can be broken into,” said Zafar. “[Hackers] can shut down production. Now, if the drone, for example, is distributing some kind of pesticide based on timers, someone can actually breach the system and cause some havoc there.”

Food irradiation, electronic pasteurization, and the spraying of preservatives are permitted in more than 50 countries. These processes are potential targets for agroterrorism: the intentional contamination of a food supply with the goal of terrorizing a population and causing harm. If a hacker finds a way to enter the programmable logic controllers (PLCs) of the devices used to carry out these tasks, they can introduce dangerous chemicals into the food production plant. Or they could remotely shut down refrigerators to ruin supply or even create an explosion.

To avoid such situations, the security of IoT devices and cloud environments must be maintained. In addition, companies should ensure additional firewalls are in place, along with access control systems and network traffic monitoring.