[liberationtech] Your refrigerator probably hasn't joined a botnet

Alexandros Papadopoulos ap at member.fsf.org
Sun Jan 19 11:47:55 PST 2014


On 01/19/14 16:36, Paul Ferguson wrote:
> 
> This nonsense about refrigerators being part of a botnet is not an
> accurate depiction of the world we live in today, but more of a
> warning of where things can go wrong in the future, while
> technologists are rushing headlong into the Internet of Things (IoT).
> 
> While there are certainly some interesting real-world examples of
> unintended consequences of consumer devices being infected by Trojan
> Horse programs and other malware (e.g. digital cameras and picture
> frames coming directly into the retail market "pre-infected" from the
> manufacturer, hospital healthcare devices becoming infected by
> computer worms through incidental contact, etc.), most cases today are
> incidental.

Good collection of such pre-infected devices that gives one an idea of
how frequently this occurs: http://attrition.org/errata/cpo/

> Via BoingBoing:
> 
> "A mediagenic press-release from Proofpoint, a security firm,
> announced that its researchers had discovered a 100,000-device-strong
> botnet made up of hacked 'Internet of Things' appliances, such as
> refrigerators. The story's very interesting, but also wildly
> implausible as Ars Technica's Dan Goodin explains."
> 
> "The report is light on technical details, and the details that the
> company supplied to Goodin later just don't add up. Nevertheless, the
> idea of embedded systems being recruited to botnets isn't inherently
> implausible, and some of the attacks that Ang Cui has demonstrated
> scare the heck out of me."
> 
> http://boingboing.net/2014/01/18/your-refrigerator-probably-has.html
> 
> Don't get sucked in by the IoT marketing hype, but -- and it is a
> *big* but -- there definitely is a potential for this headlong rush
> into the Internet of Things to develop into the unfortunate situation
> where no one spent enough time thinking about the security posture of
> such actions. If no one spends time up front thinking about these
> implications, we can have a real mess on our collective hands.
> 
> - ferg

The problem seems more imminent to me.

I'm not as worried about a malware-infested IoT - as most end-user
computing devices are malware-infested already and even though these
devices are important and information-rich, civilisation has not ended.

What worries me most is that Internet-connected media devices (like
"smart" TVs) are ripe vehicles for taking wholesale surveillance from
its current level (location & communications surveillance) to a whole
new level (surveillance of your most intimate physical space - your
home, but also of course everywhere where TVs would be installed).

Smart TVs have significant advantages over mobile phones (abundant power
& network 24/7, excellent line of sight/sound into the center of the
action, stability), and they are engineered for features and cost, not
"security". See SeungJin 'Beist' Lee's presentation from BlackHat 2013
on remotely hijacking a smart TV and turning it into a surveillance
device for a demo:
https://media.blackhat.com/us-13/US-13-Lee-Hacking-Surveilling-and-Deceiving-Victims-on-Smart-TV.m4v

Easily within the technical capabilities of the intelligence agencies
and hey, if we have accepted location & comms surveillance without much
of a hiccup, it's only a small step to accept physical space
surveillance post-facto, say 10 years from now.

-A


