Trails End Computer Club

Bulletin for the week of FEBRUARY 2, 2014

WEEKLY MEETINGS
EACH Wednesday 

Program or Lesson 9:30 - 10:30 AM
One on One Help 10:30-?
In the Library


SPECIAL INTEREST GROUPS:

If you would like to meet in a small group to discuss special computer related subjects or form a Special Interest Group lets discuss it.

Our bulletin is also available on line by visiting tecc.apcug.org and clicking on bulletin.


Our weekly program or lesson is intended
to be of interest to all computer users.
Following the program an allotment of time will
be available for one on one help to those
who want a better understanding of something done
 during the presentation.

Upcoming Events

Wednesday FEBRUARY 5, 2014 Meeting
 9:15 AM Set up your computer
 9:30 AM Lesson 5, Computer Maintenance
10:30 AM One on One help

IraSmart Appliances, New Target for Hackers, Already Compromised

by Ira Wilsker


WEBSITES:

http://www.proofpoint.com/about-us/press-releases/01162014.php

http://www.latimes.com/business/technology/la-fi-tn-refrigerator-hacked-internet-of-things-cyber-attack-20140116,0,5757808.story

http://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html

http://www.engadget.com/2014/01/17/internet-of-things-hacked-malicious-email-phishing/

http://rt.com/usa/hack-refrigerator-home-appliances-747/

http://www.wrcbtv.com/story/24493674/smart-refrigerators-and-tvs-hacked-to-send-out-spam-according-to-a-new-report

http://www.npr.org/blogs/alltechconsidered/2014/01/16/263111193/refrigerator-hacked-reveals-internet-of-things-security-gaps

http://www.komando.com/tips/index.aspx?id=15929&page=1


In recent years, I was a regular attendee of the massive, annual, Consumer Electronics Show (CES) held in Las Vegas. A few years ago, one category of items that most piqued my attention were the smart appliances. These smart appliances were early generations of major appliances that incorporated a functional computer in their design that offered the consumer a multitude of benefits. While many of the items demonstrated at the CES events that I attended were functional prototypes, some of the appliances are now making their way into the retail market.

Sometimes called "internet connected appliances", these smart appliances incorporate a small flat screen monitor, often a touch screen, that is somewhat similar to the common tablet computers that are readily available and often inexpensive today. Most of these internet connected appliances utilized the existing Wi-Fi connection, now common in many American homes, to communicate over the internet with the outside world. Almost all of these internet connected smart appliances used early versions of Google's Android or Microsoft's Windows operating systems. One company displayed major household appliances, such as a washer and dryer pair, that had a Wi-Fi connected touch screen not just to control the selection of functions, but also reported to the consumer such information as operating condition, malfunctions, service information, recalls, and other important facts about the appliances, utilizing the display along with emails and text messages to the consumer. Service calls could also be scheduled on the integral touch screen for any routine maintenance or repairs, with the device itself informing the technician of the problem and any required replacement parts before he leaves his shop for the consumer's home.

I was especially impressed with a prototype refrigerator that had a dedicated computer imbedded in it that was Wi-Fi connected, performed functions similar to the washer and dryer previously mentioned, plus added a UPC code reader to the functionality. The consumer could scan the UPC code of a grocery item with the device's reader, and create a printable shopping list. What was even more exciting was connecting the refrigerator via Wi-Fi and the internet to a simulated supermarket; the shopping list was printed in the order that the scanned items would be found in the supermarket aisles, or the order could be sent to the supermarket, with the desired groceries being carted by market employees for pickup or delivery. The simulated supermarket displayed its current ad on the device when requested, recommended sale items for selection or substitution, created digital coupons which could automatically be credited at time of purchase, and would otherwise save the consumer time and money.

These smart appliances are not some figment of science fiction, but are already appearing in peoples' homes. A quick visit to the store or website of any major seller of flat screen televisions will make abundantly clear the wide assortment of smart TV's currently for sale. These TVs are intended to connect to the home's broadband internet connection either via Ethernet (common networking cable), Wi-Fi, or direct internet connection provided by the cable or satellite providers. Web based services from the likes of Netflix, HuLu, Amazon Streaming Media, YouTube, and other digital content providers can already be received seamlessly on many of the TVs already in use and in the stores. These internet connected TVs currently available have substantial computer power built in to them, and run mostly on variations of existing operating systems from Apple, Google (Android), and Microsoft. as well as a few proprietary operating systems.

With the introduction of internet connected smart appliances, it was inevitable that someone would find a way to hack into them for nefarious purposes, which indeed has happened recently. In the past few days the media has been rife with stories of hacked smart appliances, mostly refrigerators, that have been incorporated as "zombies" in a "botnet" or cluster of purloined or hijacked smart devices, and used to send out massive quantities of spam and phishing (attempted identity theft) emails.

In a published claim by the security company Proofpoint, (proofpoint.com/about-us/press-releases/01162014.php), released on January 16, 2014, " Proofpoint Uncovers Internet of Things (IoT) Cyberattack - More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge". In their press release announcing the discovery of this form of cyber attack, Proofpoint stated that it " ... has uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household "smart" appliances. The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks. As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets."

Later in the same report, Proofpoint reported that cyber criminals have started to hijack soft targets in consumers' homes, including " ... home routers, smart appliances and other components of the Internet of Things" turning these intelligent devices into "thingbots" for the purposes of sending spam emails, committing identity theft, and a variety of other malicious activities. Proofpoint explains that these early generation smart appliances are "soft targets" because they were not designed and built with strong security measures in place, making them easily vulnerable to attack and hijack. These smart devices are especially attractive to miscreants for targeting because they do not typically incorporate the level of security widely utilized by more established technologies, including PCs, laptops, and tablets. These new smart devices are especially vulnerable to attack because they are poorly configured in terms of security, and often incorporate only factory default passwords; the default passwords have been widely circulated in hacker circles, and since similar devices often have the same default passwords, if one can be hacked into, they all can be hacked into. Also because these smart, internet connected devices have insecure default passwords, there is no need to use more traditional malware methods, such as trojans and viruses, to compromise those devices. At present, there is no readily available method or software that can secure these smart internet connected devices, such as there is security software and hardware available for PCs, tablets, and laptops.

The "thingbots" that Proofpoint uncovered was monitored by Proofpoint from December 23, 2013 to January 6, 2014. During this two-week period, waves of spam emails were often sent in bursts of 100,000, about three times a day. Of all of the spam emails monitored during this time, about one-fourth were sent by this "Internet of Things" consisting of the purloined multi media centers, internet connected smart TVs, home routers, and at least one internet connected refrigerator. Each device connected to the internet has an IP (Internet Protocol) address that identifies it to the internet; in this deluge of spam and other malicious emails, no more than 10 emails were sent at any one time from any individual device, making them difficult to block by traditional anti-spam blocking methods. Since such a small number of emails were sent at any one time from any compromised smart device, users would not likely have noticed any decline in device performance. If these same devices were to be used (as they still may be used in the future) for launching any massive, crippling "DDoS attacks" (Distributed Denial of Service attacks) used to shut down targeted internet servers and websites, then the users may notice a distinct decrease in performance of their devices, as their internet connectivity may be heavily used for nefarious purposes.

According to Proofpoint, this "Internet of Things", or IoT is massive, and increasing at a very rapid rate, compounding the massive degree of cyber threats that these devices may pose when compromised. In its posting on the problem, Proofpoint stated, "IoT (Internet of Things) includes every device that is connected to the internet - from home automation products including smart thermostats, security cameras, refrigerators, microwaves, home entertainment devices like TVs, gaming consoles to smart retail shelves that know when they need replenishing and industrial machinery – and the number of IoT devices is growing enormously. IDC predicts that more than 200 billion things will be connected via the Internet by 2020."

While these internet connected smart devices hold great promise to consumers and businesses, and become even more widely used than they are today, both the manufacturers of these devices and third party security vendors must devise a way to secure them from attack and hijacking. Just imagine if your internet connected home security system is hijacked allowing burglars unfettered access to your house; your smart home thermostat is hijacked by cyber vandals while you are away from home, and either make the home very cold or hot, especially during a freeze of heat wave; hijacked smart refrigerators run at improper temperatures, causing damage or destruction to the contents inside; microwave ovens cook for unintended times and power; and other potential unintended consequences of having insecure technology in our homes and businesses.

In order not to kill their extensive and growing market, it is inevitable that the makers of these "Internet of Things" devices will soon devise a way to secure these useful products.




Submit Your article; deadline for next bulletin is Tuesday noon each week. Only what you write may be published. We cannot publish other peoples work without written permission. Simply click here EDITOR AT TECC and paste your write-up to submit it.
Share your computer experiences with other members. We need articles to publish in the TECC Bulletin each week.

UPDATE YOUR MEMBERSHIP INFORMATION Change your e-mail address, unsubscribe to this bulletin, etc.  Use link below.
UPDATE YOUR MEMBERSHIP