Author: Alan Grau, VP of IoT, Embedded Systems, Sectigo
Date: 11/01/2019
Cyberattacks are on the rise worldwide. Most of the attacks that generate big press coverage are very dramatic and well-documented. We have all read about malware attacks; Denial of Service attacks that shut down factories, governments and large international businesses, and even portions of the Internet; and ransomware attacks that hold small businesses hostage or take advantage of hospitals, local governments, schools, and other easy-to-infiltrate targets.
In addition, there are entire classes of lesser-known attacks on cars, planes, utilities, etc. One of the most classic is the Stuxnet attack on Iran’s uranium enrichment industry, which took control of the rapidly spinning centrifuges themselves and caused them to essentially self-destruct. Another well-documented attack is the Mirai botnet attack that took control of millions of “slave” devices, forcing them to send out more malware and packet flood attacks, crippling a variety of websites and Internet services.
These kinds of botnet attacks are insidious and can also target any connected appliances and small IoT devices within a home or a business.
As they are not an obvious vector for cyberattack, the embedded electronics inside appliances present an easy path of entry. It’s already been happening. According to Proofpoint and Business Insider, one of the first refrigerator incidents occurred in late 2013 when a refrigerator-based botnet was used to attack businesses.
Many manufacturers essentially ignore these types of appliance botnet attacks because, in most cases, appliances infected with botnet malware don’t really have much effect upon the appliance’s day-to-day operation. In fact, if a “smart” refrigerator gets infected by a bot, the homeowner might not even notice anything wrong.
However, these connected-appliance based cyberattacks are not limited to just refrigerators – and they are rarely one-off incidents. Almost any type of appliance can be hacked and used to host a botnet that could attack online targets. According to Wired Magazine, a botnet of compromised water heaters, space heaters, air conditioners and other big power consuming home appliances, could suddenly turn on simultaneously, creating an immense power draw that could cripple the country’s power grid.
A botnet attack can also impact the end user. What if the infected refrigerator decides to turn off and not turn back on? Without a way for the home user, or even a skilled refrigerator repairperson, to diagnose and cure a malware infection, all the food inside could go bad and the homeowner would be forced to replace their existing infected refrigerator with a new one. And, if the malware is still hiding inside the home’s WiFi modem, central PC, or network, the minute the homeowner plugs in the new refrigerator, it would be infected and instantly compromised as well!
Why Can’t the Homeowner Fix Their Infected Appliances?
There are two reasons that, once infected, most appliances cannot be disinfected by the end user in a home or a business.
First, there are no input/output connections or display screen to allow the home user to navigate inside the connected appliance’s CPU. Most appliances have no connection for a keyboard or a mouse to enable the end user to find and remove bad software, download new, improved software or middleware, or re-program the unit. Nor is there a connection for a display to enable the user to see and diagnose what is happening with their appliance or to review the appliance’s software to find the infection.
Second, unlike most home or work PCs running Windows, iOS or Linux, there is not enough memory and processing power to run a typical anti-virus or anti-malware program. Instead of a big operating system hundreds of gigabytes in size, most appliances run what is called an RTOS (Real Time Operating System), which is extremely small and actually resides inside the appliance’s chips and processors.
What is a Bot?
A bot, quite simply, is an infected computer. Many cyberattacks, like the Mirai malware and the Dyn attacks, infect a network of computers and computer devices, including “smart” connected devices such as home appliances, security cameras, baby monitors, air conditioning/heating controls, televisions, etc., and turn them all into compromised servers.
These compromised servers then act as nodes in an attack and together create a botnet. They can participate in a variety of coordinated attacks, infecting other devices and expanding the network of bots, or participating in Distributed Denial of Service (DDoS) attacks.
Figure 2. A bad actor or cyber criminal can send infected messages to a home or business network that target various appliances or machines. Once infected, that machine is under the control of the bad actor and can be used to send out thousands of infected messages to new targets worldwide
Without any apparent symptoms or notice, a criminally enhanced refrigerator could be generating and sending out thousands of attacks every minute. In addition to the homeowner never realizing what is going on, these attacks may be unstoppable until the machine itself is powered down or disconnected from the web.
Additionally, the infected refrigerator could spread malware from the kitchen to the home’s “smart” TVs, to the home’s computer networks, to other smart devices in the home, and even to connected smart phones. All of these computing targets could then be transformed into malicious bots that continue to attack other devices, further propagating the botnet, or could all be instructed to send a flood of messages to a single target as part of an overwhelming DDoS attack.
Figure 3. It is critical that connected appliance and device manufacturers protect all the end nodes on the IoT, not just servers and network nodes
Protecting the Edge Is up to Manufacturers
So how do appliance manufacturers combat the threat of botnets? What can they do to prevent appliances and connected edge devices from becoming infected?
Unfortunately, as detailed above, end users and repair people really have no power to fix this problem. This means that it is up to device manufacturers to protect against these attacks.
Security needs to start at ground zero in the actual design process for the refrigerator itself, in the manufacturing plant, as well as in the supply lines and factories that furnish the various electronic components and control surfaces integrated into the appliances.
As most appliance manufacturers get their control sub-assemblies from a wide network of smaller manufacturers, sometimes with a worldwide supply chain, these suppliers need to make sure that the chips and sub-assemblies they use are secure from hacks.
Here are two critical security practices that should be implemented by appliance makers:
· Secure Remote Updates and Alerts – Validate that firmware is authenticated and unmodified before permitting installation of any new firmware update. This validation ensures that the incoming software components have not been modified and are authenticated download modules from the appliance manufacturer.
· Embedded Firewall with blacklist, whitelist and Stateful Packet Inspection (SPI) support – Protect appliances and edge devices from attacks by building firewall technology directly into the appliance. An embedded firewall can review incoming messages from the web or over the home network and, via a built-in and regularly updated blacklist, reject any that are not previously approved. SPI filtering rejects packets that attempt to exploit weaknesses in the TCP protocol as part of denial of service attacks.
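The second practice, as an added illustration (not Sectigo’s product code): a minimal embedded filter in C, as it might sit in an RTOS network stack, combining a blacklist, a port whitelist and a bounded SPI session table. The packet layout, the blacklisted address, the served port and the table size are constructed placeholder values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Inbound packet as an RTOS stack might hand it to the firewall. Constructed
 * for this example; a real filter parses these fields from the raw frame. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10
typedef struct { uint32_t src_ip; uint16_t dst_port; uint8_t flags; } packet_t;
typedef struct { uint32_t ip; uint16_t port; } session_t;

/* Hypothetical policy: manufacturer-updated blacklist of known-bad sources,
 * whitelist of the one port the appliance serves, bounded SPI session table. */
static const uint32_t blacklist[]  = { 0xC0000201u };   /* 192.0.2.1 */
static const uint16_t open_ports[] = { 8883 };          /* MQTT over TLS */
#define MAX_SESSIONS 8
static session_t sessions[MAX_SESSIONS];
static int n_sessions = 0;

static int find_session(uint32_t ip, uint16_t port) {
    for (int i = 0; i < n_sessions; i++)
        if (sessions[i].ip == ip && sessions[i].port == port) return i;
    return -1;
}

/* Returns true if the packet may be passed up to the application. */
bool firewall_accept(const packet_t *p) {
    for (size_t i = 0; i < sizeof blacklist / sizeof *blacklist; i++)
        if (p->src_ip == blacklist[i]) return false;            /* blacklisted */
    /* SPI: drop flag combinations no legitimate TCP stack sends (SYN+FIN, or
     * none of SYN/ACK/FIN/RST); these are aimed at weak TCP implementations. */
    if ((p->flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return false;
    if ((p->flags & (TCP_SYN | TCP_ACK | TCP_FIN | TCP_RST)) == 0) return false;
    int s = find_session(p->src_ip, p->dst_port);
    if (s >= 0) {                                                /* established */
        if (p->flags & (TCP_FIN | TCP_RST)) sessions[s] = sessions[--n_sessions];
        return true;
    }
    /* Otherwise only a bare SYN to a whitelisted port opens a session, and a
     * full table drops new SYNs rather than growing without bound. */
    if ((p->flags & (TCP_SYN | TCP_ACK)) != TCP_SYN) return false;
    for (size_t i = 0; i < sizeof open_ports / sizeof *open_ports; i++)
        if (p->dst_port == open_ports[i] && n_sessions < MAX_SESSIONS) {
            sessions[n_sessions++] = (session_t){ p->src_ip, p->dst_port };
            return true;
        }
    return false;
}
```

A bare ACK from a peer that never completed a SYN is dropped, and a FIN or RST from an established peer closes its slot, so the table cannot be pinned full by stale entries.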
Most consumer and device manufacturers are familiar with the potential for attacks on smart devices like door locks, baby monitors, and home thermostats, but this risk awareness needs to expand to all types of connected systems – including appliances.
An infected refrigerator sending out malware is not just a funny story. Ensuring the security of these devices is necessary to protect home networks, slow the spread of malware, and even protect credit card numbers or other personal data stored in smart home devices.