Black hats and whitegoods

commentary The Internet of Things will soon become a serious security problem unless we start dealing with it right now. "Our dishwashers will kill us!"? Not quite. It'll be the tumble dryer — coordinated by the TV.

Your fridge could be attacked. (Credit: LG)

With dozens of smart, internet-enabled devices connecting to the grid, the risks are certainly multiplying. Are manufacturers paying enough attention to security? I suspect not.

I spent most of yesterday in an AusCERT conference stream covering SCADA industrial control systems, resilient enterprise networks, smart meters, hardware security and the like. The discussion was held under the Chatham House rule, so I can't attribute comments to specific individuals. But I was left with the distinct impression that the bad guys are indeed winning. Again.

Up at the industrial and critical infrastructure end it's all talk of Stuxnet versus SCADA, just like it was at the RSA Conference in February. Iran is already claiming to have been hit by a next-generation Stuxnet, a thing called Stars, and experts reckon we'll probably see low-rent copies of Stuxnet within a year. The information is out there, gleaned from reverse-engineering Stuxnet, and the technology is attractive to criminals.

Why run a protection racket against a casino when you can threaten an entire oil refinery?

Now, the energy industry already understands the risks involved with operating critical infrastructure. Or at least it thinks it does, and it spends time and money working on the problem. Other industries are less knowledgeable. That'll be a challenge, and some of what we're hearing isn't good.

SCADA networks are scanned and probed and hit with distributed denial-of-service attacks (DDoS) with increasing frequency. They can be taken over simply by inserting a USB key into a network-connected PC. We saw that demonstrated live on stage. You can't stop the worm spreading through the protected network because it uses the same ports as SCADA itself. If you block those ports to block the worm, you also block your ability to control your own system. That's a win for the attacker.

"The bad guys know as much about our networks as we do," said one clued-up network defender. "The cat and the mouse? The cat is always going to win, and we've got to build smarter mice."

That doesn't exactly sound optimistic.

However, it's the consumer arena that really needs more attention.

Once smart meters get installed — as is already happening in parts of Australia — we'll soon have devices connected to both the energy company's wireless mesh and the home LANs and WLANs. This means that they're potential gateways. TVs now come with webcams and microphones, so they're potential monitoring devices. Appliances from air conditioners to swimming pool filter pumps have the potential to affect the physical environment. In-home displays can be fed false data.

As one presenter put it, "From the smart meter point of view, every device in the house is potentially hostile." Where is the network boundary here? Who's responsible for what? At this stage that's unclear.

What about the security of these devices? We were shown myriad ways to extract the encryption keys from hardware. As Stephen Wilson from the Lockstep Group tweeted, "I've always thought key management is like car engine maintenance circa 1910. Not for the faint hearted. Nor the future. The science is fine, but the engineering clunky and supply chain totally f***ed up. Crypto keys matter to users as much as DLLs."

Or, as a conference presenter put it, "Key management is epic fail for many systems."

That doesn't exactly sound optimistic, either.

Communications minister Senator Stephen Conroy once used the smart dishwasher as his NBN wonder story. It'd negotiate its own electricity price late at night and you'd save a fortune. Why hack the well-protected PC to rope it into a botnet when you can DDoS from the kitchen appliances?

Or, after last month, the PlayStation?

When was the last time you heard a whitegoods or consumer electronics manufacturer talk about network security? You certainly don't see them at the conferences.

We've been here before. We hooked our PCs into the internet. They got pwned; we didn't know any better. We hooked our smartphones into the internet. They got pwned; we'd forgotten that smartphones are computers, too. Now we're hooking TVs and tumble dryers into the internet. Falling for this trap a third time wouldn't be a good look. So far it's all questions with very few answers, and time is running out.