In December 2013, Check Point released its security predictions for 2014. At the top of the list of predicted new threats was criminals looking to exploit IP-based smart devices and appliances to gather personal information, or to launch attacks. However, we didn't expect that this prediction would be proved right within a month, with two security incidents involving a range of new devices.
First came the news that a massive data breach at two leading US-based retailers had resulted in the theft of credit card and personal information of 110 million customers. The attackers used "RAM scraping" malware, which they planted in the point-of-sale terminals at retail stores.
Even though these POS terminals are not computers in the conventional sense, they do have processors and RAM memory chips, and they perform basic computing functions—like reading the data from customers' credit cards, encrypting it and sending it to the retailer's back-end systems.
Getting into a scrape
The RAM scraping malware is designed to activate when new data is loaded into memory, before it is encrypted, grab the data (which includes the cardholder's name, card number, expiry date, and the three-digit security code) and forward it on to the attacker. While the POS terminals may not be directly connected to the Internet, the retail systems that run the terminals are usually Windows-based, need to be regularly patched, updated and properly configured, and are also probably connected to the Internet.
So an attacker who can find a way into a retailer's Internet server using a vulnerability may be able to move across to other local networks, and then to the POS systems and terminals themselves.
Second, there was the news that over 100,000 consumer devices including an internet-connected refrigerator, smart TVs and multimedia hubs helped to send more than 750,000 spam and phishing emails over the Christmas holidays.
Of course, it is commonplace for home and business PCs to be compromised by bots and used to generate huge amounts of spam and phishing emails, and to launch "denial of service" attacks on websites—but this attack is the first to be reported in which conventional smart household devices were used as part of the botnet.
The majority of the devices were not actually infected, but were simply left open so that attackers were able to exploit the software running on them to send and relay spam and infected emails. But this incident highlights just how resourceful attackers have become, and how unconventional attack vectors can be effective.
Now that attacks against smart devices have begun, they will only escalate. Analyst agency IDC forecasts that there will be 200 billion devices connected to the internet by 2020—compared with 5 billion devices today (approximately 1 billion PCs, 2 billion mobiles and tablets and another 2 billion devices such as temperature monitors, webcams, etc.).