The Internet of Things is growing fast, with one research firm estimating that it will include 26 billion devices by the year 2020. [1] While there are many benefits of things being connected to the internet and thus everything else, there are many concerns, especially ones related to security and privacy. This Friday, at a security conference, some of those concerns were highlighted when a researcher was able to install and run the video game Doom on a printer that was connected to the internet. [2]
The researcher who demonstrated the hack was Michael Jordon, and he wrote a blog post [3] detailing how it was done. He connected to the web interface of the printer (a Canon Pixma), which does not require authentication, where he could do things like see the status of the printer or print any number of test pages. The interface also allows you to perform a firmware update, and it even lets you change where the printer checks for the firmware update, which lets someone pretty easily provide a malicious firmware that does any sort of malicious thing like maybe spy on the documents that are being printed. Jordon decided to have the printer install and run Doom just for demonstration purposes.
Although being able to install and play Doom on a printer is kind of cool, it demonstrates some potential issues with the internet of things. Besides the obvious fact that more devices being connected to the internet means more cyber attacks, which is an issue even for "non-things," it shows some new problems that we have not really encountered yet.
First, it shows that cyber attacks can do a larger variety of things now depending on the physical object that is being exploited. This lets attackers spy on people in new ways through printers, televisions, cameras, kitchen appliances, etc. Cyber attacks can now be more physical in nature. Cars with computer-controlled devices in them (see: all cars) have been shown to be vulnerable to to attacks, letting attackers do things like shut down the brakes or engine. If these cars were connected to the internet, they could be attacked by anyone. As for humble printers, researchers at Columbia claimed that HP printers could be hacked and set on fire. [4] Although this might be difficult for an attacker to do, one can see the danger in things like ovens or toasters being connected to the internet.
Second, it shows that we really need to think about what we want connected to the internet, and perhaps the internet of things is growing too fast for people to make that decision wisely. Wireless printing is a convenience that for many people outweighs the risks, but I would guess that most people do not consider the risks, or more importantly do not even know the risks. This extends beyond consumers to the producers of internet-connected devices as well. Any device that may be part of the internet of things requires additional design and security considerations, and most likely there will be many products that do not make these considerations, either due to ignorance or to get the products on the market as quickly as possible, and thus they will be vulnerable to cyber attacks.
Really though, we should assume that nothing is secure, no matter how securely designed we think anything is. This is a problem with the internet now, but it will be an even bigger and more interesting problem as the internet of things grows.
[1] https://www.gartner.com/doc/2625419/forecast-internet-things-worldwide-
[2] http://arstechnica.com/security/2014/09/hacker-exploits-printer-web-interface-to-install-run-doom/
[3] http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/
[4] http://arstechnica.com/business/2011/11/hp-printers-can-be-remotely-controlled-and-set-on-fire-researchers-claim/
No comments:
Post a Comment