In the security community, engineers have their own name for the Internet of Things (IoT). They call it the “Internet of Insecure Things.”
“In the future, even light bulbs will be controlled by Wi-Fi,” said Kevin Curran, a senior member of the IEEE and a senior lecturer in computer science at the University of Ulster in Northern Ireland. “We’re headed toward a future where people are going to have to update their light bulbs. Are they prepared for that?”
It’s the devices that people aren’t all that worried about that will be the real security risk. Smart baby monitors, webcams, home security systems, thermostats, refrigerators and wearables are all little Trojan horses vulnerable to security exploits. The future implications are numerous and even extend to ad fraud.
The problems may start when consumers forget to update their IoT devices, which is quite likely. Many of those devices don’t even run security because they’ve got a finite amount of memory and slow processors, Curran said.
“These types of devices give cybercriminals a place to install their script and get a foothold into a network,” Curran said. “It’s low-hanging fruit. The exploits only get better over time the more plug-ins there are and the more people don’t update them.”
It’s the equivalent of rolling out a smart red carpet right to the open back door of the Internet of Things.
There’s even a website called Shodan that allows visitors to search for any devices that are connected to the Internet along with associated IP address and default passwords, which consumers often neglect to change. It’s like Google for IoT.
And because all things are connected, there is even a potential link to ad fraud.
“Even if a browser is not set up, it can be converted into an open proxy if you have a central computer to create viewable impressions and tunnel through all those devices,” said David Sendroff, CEO and founder of Forensiq. “There are IP addresses all over the country and the world that are being used for fraud. The Internet of Things is just a new outlet for proxies.”
There’s another saying in the security community, Curran said: “If you want to be secure online, don’t buy a computer – and if you do buy a computer, don’t plug it in.”
Although the Trustworthy Accountability Group, an industrywide fraud-fighting coalition comprised of the IAB, ANA and 4As, hasn’t made an official comment on the Internet of Things, malware is one of its major focus areas.
“Criminals promulgate malware through malicious piece of code, often through advertising, and then take over people’s computers and create botnets,” said TAG President and CEO Mike Zaneis. “From there they can generate fraudulent traffic at whatever levels they want and start pushing traffic to websites they own that have pirated content on it.”
In theory, there’s no reason this sort of activity will be limited to the realm of online advertising.
“One scary scenario is that somebody could buy a zero-day exploit for a particular type of home router, for example, that’s installed across the US,” said Forensiq chief scientist Mike Andrews. “And if they have the right network card, software on a desktop computer and a connection to the Internet, it’s possible to scan billions of IP addresses to find those devices and then, at a rate of maybe a million a day, they can go and install a headless browser to commit ad fraud that way and make a lot of money.”
Curran put it more bluntly: “In the future, when toasters are connected to the Internet, how do you know they won’t be running a spam botnet?”
Of course, it’s well known that fraudsters follow the money, which makes IoT-based fraud a future-facing scenario. But Alex Calic, CRO of The Media Trust, says his team has noticed “some early activity that makes us think the bad guys are testing what’s possible through those platforms.”
The Media Trust operates a malware monitoring network. Although the bulk of its business is around keeping an eye on the web, connected TVs and gaming consoles are also part of its purview.
“Smart TVs have apps on them and they’re a great playground for criminals to expand what they do,” Calic said. “As the ad tech ecosystem becomes more mature and capable and becomes better at targeting TVs and devices with advertising, you’ll start seeing the proliferation of malware.”
There are two basic types of security intrusions, Calic said. One is when people try to hack into a specific network or platform. The other involves using third-party code to get into those environments.
“Ad tech is the greatest third-party code there is – sign up for self-serve and you can get malware through the ecosystem pretty quickly,” Calic said. “Ad tech will lead the malware guys into those new environments. It’s simpler than a brute force attack.”
