April 3, 2014 No Comments-
Kristian A. Bognaes, Director, Norman Safeground Development Center
- Something that we keep hearing more and more frequently is the term ‘internet of things’. I have earlier covered some curious cases of alleged spying through water boilers and refrigerators. One case mentioned in the news these last days is similar, but involves unauthorized use of computing power rather than spying.
Non-PC hardware used for Bitcoin mining
One property of digital currencies is that one can convert computer power directly into money (if the digital currency is convertible, that is). Currencies like Bitcoin have a value, also when stolen CPU power is used to create (mine) them. We’ve seen many examples where computers have been cracked and whole networks of mining ‘drones’ have been employed without their owners approval or even knowledge.
Just the other day, another strain of Bitcoin-mining malware was found and reported by Johannes Ullrich, a researcher at SANS institute. What makes this case stand out was that the malware was found on a common brand of closed-circuit camera recording devices. Even more special is the fact that these recording devices do not use Windows or Linux, but are embedded devices containing ARM processors. Even though the ARM is not terribly efficient when it comes to digital currency mining, it is just a matter of having enough devices available.
Unfortunately, it is easy to forget that password rules and network protection are becoming as important for embedded devices as for your PC, Mac or Linux workstation. The DVR’s in question were set up with default passwords that many users never thought of changing, apparently. In addition, it is very convenient to use existing network infrastructure when wiring up closed-circuit camera systems. The drawback with this, of course, is that the systems are exposed to the internet. While the main concern with cloud-enabled embedded devices has been spying and the theft of data, we now have to be concerned with theft of CPU power as well.
Speaking of the Internet of Things…
Another news story that has been breaking recently is one concerning a certain electric car and the passwords that allow owners to track and unlock their cars via a cloud service. This news story seems spectacular, but it really boils down to basic password security. A researcher found that he could guess the password on the car’s internet portal an infinite number of times without the account being locked. This should be an easy fix. It teaches us, once again, that it is often simple things like a lack of password complexity that may break security. Whether it is your car or your e-mail account – always practice safe passwords!
Norman Safeground Blogs Archive