X

Is your TV virus-proof?

As more cars and home appliances get networked, owners run a greater risk of contracting computer viruses.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
7 min read
The kitchen has long been considered a breeding ground for germs, but you probably don't expect your toaster to infect your cell phone.

A variety of consumer products--from smart phones to digital theater boxes, and from car navigation systems to home security gear--have gone digital. In addition, wireless connectivity has become a cheap add-on for gadgets.

News.context

What's new:
A variety of consumer products--from smart phones to digital theater boxes, and from car navigation systems to home security gear--have gone digital.

Bottom line:
With that new technology comes exposure to a digital ill already the scourge of PC users: computer viruses.

More stories on this topic

With that new technology comes exposure to a digital ill already the scourge of PC users: computer viruses.

"Like humans in a sterile environment, an unconnected device has no chance of infection," said Dan Cregg, vice president of home-automation company Smarthome. "But once you are connected to the outside world, then you are in danger."

Experts agree that with a rapidly expanding landscape of network-ready consumer products, there will be an explosion in opportunities for virus writers. While that hasn't happened yet, it's easy to see how and why it could, said experts.

Today's viruses and "bot" software aim to infect PCs and steal information, or to draft the systems into an online army that obeys the original attacker. Tomorrow's malicious code could disable home security systems, tinker with the TV, steal digital music collections or even lead a driver astray.

"The world of tomorrow includes all sorts of devices connected to networks via wireless, and this will present us with a new set of challenges and threats targeted at relatively vulnerable devices," Ajei Gopal, senior vice president of technology at security software maker Symantec, said in a speech at the Harvard Business School last month.

Ripe for infection?
Though many future devices could be attacked by computer viruses, others will be immune.
Device: Home automation

Danger: Switches and sensors can't be infected but could be controlled. Central server could be an infection point, especially if connected to the Internet.

Device: Smart phones

Danger: Cell phones, which increasingly resemble small computers, will be a likely target of viruses that gather identity information.

Device: Home media centers

Danger: Most are based on a PC and a standard operating system, so could come under attack as more people connect their devices to the Internet.

Device: Cars

Danger: Though cars have a myriad of processors, most cannot be programmed remotely. GPS navigation computers could be a target, but offer little of value to attackers.

Device: Home appliances

Danger: From Roomba vacuums to Internet-connected refrigerators, more devices have processors and bandwidth connections, but they hold little information of appeal to intruders.

Gopal also said that security software companies are at least thinking about how to minimize the danger of such threats. "Creating better protection for the mobile environment is critical, and these are issues that must be addressed in both (networking) infrastructure and on the devices."

As yet, there has not been a full-blown attack on non-PC devices. Mobile phones, which a report last week from IBM highlighted as the next major target of viruses, have just begun to attract writers of malicious programs. Some malicious cell phone programs--particularly the Cabir and Skulls viruses--managed to trick some people into installing them, though they did not become widespread.

The IBM report predicted, however, that the cell phone viruses will spawn a number of offshoots, because the source code for Cabir has been released. It also said that malicious programmers are likely to increasingly focus on finding new ways into systems, using the relatively recent Bluetooth wireless protocol and voice over IP, for example.

An antivirus company said last month that a Lexus car dealership had found a virus infection in the GPS navigation computers in several of its luxury cars. In fact, the reported infections turned out not to exist. Some technology experts believe that virus writers aren't interested in going after less common devices yet.

"Most hackers and virus writers that are trying to use your assets will program for the common denominator," Smarthome's Cregg said. "For computers, they program for Internet Explorer, not Apple's browser. Likewise, there are not that many people on non-PC platforms to make development worth it."

David Emm, a senior technology consultant with Russian antivirus specialist Kaspersky Labs, was asked by one of his company's customers to investigate the possibility of infecting a Lexus. Though the

query was little more than an attempt to test out a theory, Emm believes the problem could become real in the very near future.

"I think that we're going to see more wireless-type threats, and it's not hard to imagine that once people have figured out ways to successfully infect phones and PDAs, they will look to these other kinds of products," Emm said. "And you have to consider that the (wireless attacks) we've seen so far have been pretty basic, but there's a lot more potential out there already for producing subtle threats that are easier for end-users to miss."

Bluetooth is going to be an attack point on a lot of devices
--Stuart McIrvine
Director of corporate security strategy, IBM

The recipe for vulnerability is fairly simple. As illustrated by the Cabir worm, which uses the Bluetooth short-range wireless feature of smart phones to infect other devices, almost any product with a processor, sufficient memory and some kind of network connection could easily become a target.

With the proliferation of wireless technology such as Bluetooth, devices are increasingly communicating with each other. That connectivity makes it easier for malicious software to spread quickly.

The problem could grow quickly, given the slew of consumer products launched last year that added wireless hook-ups, such as Bluetooth connectivity, to previously networking-free items.

"Bluetooth is going to be an attack point on a lot of devices," said Stuart McIrvine, the director of corporate security strategy at IBM. "A lot of applications that are supporting the technology are vulnerable."

Breakfast of champions?
If the thought of Cabir in the navigation system of your car isn't scary enough, consider that the virus could someday sink its teeth into your breakfast.

At January's Consumer Electronics Show in Las Vegas, home-electronics makers introduced all kinds of appliances with wireless networking in the mix.

One of the quirkier applications of wireless technology in the home came from Salton, best known for the George Foreman Grill. The company introduced coffee makers, microwave ovens and bread-making machines, all with Bluetooth inside the box.

Experts agree that attacks via wireless vulnerabilities will undoubtedly happen in smart phones and personal digital assistants, or PDAs, before being turned toward other products. But many argue that the shift from such communications devices to other machines won't take long. Any device connected to a network--even one that isn't wireless--could be at risk.

Smarthome's home-automation products will not be a standalone target for viruses, but they could be vulnerable to a virus after it has infected a home computer, Cregg said. Home-automation devices allow a central

computer, or hub, to control appliances and lighting by sending commands through the power lines and over wireless networks.

However, many home-automation systems don't use a central computer and are "closed," or not connected to the Internet outside.

The real money--and the juicier target for hackers--is in information stored on PCs and personal digital assistants, Cregg maintained. Home-automation networks are not going to be an attractive target, he said. He did not discount the possibility, however, that terrorists may one day try to sabotage homes as an attack--distributing a virus to shuts down home furnaces during a cold snap, for example.

Digital media networks--which link computers, TVs and stereos--are another matter. Though a home user may not have personal and financial information stored on devices such as personal video recorders, or PVRs, the media files could be considered valuable. Microsoft's media-focused operating system, Media Center, is built on top of the Windows XP operating system. That means that creating a virus to infect home entertainment networks is much simpler.

PVR maker TiVo argues that its Linux-based devices are more resistant than machines based on Windows. The open-source operating system has few computer viruses and worms written for it, said Jim Denney, TiVo's director of product marketing. The PVRs also cannot access the Internet on their own, which aids security, he said.

"Software doesn't get installed onto the device unless we install it," he said. "There is also a 'bang for the buck' issue. It is probably easier for virus writers to focus on a general platform like the PC."

One of the biggest dangers in building wireless capabilities into home devices is that the manufacturers typically haven't given much thought to security, said Paul Stamp, a consumer-electronics analyst at Forrester Research.

"Companies have the tendency to give people that nice widget that they don't really need and not inform people of the increased risks they might be exposed to," Stamp said.

And since it has taken years for consumers to begin to understand the threats to their PCs due to the Internet, it will take a long time for owners of wireless devices to see the potential threats, Stamp said. Meanwhile, virus writers have the time to learn how to bury worms and other attacks deep into the fiber of all sorts of machines.

"In many cases, the end-user isn't given the opportunity to mitigate this risk by turning something like wireless connectivity off," Stamp said. "The manufacturers aren't thinking about security, they just want to add that cool new functionality."