The plundering of the Internet of Things has commenced. From a command center in a nondescript high-rise here in the heart of Silicon Valley, security start-up Norse has been gathering shocking evidence of hackers usurping control of Internet-connected appliances, everything from webcams to climate-control systems.
This latest expansion of cybercrime revolves around the IP address assigned to each computing device connected to the Internet. Criminals have begun capitalizing on the fact that many of the mundane digital devices we tie into the Web are easy to find and wide open to hacking.
"There's only one way onto the Internet, and that's through an IP address," Norse CEO Sam Glines says. "The adversary just wants IP space to launch attacks and doesn't really care if it's a baby monitor or a server at a Fortune 1000 company."
The bad guys are using automated programs to scan ranges of IP addresses for signs of vulnerable appliances. It's often a simple matter to take control by installing a few lines of malicious coding.
Norse has devised innovative technology for monitoring such cyberattacks in real time. A tiny sampling of its data, extracted exclusively for CyberTruth, revealed 724 infected appliances actively carrying out fraudulent tasks.
The corrupted appliances included firewalls, routers, modems, printers, DVRs, surveillance cams, webcams, IP cameras, VPN appliances, VOIP phone systems, FM radio transmitters, storage drives, video conferencing systems and climate-control modules. One of the big things these corrupted devices are being used for: payment card fraud.
"We are seeing credit card transactions from baby monitors, DVRs, TVs, printers, medical devices, you name it," says Tommy Stiansen, Norse founder and chief technology officer. "It's coming from all types of industries and from homes."
In a stunning demonstration, Stiansen clicked to the IP address for an activated ABS MegaCam, sold as a $220 baby monitor. The device was activated on the Internet by a resident of Glendale, Calif., who uses Charter Communications as an ISP.
Malicious software embedded on the webcam's Linux operating system causes a live cam view of the homeowner's living room to appear in the browser of anyone who clicks to the webcam's IP address. During Stiansen's demo, a woman and then a man enter the room and sit on a couch.
The bad guy who embedded the malware on the baby monitor probably doesn't care much about snooping; the webcam's computing power , instead, is being used to locate similar devices and help the attacker to control as many as 2,000 ABS MegaCams.
"This is happening at a large scale, and it's growing hugely every day," Stiansen says.
"This is very powerful stuff, and the scariest part is this is only the tip of the iceberg."
Norse notifies proper entities about problems. However, sheer numbers of issues make it impossible to notify everyone, Glines says.
The Internet of Things has proved trivial to hack as the U.S. tech industry puts new consumer technologies on a fast track to store shelves, sometimes with meager quality control or accounting for security and privacy.
That trait is coming to the fore as the tech giants race to profit from the rising popularity of mobile devices and Internet-delivered services.
Meanwhile, the cyberunderground continues to mature into a smooth-running global industry that's quick to pounce on fresh opportunities.
© 2013 USA TODAY under contract with YellowBrix. All rights reserved.