Touch interface on smart kitchen appliance

Smart Homes May Hide Crypto Mining Schemes

Loosely attended smart home appliances may be platforms for cryptocurrency mining scams, a researcher with the firm IOActive warns.

Is your smart refrigerator or connected dishwasher secretly mining Monero or Bitcoin on the sly? It’s a possibility that experts at the firm IOActive say homeowners, regulators and device makers need to be prepared for.

Writing on the company’s blog on Wednesday, Neil Haskins, IOActive’s Director of Advisory Services, warns that embedded systems like those in Internet of Things endpoints could be co-opted by crypto mining malware without their owners being the wiser.

“It’s easy enough to notice if your laptop is being overused – the device slows down, the battery runs down quickly. How can you tell if your fridge or toaster are compromised? With your smart home now interconnected, what happens if the cyber bad guys operate there?”

Crypto mining operations that use lightweight, malicious code to hijack web browsers for mining cryptocurrencies have become a focus of cyber criminal groups as the value of Bitcoin and other cryptocurrencies has skyrocketed in recent months. The firm Tripwire reported this week that a single Monero cryptocurrency mining operation has used malware delivery techniques to affect at least 15 million people worldwide since October.

So-called “cryptojacking” scams can lurk on any web page. But on traditional IT endpoints like laptops or desktops, they’re easier to spot, as the mining activity typically consumes processing resources in ways that slow the performance of the system, trigger cooling fans and produce other side effects that attract the user’s attention.

Infected? Who can tell?

Many embedded devices, including smart phones, lack the fans or process monitoring features that would alert a user, however. In this Security Ledger podcast interview, for example, Dan Cuddeford of the firm Wandera warned about cryptojacking schemes that targeted mobile devices.

IoT endpoints could make attractive targets to hackers interested in crypto mining scams: they are always connected to a power supply, sport Internet access and often have powerful CPUs. Utilization of, say, a connected toaster, is tiny: it is operated for only a few minutes each day – or not at all, depending on the owner’s appetite.

Because users interact with these kinds of connected devices only sporadically, they make ideal hosts for mining operations, which can occupy their free cycles minting bitcoin for distant cyber criminal syndicates.

Smart phone to smart homes an infection risk

Haskins theorizes that cybercriminal groups could introduce mining malware to a smart home through a compromised mobile phone. Users might not notice it until they received an electric bill showing a huge spike in electricity use as a result of the mining – if then.

There are few easy answers for consumers worried about the risk of compromised smart home devices being misappropriated for bitcoin mining, spamming, denial of service attacks or hosting illicit images. The easiest solution is simply to not buy “smart” and Internet connected appliances, though consumers may find that unpalatable.

Users concerned specifically about bitcoin mining could use tools that monitor power consumption in their home (though those devices, also, may be vulnerable to manipulation). In the short term the best offense is good defense: keeping mobile phones, laptops, desktops and other systems connected to home networks free of viruses and malware that may provide an entry point for malicious actors.
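The power-monitoring idea above can be turned into a simple check, shown here as an added example that is not from the article or from IOActive: an appliance that is used for only a few minutes a day should never sit above its idle draw for hours. It assumes one wattage reading per minute from a plug-level power meter; all wattage values and thresholds are constructed for illustration.

```python
from statistics import median

def sustained_load_runs(watts, max_normal_minutes=15, margin=1.5, idle_watts=None):
    """Return (start_minute, length) for every run of above-idle draw that
    lasts longer than any normal use of the appliance.

    watts: one reading per minute (assumed format of the meter log).
    idle_watts: known-good idle draw. If omitted, the median of the log is
    used, which only works while the device idles for most of the log.
    """
    idle = median(watts) if idle_watts is None else idle_watts
    threshold = idle * margin
    runs, start = [], None
    # A trailing 0.0 sentinel closes a run that is still open at the end.
    for minute, w in enumerate(list(watts) + [0.0]):
        if w > threshold and start is None:
            start = minute
        elif w <= threshold and start is not None:
            length = minute - start
            if length > max_normal_minutes:
                runs.append((start, length))
            start = None
    return runs

def constructed_day():
    """Constructed sample: 24 hours of readings from a connected toaster."""
    watts = [2.0] * 1440               # idle electronics
    watts[420:424] = [900.0] * 4       # breakfast: four minutes of heating
    watts[600:900] = [6.5] * 300       # anomaly: small extra draw for 5 hours
    return watts

if __name__ == "__main__":
    for start, length in sustained_load_runs(constructed_day()):
        print(f"above idle for {length} min starting at minute {start}")
```

A device that has been busy for the whole log shifts the median and hides itself, so record `idle_watts` while the device is known to be clean and pass it explicitly.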

One Comment

  1. Hi Paul, this is a very good piece.
    I picked up however that you wrote Moreno instead of “Monero” at the beginning of the article.
    I’m not expecting this comment to be published.