Black Hat: Hacking the Internet of Things for Fun and Profit
August 8, 2014
- Vulnerabilities abound in the wide range of elements that make up the ‘Internet of Things’ (IoT), and developers do not have the security skills necessary to code their IoT creations more securely.
- What’s needed are security standards to help developers create more secure IoT systems and a re-evaluation of the languages they are using to develop them.
Security researchers of all stripes made their pilgrimage to Las Vegas this week for the annual Black Hat/DefCon conferences, and the biggest theme to emerge from presentations was the insecurity of the Internet of Things (IoT). Vulnerabilities were uncovered in a range of devices, including home alarm systems, smart cards, Internet-enabled automobiles, virtual desktops, smart hotel networking, control code on mobile providers’ cellular devices and, of course, POS devices.
Such vulnerabilities should not come as a surprise, given the results of a study published last week by HP. In it, HP researchers claimed that 70% of the most common IoT devices had vulnerabilities, ranging from weak passwords to the Heartbleed bug. In the study, HP researchers analyzed ten different devices, which included home thermostats, sprinkler controls, TVs, webcams, remote power outlets, automatic door locks and more. They found the majority did not use encryption to communicate control information, and many did a poor job of protecting user credentials. In addition, as if Google Glass needed another reason for people to hate it, a team of researchers found a way to use Glass to record users entering passwords into touchscreens and analyze their finger movement to steal the passwords – from up to three meters away and with 90% accuracy. (Shudder.)
Because a multitude of technologies stack up to deliver the Internet of Things, including hardware, operating systems, applications, protocols and networks, the attack surface is quite large. At the same time, there is no monitoring or control of the entire system. Of course, the security industry knows how to manage identities and how to develop code securely, but it is not the security industry that is developing these new IoT capabilities. Moreover, the low-level languages, such as C and C++, that developers are using to create IoT devices and their telematics do not make it easy to code securely, because developers have to manage system resources manually.
So, what can be done to better secure the IoT? A couple of suggestions came out of the conference, along with a range of quick-fix tools. The researcher who discovered he could take over a hotel’s room automation system, which used an iPad app called ‘Digital Butler’ to control lights, TV and other amenities, had a good suggestion: that newly formed Internet of Things groups such as the AllSeen Alliance or the Open Interconnect Consortium develop open security standards and involve security experts in that process. Regardless of who takes charge, we really believe this is a problem that should be addressed by the industry sooner rather than later, before it becomes a problem too big to handle.