Hackers set their sights on the ‘internet of things’Posted: November 27, 2013
This article originally appeared in the Financial Times, November 27 2013
“Hacking the internet of things [IoT]” – in which items from cars to TVs and fridges are connected to the internet – “is something that is still very much in the exploratory phase,” says Daniel Cuthbert of Sensepost, the security company. “[However], if history is anything to go by, hackers targeting the internet of things will increasingly occur.” Yet developers are not addressing this issue, which means a hacker could infiltrate the physical realm of the individual, whether it’s by turning on and off light switches or altering the entire security system of a home.
Leading figures from all areas of the information sector met recently at the annual Black Hat conference in Las Vegas. At a meeting on the IoT, Sensepost presented its research on home automation systems, an industry that was worth $1.5bn in 2012, according to Ingersoll, the home security company. Such systems provide a centralised control and monitoring function for various features in the home, including heating, ventilation and air-conditioning (collectively known as HVAC), as well as lighting and physical security systems. The central control panel as well as other household devices, such as security sensors and alarm systems, are all connected to each other and to the internet. During the presentation at the Black Hat conference, Sensepost identified critical vulnerabilities and hacked into the system, unlocking a door in the process.
The hacking was the result of several months of research, and Mr Cuthbert stresses that it was “not something that your average Joe with a computer can do”. But the more that is learned about the technology involved with the IoT, he warns, the more people will be able to exploit the vulnerabilities.
“The easiest [IoT] device to hack is a system that controls door locks, heating, ventilation and air conditioning systems, garage doors, lights, alarm systems, cameras, and a number of other devices,” says Daniel Crowley, a security researcher at Trustwave. For him, one of “the most difficult devices to hack was a child’s toy”, and during his research, he found some home automation systems that were connected to the internet actually allowed “full control over devices without requiring any username or password. These systems can be used to control physical access to a building. An attack could have serious repercussions, depending on what’s attached.”
Smart TVs are particularly vulnerable, adds Josh Yavor, a senior security engineer at iSEC Partners. “It is important to note, however, that performing attacks such as retrieving audio and video from a compromised TV required a great deal more effort and skill than stealing usernames and passwords, so not all ‘hacks’ on the same device are of equal difficulty.”
On a more basic level, the camera and microphone on a mobile phone, according to Mr Ford, are very susceptible to hacking. “A malicious attacker could take over these features pretty easily, listening in to your conversations or taking photos without you knowing from your device.
“While this is a bit disconcerting for the average consumer, what about strangers listening in to conversations about executives, government officials, diplomats, or anyone with access to privileged information? Things can get sticky fast.”
His comments are echoed by Jay Radcliffe, a senior security analyst at InGuardians and a speaker at the Las Vegas conference. “Devices like cars and medical devices have barriers to access that cell phones and consumer electronics do not,” he warns. The current defences against hacking the IoT “are primitive and depend on very short range and knowledge of proprietary systems”, he adds.
Concrete answers are still hard to come by, but anecdotal evidence suggests that items connected to the internet are not very secure. In general, devices are being built without thorough security reviews, Trustwave’s Mr Crowley says.
“If IoT devices continue to be developed with poor security defences and we continue to use them, the threats and number of attacks will most likely increase. What needs to be taken the most seriously are the flaws that are most easily and widely exploitable, since those factors greatly lower the bar for attacks.”