
IoT Village DEFCON 24 results: Connected devices still vulnerable

We like to hack stuff. So much so, that we organize events to galvanize the security research community to hack stuff right alongside us. Stretching back to 2013, when we published a piece of security research showing that all of the 13 most popular routers were vulnerable to remote attack, local attack or both, we’ve organized well over a dozen hacking events all over the United States. The purpose of these events is to shine spotlights on areas that may need security improvement, and organize a volunteer army of some of the brightest minds in the security industry to collaborate on addressing these many, often complex, security challenges.

Two such events we organize are IoT Village and SOHOpelessly Broken. IoT Village is a community of security research featuring talks, workshops, hacking contests and press events. SOHOpelessly Broken is a hacking contest that started as the first-ever router hacking contest at the esteemed security conference DEFCON and has since expanded its scope to include all connected devices.

One of the many great benefits of organizing hacking events is that we get a first-hand glimpse into themes across some of the most salient security issues of our time. One such issue pertains to the security considerations introduced by connected devices. During DEFCON 24, held in Las Vegas on August 4-7, 2016, we hosted both of these events, which produced some fairly eye-opening results, including a new wave of security findings: 47 new zero-day vulnerabilities across 23 different device types and 21 different manufacturers.

Abstracting from those success metrics, we observed several pronounced themes:

  1. Fundamental issues persist. During its inaugural run last year at DEFCON 23, IoT Village uncovered 66 new zero-day vulnerabilities across 27 device types and 18 different manufacturers. Many of those vulnerabilities were design-level violations of well-(mis)understood security principles, leading to issues with privilege escalation, remote code execution, backdoors, services running as root, lack of encryption, key exposure and many more. Fast forward to this year and many of the same basic design flaws persisted, including use of plaintext passwords, buffer overflows, command injection flaws, hardcoded passwords, session management flaws and many more. These were all found on a new crop of devices beyond those investigated last year, suggesting that the issue not only continues to be systemic, but is expanding in scope as IoT adoption accelerates.
  2. The scope of IoT is expanding. Last year, research focused heavily on the smart home. This continued to be an area of importance this year; however, we also saw similar issues across connected transportation and even the energy grid. One harrowing example came from a security researcher who showed how an attacker could shut down the equivalent of a small- to mid-sized power generation facility through a flaw in solar panels manufactured by Tigo Energy.
  3. Interest in IoT security is increasing. IoT Village doubled its overall floor space, and yet was still standing-room-only for all of the talks. The CTF track of the hacking contests grew from 11 competing teams to 51 competing teams. DEFCON awarded a coveted “black badge” to the contest winners, which is an exclusive designation given out only on extremely rare occasions, and is DEFCON’s version of the Hall of Fame.
  4. Manufacturers are starting to get more proactive. This year, two different manufacturers (Fitbit and Canary) got involved with IoT Village, donating devices for researchers to investigate. Both Fitbit and Canary hoped to engage the community in helping make their products more resilient against attack. Another manufacturer (Trane) created a new vulnerability disclosure process across its enterprise as the result of research into one of its thermostat products. Trane is trying to make it easier for researchers to report security flaws, so issues can be remediated more quickly.
  5. The government is starting to take notice. Top executives from both the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) delivered speeches on the IoT Village stage. Rear Admiral (ret.) David Simpson, the bureau chief of the FCC, spoke to a packed audience about how security research in general — and events like IoT Village in particular — are doing a good job of “making things harder” for malicious hackers. Terrell McSweeny, commissioner of the FTC, spoke about the law enforcement actions that her organization is pursuing related to IoT.

It is our hope that by fostering a community of research, we can be a catalyst for change in ways that benefit consumers, business and entire industries. If you are a security researcher, a device manufacturer, a member of the law enforcement community or anyone else with even a passing interest in addressing these challenges, please contact us to get involved.

Happy hunting!
