As more and more businesses and consumers adopt the connected devices that make up the so-called Internet of Things (IoT), it raises the question: what security risks are those users also adopting? A wide range of security research, much of which has made its way to mainstream media, has demonstrated some pretty serious IoT security flaws in a number of different device types. However, those findings have felt disjointed: are these flaws coincidentally similar, and limited to the particular device or manufacturer studied? Or is there a larger issue at play?
At Independent Security Evaluators, we had the hypothesis that these IoT security flaws in connected devices might plague the entire IoT industry, not just the few manufacturers who had been studied to date. So in order to prove (or disprove!) that hypothesis, we organized a hacking event known as IoT Village.
IoT Village debuted at the esteemed security conference DEF CON from August 7-9, 2015. Over the course of the event, we had researchers from a wide range of security organizations present their work on various aspects of the IoT security flaw problem. In conjunction with these talks, we also had security researchers teaching hands-on workshops about how to break devices and how to harden them. Finally, we had a hacking contest, where we bought a range of devices and encouraged attendees to hack them together.
Upon conclusion of IoT Village, we had unequivocally proven that IoT security flaws in connected devices are pervasive. Here is a snapshot of some of the metrics to support that finding:
66: 0-day vulnerabilities discovered/presented overall
14: 0-day vulnerabilities discovered/presented in the contest
27: Unique devices
18: Different manufacturers
IoT Village proved that security issues are pervasive across connected devices; the event served as a platform that produced 66 previously undiscovered security vulnerabilities across a wide array of manufacturers and distinct device types. Fourteen of those vulnerabilities were discovered on-site during the hacking contest that occurred during the few days of the event. In so doing, IoT Village highlighted the fact that security is an industry issue for manufacturers of connected devices, as these issues are not limited to any particular manufacturer or device type. Furthermore, many violations of the underlying secure design principles were repeated across devices and manufacturers. This suggests that building security into connected devices is not yet seen as a business-critical mandate in most cases. As connected devices continue to be rapidly adopted, it is imperative that manufacturers better build security in and, through security assessment, better validate that those security measures are effective.
IoT security flaws: Examples
SmartThings Motion Sensor: An attacker could exploit a vulnerability in such a way as to interfere with the device’s ability to monitor motion. This would be very useful for a property thief or violent criminal, who could run the attack from outside the physical premises, break in to steal items or attack a tenant, and then leave the premises. After leaving the premises, the adversary would stop the attack against the device, returning it to normal operation. The motion sensor would not have triggered, and thus the adversary could circumvent the entire purpose of the device. (Credit: Wes Wineberg, Synack).
iSpy Tank: Adversaries could exploit vulnerabilities that enable them to take over control of the wheels and the video capture. Effectively, an adversary would be able to obtain a remote-controlled, powered spying machine. This is especially concerning because this toy is intended for children, so anyone victimized by this attack would most likely have exposed their children as well. (Credit: Ken Munro, PenTest Partners).
Parrot Drone: Using a single command, the attacker can make the drone drop out of the sky. As drones are being deployed for an ever-widening array of purposes, so too do the implications of this attack broaden. (Credit: Ryan Satterfield, Planet Zuda).
IoT Village is scheduled to run in future iterations at other upcoming conferences throughout the year. If you are a researcher in this space, manufacturer of connected devices, or in the business of deploying connected devices, we encourage you to get involved. Together we can make meaningful change to resolve this problem.