Any discussion of the Internet of Things (IoT) and security usually devolves fairly quickly into hearty chuckles and jokes about "why would anyone want to hack my Internet-connected refrigerator?" As one group of researchers found out, a hack known as "man in the middle" on a Samsung Smart Refrigerator would allow an attacker to read your e-mail, maybe reset your password and then potentially steal your identity.
The smart fridge hack was demonstrated at the annual DefCon security conference in Las Vegas this August, at the IoT Village sessions hosted by Independent Security Evaluators (ISE). Ted Harrington, an executive partner with the Baltimore-based security company, wanted to host the event because he had a theory that the drip-drip of hacker stories understated the true scale of the problem.
"We wanted to confirm or undermine the hypothesis that security vulnerabilities in connected devices are systemic," Mr. Harrington says. "To see if the security problems exist across multiple devices, that there's no particular manufacturer who's bad."
After weeks of contacting the affected companies to give them time to update their systems, Mr. Harrington can now reveal the 60 so-called zero-day flaws (as in, never-before-reported issues) that the group found across 27 devices from 18 manufacturers, some of them technology giants or IoT leaders.
Just a few examples of what they found:
- A video baby monitor from Philips, the In.Sight B120/37, had backdoor credentials (likely left there by developers so they could troubleshoot) that let hackers view the live feed. A few other monitors also had backdoor access.
- A Bose SoundTouch wireless speaker system was breached and could be used to send out phishing attacks.
- A SmartThings motion sensor security system can be remotely turned off, allowing access to a room "secured" against intruders.
- The appropriately named I-Spy Tank allowed a remote attacker to hijack the toy tank, drive it around, and activate the on-board camera.
- The Samsung SmartCam security system (which markets itself as simple, smart, secure) can be blocked so the owner can't access it.
- Two separate digital door locks, from Yale and Smartlock, could be hijacked.
One of the hacks that gained a lot of attention during DefCon was a vulnerability in the popular Parrot AR quadcopter flying drone. "At the village, a guy approached me, he's got this drone, and he was very excited," says Sam Levin, a developer at ISE who worked the company's IoT event. "He had a laptop, he issued a command from a command prompt … it killed the drone in mid-flight." It dropped like a stone.
But despite discovering a remotely accessible hole in the flying drone's operating system, L.A.-based researcher Ryan Satterfield had little luck with his attempts to contact Parrot. And even though the company has since issued a patch, Mr. Satterfield is still doing research on other vulnerabilities he discovered.
"There are rules in place that the FAA can use against planes that are insecure, but they have yet to be applied to drones," he says. "I hope to see the FAA take the same stern fist that they have toward plane security and apply it to drone security so companies will have an incentive to make their products more secure."
Ultimately that's what Mr. Harrington wants: for the government and manufacturers to tighten up the way they build connected devices before we reach the point of no return on security. "By 2020, we're gonna have 50 billion connected devices, it's an astronomical number," he says, citing industry estimates. Right now consumers concerned with the risks of IoT can opt not to buy, but that may not be an option in the near future.
For example, even though researchers proved this past summer that they could remotely hijack Jeep and Dodge vehicles with built-in LTE cellular connections, the auto industry is steaming ahead with plans to introduce more cars with them. In September, GM chief executive officer Mary Barra bragged that the company she leads already has one million connected cars on the road in America, far outpacing rivals.
"I don't think we're that far away where you won't be able to buy a new car that doesn't have connectivity," Mr. Harrington warns.