As expected, IoT devices are filled with vulnerabilities:
As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord.
In any event, Hron said the ransom attack is just the beginning of what an attacker could do. With more work, he believes, an attacker could program a coffee maker — and possibly other appliances made by Smarter — to attack the router, computers, or other devices connected to the same network. And the attacker could probably do it with no overt sign anything was amiss.
Posted on September 29, 2020 at 6:16 AM •
Yet another Internet-connected door lock is insecure:
Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec’s $139.99 UltraLoq is marketed as a “secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code.”
Users can share temporary codes and ‘Ekeys’ to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device’s MAC address can help themselves to an access key, too.
UltraLoq eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they’re doing.
EDITED TO ADD (8/12): More.
Posted on August 10, 2020 at 6:23 AM •
Interesting research on home security cameras with cloud storage. Basically, attackers can learn very basic information about what’s going on in front of the camera, and infer when there is someone home.
Posted on July 9, 2020 at 6:16 AM •
It is amazing that this sort of thing can still happen:
…the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
Telnet? Default passwords? In 2020?
We have a long way to go to secure the IoT.
EDITED TO ADD (7/14): Apologies, but I previously blogged this story in January.
Posted on July 8, 2020 at 6:41 AM •
The BSA — also known as the Software Alliance, formerly the Business Software Alliance (which explains the acronym) — is an industry lobbying group. They just published “Policy Principles for Building a Secure and Trustworthy Internet of Things.”
They call for:
- Distinguishing between consumer and industrial IoT.
- Offering incentives for integrating security.
- Harmonizing national and international policies.
- Establishing regularly updated baseline security requirements
As with pretty much everything else, you can assume that if an industry lobbying group is in favor of it, then it doesn’t go far enough.
And if you need more security and privacy principles for the IoT, here’s a list of over twenty.
Posted on July 7, 2020 at 6:38 AM •
Together with Nate Kim (former student) and Trey Herr (Atlantic Council Cyber Statecraft Initiative), I have written a paper on IoT supply chain security. The basic problem we try to solve is: How do you enforce IoT security regulations when most of the stuff is made in other countries? And our solution is: enforce the regulations on the domestic company that’s selling the stuff to consumers. There’s a lot of detail between here and there, though, and it’s all in the paper.
We also wrote a Lawfare post:
…we propose to leverage these supply chains as part of the solution. Selling to U.S. consumers generally requires that IoT manufacturers sell through a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or Amazon. The Federal Trade Commission can apply regulatory pressure to this distributor to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. That would put pressure on manufacturers to make sure their products are compliant with the standards set out in this security framework, including pressuring their component vendors and original device manufacturers to make sure they supply parts that meet the recognized security framework.
Posted on July 1, 2020 at 9:31 AM •
New research: “Best Practices for IoT Security: What Does That Even Mean?” by Christopher Bellman and Paul C. van Oorschot:
Abstract: Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) “best practice” means, independent of meaningfully identifying specific individual practices. Confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. How do best practices, good practices, and standard practices differ? Or guidelines, recommendations, and requirements? Can something be a best practice if it is not actionable? We consider categories of best practices, and how they apply over the lifecycle of IoT devices. For concreteness in our discussion, we analyze and categorize a set of 1014 IoT security best practices, recommendations, and guidelines from industrial, government, and academic sources. As one example result, we find that about 70\% of these practices or guidelines relate to early IoT device lifecycle stages, highlighting the critical position of manufacturers in addressing the security issues in question. We hope that our work provides a basis for the community to build on in order to better understand best practices, identify and reach consensus on specific practices, and then find ways to motivate relevant stakeholders to follow them.
Back in 2017, I catalogued nineteen security and privacy guideline documents for the Internet of Things. Our problem right now isn’t that we don’t know how to secure these devices, it’s that there is no economic or regulatory incentive to do so.
Posted on June 25, 2020 at 7:09 AM •
Used Tesla components, sold on eBay, still contain personal information, even after a factory reset.
This is a decades-old problem. It’s a problem with used hard drives. It’s a problem with used photocopiers and printers. It will be a problem with IoT devices. It’ll be a problem with everything, until we decide that data deletion is a priority.
EDITED TO ADD (6/20): These computes were not factory reset. Apparently, he data was intentionally left on the computer so that the technicians could transfer it when upgrading the computer. It’s still bad, but a factory reset does work.
Posted on May 8, 2020 at 9:46 AM •
This law journal article discusses the role of class-action litigation to secure the Internet of Things.
Basically, the article postulates that (1) market realities will produce insecure IoT devices, and (2) political failures will leave that industry unregulated. Result: insecure IoT. It proposes proactive class action litigation against manufacturers of unsafe and unsecured IoT devices before those devices cause unnecessary injury or death. It’s a lot to read, but it’s an interesting take on how to secure this otherwise disastrously insecure world.
And it was inspired by my book, Click Here to Kill Everybody.
EDITED TO ADD (3/13): Consumer Reports recently explored how prevalent arbitration (vs. lawsuits) has become in the USA.
Posted on February 27, 2020 at 6:03 AM •
There’s a Kickstarter for an actual candle, with real fire, that you can control over the Internet.
What could possibly go wrong?
Posted on February 20, 2020 at 2:23 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.