One resounding – but unsurprising – message from this year’s DEF CON conference in Las Vegas, Nevada was the increase in hacks against IoT devices.
The lineup of hacked IoT devices was extensive. Many sessions focused on individual hacks of consumer devices such as media players, IP cameras, cars, and home automation systems. Others focused on industry-specific hardware such as traffic control systems, mesh camera networks, medical devices, and Industrial Control Systems (ICS)/SCADA. Still others covered how to enumerate these devices and the implications of the data they collect.
One very popular session – Hack All the Things: 20 Devices in 45 Minutes – ended up outdoing itself by covering 22 consumer-oriented devices within its allotted time. The researchers – made famous by the Google TV Hack – reiterated the value of a hands-on approach: physically cracking open the case and tapping into the data signal interfaces on the device's circuit board, at the points where the key data flows occur.
One very common example of these data signal interfaces is the UART – Universal Asynchronous Receiver/Transmitter – an interface provided on the circuit board that allows manufacturers and service technicians to develop, prototype, test and even service these devices.
Many device manufacturers don’t understand the security implications of exposing and labeling the data interfaces on their finished system boards. These can be useful if the devices have to be serviced in the future, but sometimes they’re still left on devices that are not meant to be repaired at all. Leaving the labels intact significantly cuts down the time taken for a hacker to reverse-engineer the device.
This hands-on approach, while requiring physical access to the device and a fair amount of hardware knowledge, can yield an extensive amount of information about the device's attack surface. This includes critical information like passwords, keys, firmware images, privilege levels, as well as operating system and component versions (and their resultant vulnerabilities).
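To make the manufacturer-side point concrete, here is an added example; it is not code from the talk, the presenters, or any vendor. It audits the files of an extracted Linux-based firmware root filesystem for exactly the build-time leftovers a hands-on researcher reaches first through a UART: a login prompt spawned on a serial port in /etc/inittab, a kernel console on the boot command line, and accounts in /etc/shadow that still have a usable or empty password. The BusyBox-style inittab, cmdline and shadow contents are constructed samples, and the function names and the serial port name patterns are this example's own assumptions.

```python
"""Pre-release hardening check for a Linux-based IoT firmware root filesystem.

Added, illustrative checker (not the talk's or any vendor's code). It works on
the *contents* of three files so it runs offline on the constructed sample at
the bottom; read the same files from an extracted rootfs to use it for real.
"""
import re

# Serial port device names commonly used as debug consoles (assumed list).
_PORT = r"(tty(?:S|AMA|USB|mxc|O)\d+)"
# Any *getty (getty, agetty, mgetty, mingetty) started on a serial port.
_GETTY_RE = re.compile(r"\b\w*getty\b.*?\b" + _PORT + r"\b")
# Kernel console redirected to a serial port via bootargs.
_CONSOLE_RE = re.compile(r"\bconsole=" + _PORT)


def serial_logins(inittab: str) -> list:
    """Return serial ports on which /etc/inittab spawns a login prompt."""
    ports = []
    for line in inittab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip comments and blank lines
        m = _GETTY_RE.search(line)
        if m:
            ports.append(m.group(1))
    return ports


def kernel_console(cmdline: str):
    """Return the serial port named by console= on the kernel command line, or None."""
    m = _CONSOLE_RE.search(cmdline)
    return m.group(1) if m else None


def unlocked_accounts(shadow: str) -> list:
    """Return (user, reason) for /etc/shadow entries that can still log in.

    A password field of '*' or one starting with '!' is locked; an empty field
    means no password at all; anything else is a usable password hash.
    """
    findings = []
    for line in shadow.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, pw = parts[0], parts[1]
        if pw == "":
            findings.append((user, "empty password"))
        elif not pw.startswith(("!", "*")):
            findings.append((user, "password hash present"))
    return findings


def audit(inittab: str, cmdline: str, shadow: str) -> list:
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for port in serial_logins(inittab):
        findings.append(f"login prompt on serial port {port} (inittab)")
    port = kernel_console(cmdline)
    if port:
        findings.append(f"kernel console on {port} (bootargs)")
    for user, why in unlocked_accounts(shadow):
        findings.append(f"account '{user}': {why} (shadow)")
    return findings


# Constructed sample of a typical BusyBox-style firmware; not from any real device.
SAMPLE_INITTAB = """\
# /etc/inittab
::sysinit:/etc/init.d/rcS
ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
::ctrlaltdel:/sbin/reboot
"""
SAMPLE_CMDLINE = "console=ttyS0,115200 root=/dev/mtdblock2 rootfstype=squashfs"
SAMPLE_SHADOW = """\
root:$1$XXXXXXXX$YYYYYYYYYYYYYYYYYYYYYY:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
admin::17000:0:99999:7:::
nobody:!:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INITTAB, SAMPLE_CMDLINE, SAMPLE_SHADOW):
        print("FINDING:", finding)
```

On the sample, the audit reports a getty and a kernel console on ttyS0 plus a root account with a usable password hash and an admin account with no password: together, exactly the combination that turns a labelled UART header into an instant root shell. A production build should remove the serial getty line, drop `console=` from the bootargs (or point it at a null console), and lock every account that does not need interactive login.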
An attacker can use the information gleaned from this process to enable remote and local attacks on users with the same vulnerable device installed. Depending on the information gathered, similar devices from the same manufacturer – or even other manufacturers – may also be affected if they share components and services.
From a manufacturer's perspective, a high-profile vulnerability or hack of their device would provide plenty of motivation to get key security issues addressed. Unfortunately, many of the vendors of these devices are relatively small, and may not have sufficient resources to correct these issues in the best possible way.
Thankfully, several of the presenters made note of the fact that they, along with other groups in the industry, are already reaching out to the device vendors. Groups like BuildItSecure.ly have been formed to help facilitate this important cooperation, and we believe that this healthy engagement between security researchers and manufacturers is key to ensuring the continued improvement of security in IoT devices.
Check out our Internet of Everything buyer's guide titled What to Consider When Buying a Smart Device. It discusses the things you need to know, from a security perspective, before buying smart devices. Doing your homework on these devices before buying them will save you grief down the road.