IoT Security is Hard: Here’s What You Need to Know

Security for anything you connect to the internet is important. Think of these devices as doorways. They either allow access to services or provides services for someone else. Doorways need to be secure — you wouldn’t leave your door unlocked if you lived in the bad part of a busy city, would you? Every internet connection is the bad part of a busy city. The thing is, building hardware that is connected to the internet is the new hotness these days. So let’s walk through the basics you need to know to start thinking security with your projects.

If you have ever run a server and checked your logs you have probably noticed that there is a lot of automated traffic trying to gain access to your server on a nearly constant basis. An insecure device on a network doesn’t just compromise itself, it presents a risk to all other networked devices too.

The easiest way to secure a device is to turn it off, but lets presume you want it on. There are many things you can do to protect your IoT device. It may seem daunting to begin with but as you start becoming more security conscious things begin to click together a bit like a jigsaw and it becomes a lot easier.

Continue reading “IoT Security is Hard: Here’s What You Need to Know”

Half Baked IoT Stove Could Be Used As A Remote Controlled Arson Device

[Pen Test Partners] have found some really scary vulnerabilities in AGA range cookers. They are connected by SMS by which a mobile app sends an unauthenticated SMS to the AGA to give it commands for instance preheat the oven, You can also just tell your AGA to turn everything on at once.

The problem is with the web interface; it allows an attacker to check if a user’s cell phone is already registered, allowing for a slow but effective enumeration attack. Once the attacker finds a registered device, all they need to do is send an SMS, as messages are not authenticated by the cooker, neither is the SIM card set up to send the messages validated when registered.

This is quite disturbing, What if someone left a tea towel on the hob or some other flammable material before leaving for work, only to come back to a pile of ashes?  This is a six-gazillion BTU stove and oven, after all. It just seems the more connected we are in this digital age the more we end up vulnerable to attacks, companies seem too busy trying to push their products out the door to do simple security checks.

Before disclosing the vulnerability, [Pen Test Partners] tried to contact AGA through Twitter and ended up being blocked. They phoned around trying to get in contact with someone who even knew what IoT or security meant. This took some time but finally they managed to get through to someone from the technical support. Hopefully AGA will roll out some updates soon. The company’s reluctance to do something about this security issue does highlight how sometimes disclosure may not be enough.

[Via Pen Test Partners]

Remotely Get Root On Most Smart TVs With Radio Signals

[Rafael Scheel] a security consultant has found that hacking smart TVs takes nothing much more than an inexpensive DVB-T transmitter, The transmitter has to be in range of the target TV and some malicious signals. The hack works by exploiting hybrid broadcast broadband TV signals and widely known about bugs in web browsers commonly run on smart TVs, which seem run in the background almost all the time.

Scheel was commissioned by Cyber security company Oneconsult, to create the exploit which once deployed, gave full root privileges enabling the attacker to setup and SSH into the TV taking complete control of the device from anywhere in the world. Once exploited the rogue code is even unaffected by device reboots and factory resets.

Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways, Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone. – Rafael Scheel

Smart TV’s seem to be suffering from  IoT security problems. Turning your TV into an all-seeing, all-hearing surveillance device reporting back to it’s master is straight out of 1984.

A video of a talk about the exploit along with all the details is embedded below.
Continue reading “Remotely Get Root On Most Smart TVs With Radio Signals”

California Looks to Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minium level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there a really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred and hijacking of webcams and such are commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

2017: The Year of the Dishwasher Security Patch

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a webserver. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.