Ahh DEF CON! One group of hackers shows off how they’ve broken into all sorts of cool devices and other hackers (ahem… “security professionals”) lament the fact that the first group were able to do so. For every joyous “we rooted the Nest thermostat, now we can have fun” there’s a doom-mongering “the security of network-connected IoT devices is totally broken!”.
And like Dr. Jekyll and Mr. Hyde, these two sides of the hacker persona can coexist within the same individual. At Hackaday, we’re totally
paranoid security conscious, but we also like to tinker with stuff. We believe that openness and security are best friends forever. If you can open it, you can see if it’s well-made inside, at least in principle. How do we reconcile this with the security professional’s demand for devices that only accept signed binary firmware updates so that they can’t be tampered with?
We’ve got no answers, but we’ve got plenty of questions. Read on, and let us know what you think.
On Hackability vs. Security
How many home-automation hackers have gotten their start by “reversing” the simple radio protocol that those el-cheapo 432 MHz sockets use? We’ve seen our fair share of projects. (And an Arduino library.) Why? Because they’re cheap and because it’s easy. They’ve got five bits for the channel ID, everything else is straightforward, and you can use any one-dollar 432 MHz transmitter to get the job done. It’s like the RF garage-door openers of old, only simpler. For the tinkerer in us, these RF power sockets are a godsend.
But from a security perspective, they’re a disaster. Of course, the sockets could be equipped with a much more complicated unique ID to increase security. But that raises the barrier to DIY hacking with the device (not that it would stop anyone) and still doesn’t protect you against replay attacks anyway. Totally insecure!
Now the risk of abuse of these RF-controlled power sockets is pretty small. Unlike the garage door example, nobody is breaking into your house by turning your hallway lights on and off. Even if they were, they’d have to get fairly close to your house to do so. If you’ve got someone willing to camp outside your house with RF gear, you’ve got trouble already. So perhaps the balance between hackability and security is ok for these devices?
Enter the IoT
This changes when one brings the Internet to the Things. Exposing yourself not just to your neighbors, but to the whole world, dramatically enlarges the attack surface. Not like we need to be told this. But for some device manufacturers, it was a shocking realization, and they’re responding by locking everything down, and we get sold this story that it’s to protect the consumer from the hacker. IoThings must be secured! You don’t want strangers screaming at your baby, right? (Hint: change the default password.)
But what happens when the hacker and the consumer are the same person? We all know that there’s an embedded Linux distribution inside the Sony BDP-S5100 Blu-Ray player, and we all want at it, but Sony won’t let us play with it because they also want to prevent hackers from getting at it. (Not that it stops anyone.) It’s supposedly made more secure by not being modifiable.
We think not. And a decent consumer counterexample is the Nexus series of smartphones. With a few clicks you can unlock the bootloader and load up a custom OS on the device. Because the bootloader normally requires physical access, this isn’t particularly a security problem. Because you can flash whatever the heck you want in there, the phone is vastly modifiable. Want root? Get root. The Sony Blu-Ray player could be the same.
It’s all about how you give control to the consumer to modify their own device, and there are more or less secure ways to do so. Then why do we see so many devices simply locked down, with no allowances for modifiability? Are the manufacturers just lazy? Or are hackers just too small a market to matter?
Hardware with a “Service”
We fear that there’s something yet more sinister afoot: the razor-blade pricing model. You get the razor for free, but you’ve got to buy corresponding blades at a markup. Or you buy the inkjet printer cheap, but pay ridiculous sums for ink cartridges (Corey Doctorow touched on this in his DEF CON talk). Or you buy the Kodak Brownie camera for $1 in 1900, and make the Eastman Kodak film company dominant for nearly a century.
Now there’s nothing wrong with this pricing model as long as the consumer knows what they’re getting into ahead of time. But suppose you’re a hacker and you’d like to do something out of the ordinary?
Take the Wink Hub, which was busted at last year’s Defcon. It’s a great home-automation device, and at $50 it’s cheap for what it does. But you have to use their app, run through their online service, to control the electronics in your own home. Want to connect to the Wink from your computer? Sorry. Your tablet? Nope. Run your own server? Dream on.
And why? We don’t think that it’s because of security, here. Instead, it’s that whatever data they’re harvesting from you is worth cash money, and they’ve got a vested interest in keeping you from hacking that away from them. And you can’t really blame them — their business model relies on the revenue stream. They can’t give away the razors if they can’t make up their money on the blades.
But as an unfortunate byproduct of this business model, if you want to integrate your Wink into your OpenHAB system, you’ve got to break your way into the device. Which means that you’re always going to be fighting with the manufacturer, and that’s a shame.
We hackers are Jekyll and Hyde; we insist on devices being open(able) and secure. And what’s worse, we’d like them cheap. It’s not clear we can have all of these things at once, and maybe it’s important to think about the tradeoffs. One man’s insecure firmware is another’s extensible and debuggable firmware, and what “security” even means may depend on whether you’re asking the consumer or the device manufacturer.
What’s your take on IoT security? Can one have too much security? Are security and hackability in conflict or are they mutual prerequisites? Do you have better examples? Can we hope for inexpensive, modifiable, and secure gear? Or do we just gotta keep hacking?