The Internet of Things at AppSecEu

I’ve Seen The Future Of The Internet Of Things And It Terrifies Me


The term IoT, short for the Internet of Things, describes taking an ordinary, mundane device and connecting it to the Internet. If you’ve been following our blog, you’ll know that I’m quite fond of firmware reversing and doing bad things to embedded devices. As such, for Mandalorian the Internet of Things is like a giant, endless hackers’ playground. Security vendors left, right and centre have been hacking these devices for the last year or two. Can I tell you a secret the others won’t?

Every IoT device we’ve ever looked at has been compromised in under 2 hours, with the easiest being under 30 seconds.

It’s worryingly easy to hack the Internet of Things because the combination of low-powered embedded devices, cloud platforms and big data make for the perfect storm. Contrary to what many vendors may say, hacking the Internet of Things doesn’t require skill. Anyone can do it.

At the Securi-Tay conference I bought a Pebble Steel smartwatch. It’s a wonderful programmable device that you wear on your wrist, using sensors and software to connect to services via your watch. Its fairly (but not fully) open and well-documented design meant that I started hacking it while in Singapore last week, during downtime from jetlag (there’ll be more to come about that at a later date), but from an initial look in the Pebble app store there’s a worryingly large number of apps that use unencrypted HTTP to communicate with the outside world.
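One quick way to put a number on that observation is to scan the JavaScript side of each app for the URLs it talks to and separate plaintext http:// endpoints from https:// ones. The script below is an added example, not code from the original post or from Pebble; it assumes the common PebbleKit JS pattern of passing string-literal URLs to XMLHttpRequest.open(), so URLs assembled entirely at runtime would be missed, and the three app sources it scans are constructed samples rather than real store apps.

```python
"""Count PebbleKit JS apps that talk to the outside world over plaintext HTTP.

Added example for this post, not Pebble's own tooling. Assumption: app
network calls use string-literal URLs (the usual XMLHttpRequest pattern).
"""
import re
from typing import Dict, List

# Matches http:// or https:// URLs held in single- or double-quoted JS string
# literals. Stops at the closing quote, so concatenated query strings such as
# 'http://host/path?lat=' + lat still yield the static prefix.
URL_IN_LITERAL = re.compile(r"""['"](https?://[^'"\s]+)['"]""")

# Constructed sample app sources (hypothetical apps and hostnames).
CONSTRUCTED_APPS: Dict[str, str] = {
    "weather-face": """
        var xhr = new XMLHttpRequest();
        xhr.open('GET', 'http://api.example.com/weather?lat=' + lat + '&lon=' + lon, true);
        xhr.send();
    """,
    "fitness-tracker": """
        var req = new XMLHttpRequest();
        req.open("POST", "https://sync.example.org/v1/steps", true);
        req.setRequestHeader("Content-Type", "application/json");
        req.send(JSON.stringify({steps: steps}));
    """,
    "stock-ticker": """
        var quote = new XMLHttpRequest();
        quote.open("GET", "http://quotes.example.net/q?s=" + symbol, true);
        quote.send();
        var logo = 'https://cdn.example.net/logo.png';
    """,
}


def classify_urls(js_source: str) -> Dict[str, List[str]]:
    """Return the distinct literal URLs in js_source, split by scheme."""
    plaintext: List[str] = []
    encrypted: List[str] = []
    for url in URL_IN_LITERAL.findall(js_source):
        bucket = encrypted if url.startswith("https://") else plaintext
        if url not in bucket:
            bucket.append(url)
    return {"plaintext": plaintext, "encrypted": encrypted}


def scan_apps(apps: Dict[str, str]) -> List[dict]:
    """Produce one report entry per app, flagging any plaintext endpoint."""
    report = []
    for name, source in apps.items():
        found = classify_urls(source)
        report.append({
            "app": name,
            "plaintext": found["plaintext"],
            "encrypted": found["encrypted"],
            "sends_plaintext": bool(found["plaintext"]),
        })
    return report


def plaintext_share(report: List[dict]) -> float:
    """Fraction of scanned apps that talk to at least one plaintext endpoint."""
    if not report:
        return 0.0
    return sum(1 for entry in report if entry["sends_plaintext"]) / len(report)


if __name__ == "__main__":
    results = scan_apps(CONSTRUCTED_APPS)
    for entry in results:
        flag = "PLAINTEXT" if entry["sends_plaintext"] else "ok"
        print(f"{entry['app']:16s} {flag:9s} {entry['plaintext'] + entry['encrypted']}")
    print(f"{plaintext_share(results):.0%} of apps send something over plaintext HTTP")
```

Run over a directory of extracted app bundles, the same two functions give a store-wide figure rather than an impression from browsing; a hit here only tells you the transport is unencrypted, so the next step is to look at what each plaintext request actually carries (location, account tokens, health readings) before deciding how bad it is.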

A project we’re working on recently required us to buy an aerial drone. Of course, for us the ideal situation would involve gaining access to the drone’s flight software and modifying it for our purposes. It took less than 30 seconds to compromise the drone and gain a root shell on the device, using a technique allowing us to take over other drones in the sky and force them to drop to their deaths. We’re in talks with the manufacturer so I can’t really say more, but as above I’ll write more later.

A few weeks ago I bought a WeMo switch, a wall switch attached to the Internet. I haven’t tried hacking that yet, I’m not sure how my girlfriend would feel about it. I also bought a set of Philips hue lights which I’ve been told are off limits at home, at least for now.

All of these things and more constitute the Internet of Things, which is basically made up of the very same simple embedded devices that we’ve been utterly pwning at Mandalorian since time immemorial, just connected to the Internet. Again, every IoT device I’ve tried to hack has been hacked in under 2 hours, with the easiest being under 30 seconds.

The Idiocracy of The Internet of Things

The Internet of Things is being used to create devices that track your health, your insulin levels for diabetes pumps, your heart, pulse rate and blood pressure, control valves, manage your car and display pictures of the surface of mars in near real-time on your wrist. What could possibly go wrong?

IoT is generally funded by two sources of bad idea: investors, and the greater public via crowdfunding.


Believe it or not, Bluesmart has actually reached over 2 million dollars in funding pledges on IndieGogo. Of all the features on the bag, the only one worthwhile is the built-in scale, something that’s existed for years. There’s a brilliant blog dedicated to things that shouldn’t be “Internet of”, called We Put A Chip In It. Read it and weep.

The Economy of The Internet of Things

IoT devices appear to follow a common business model. South Park’s Cartman explained it in a way that I can’t even begin to compare to.


When there’s big money involved in the form of investment, inevitably poor choices are made. Instead of treating health data as highly sensitive, we see it being transferred to third parties while hospitals and doctors struggle to exchange basic information. In the near future, weak artificial intelligence models will alert you to possible illnesses based on your health data, but this data will also be sold elsewhere. To whom? To insurers? To advertisers? In the IoT future, when you start seeing targeted adverts for STD treatments, will it be too late for us to go back to a world where we had to physically visit a doctor to see what was wrong with us? There’s nothing like an itch you can’t scratch, and just as social media preys on people’s insecurities and sense of connectedness, the Internet of Things will play on our fears of sickness and death to keep us connected.

Securing the Internet of Things

In my keynote speech at OWASP’s AppSec EU this May, I’m going to talk about the Internet of Things and the problems we face as a security community. OWASP’s own Internet of Things Top 10 Project goes some of the way towards describing how vendors should secure IoT devices, but there are plenty of controversial elements in the list, and there’s plenty more that manufacturers, developers and senior management at IoT companies can do.

If you’re going to AppSecEU then come along and watch my keynote, or even better feel free to come and talk to me and we’ll grab a coffee or a beer. I’d love to hear your thoughts on the Internet of Things and how we can secure it.
