Hacking Anything: Internet of Things Shows Need for Learning, New Security Priorities

By: Lee Rickwood

August 14, 2015

Cars on the highway. Baby monitors at home. Wearable fitness sensors and exercise trackers. Drones in the air. Even rifles equipped with computer operating software – yes, there are such things – are all vulnerable to hacking.

As long as there have been computers, networks and mobile gadgets, there have been hacks and hijacks and corresponding risks. Ashley Madison may get the attention, but anyone who is reshaping their view of online security because of that hack has, well, had their head under the covers for way too long.

As more and more new computing products and newly networked devices come to market, more and more hacking opportunities come with them. We have not heeded those calls from the early days of the Internet to be more proactive about security: today, notions about securing this increasingly connected world seem at the very least out of step with those who seek to commercially, if not criminally, exploit it.

Initiatives such as Cisco’s Internet of Things (IoT) Innovation Challenge help to accelerate the adoption of breakthrough technologies and products that contribute to the growth and evolution of the Internet of Things.

The Internet of Things is a great case in point – the ability to connect all sorts of things online promises great benefits and many advantages, and that has led to some 15 billion or so connected devices out there already – a number that could climb to 50 billion in just five years!

But as Ted Harrington, an executive partner at Independent Security Evaluators (ISE) puts it: “One of the things we’re constantly seeing is functionality absolutely being considered first, and security implications not being considered at all.”

There are plenty of examples.

Yes, drones and software-controlled aerial devices are selling well, but they’re easy to bring down, and of course there’s a tech paper available to show how an attacker can generate fake GPS signals to trick the drone’s GPS, and how to replace legitimate signals with fake ones so that the drone ends up “losing the ability to calculate its position”.

Connected cars are very popular, as well, yet they lead to reports like those recently documenting how two computer security researchers took over a moving vehicle, and were able to control its stereo, A/C and even its speed from miles away.

(The hackers said they wanted to bring attention to security issues they feel have been ignored; smart cars have built-in ‘entry points’, such as wireless communication and navigation systems.)

A conference in 2013 looked at the privacy and security on the IoT.

Closer to home, police in Ontario and a regional Internet service provider are very concerned about the take-over of a baby monitor.

A family’s Internet-connected device was hacked, causing police to issue a reminder that connected cameras are vulnerable, and that many wireless routers have a built-in default option to be remotely enabled. It’s really the opposite of ‘privacy by design’.

“Be aware that potentially nothing is secure if it’s connected to the Internet,” according to Ontario Provincial Police Constable Liz Melvin.

It's not just the devices: the connections are vulnerable, too, with word that smart home wireless connection protocols have been hacked. Such protocols are used by several manufacturers in order to let IoT devices communicate with each other, so again, by their very nature, they have vulnerabilities.

The hacking of a home network can lead to the take-over of all its connected devices, from door locks to alarm systems to house lights and more.

A screen capture from an app that controls high powered rifles.

‘More’ could include connected weaponry: new software-powered ‘auto-aim’ rifles are the latest target for known – perhaps even unknown – hacker groups.

Members of the known groups, at least, participate in DEF CON, the developer industry conference, and they will be part of an Internet of Things hacking contest, demonstrating how fast and easy it can be to hack the world of consumer and industrial equipment.

ISE’s Harrington is also a lead organizer of the conference’s IoT activities and he’s among those working to promote more securely built networked consumer devices. “We’re going to try to address head-on the looming challenges that are going to arrive with connected devices.”

The importance of ‘cyber-thing’ security and having proper procedures, policies and technologies should be clear. Yes, we can help protect ourselves from device hacking by using strong passwords, installing software updates and guarding against phishing scams where hackers attempt to solicit sensitive information.

But clearly, manufacturers – as participants in a regulated marketplace – must take a more robust, more proactive stance. Seeking to enable security is one thing, as many manufacturers have done. Having to face liability for a lack thereof is another.

Product guarantees have long been a recognized and actionable way to evaluate promises of performance; contracts, too, specifically define the services to be delivered and the penalties when they are not. Going forward, a security warranty for things on the Internet may have to be delivered with, if not before, the other promises that are made.

 

-30-

 

submitted by Lee Rickwood
