Following BlackHat 2018, there has been more discussion around IoT security. During the conference, Ijay Palansky, a partner at law firm Armstrong Teasdale, which represented plaintiffs in the 2015 hacking of a Jeep in transit, warned there was a law of understanding of IoT technologies and that many of the devices had been built “with little to no security in mind.”
So what do Iot security risks mean for us? What are the dangers and how we can stop them?
Hacking into a building
Samsung’s SmartThings Hub came under scrutiny recently following the discovery of vulnerabilities present within its firmware. Found by Cisco ‘s cyber threat intelligence team Talos, the vulnerabilities allowed an attacker to execute OS commands or other arbitrary code on affected devices.
The SmartThings Hub is the central controller and manages IoT devices such as smart plugs, cameras and much more. Cisco Talos commented on the risks of the vulnerabilities: “Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities,” it said.
The most concerning examples was that of attackers being able to unlock smart locks and disable home alarm systems, putting buildings at risk.
Taking down the power grid
During the Usenix Security Conference, a group of researchers showed how a botnet of thousands of IoT devices could take down a power grid.
The group from Princeton University presented a study showing that hackers could attack the demand side of the power grid, using IoT devices such as air conditioners, water heaters and space heaters. They estimated that it would only take a one per cent surge in demand to take down at least the majority of a grid.
The result of this botnet attack could result in blackouts, overloading currents on certain power lines, damaging them and triggering protective relays, which turn off the power when they sense dangerous conditions. The researchers also found that once a grid was taken down successfully, it was harder to get back online.
Smaller scale versions of the attack could be triggered in sections of the grid, forcing utility providers to pay for expensive backup power supplies.
Not-so-smart cities
IBM Security recently warned of how “painfully easy” it would be to infiltrate IoT device with the purpose of bringing down a smart city. Places like New York, Las Vegas, Singapore and Barcelona are already using IoT technology to improve public services, however, the failure to update devices from their default passwords could result in them becoming “dumb cities.”
According to its whitepaper, The Dangers of Smart City Hacking, IBM X-Force Red found 17 vulnerabilities falling into three defining categories: SQL Injection, Authentication by-pass and public default passwords.
The study confirmed that if “attackers could track down and research smart-city controls and sensors they would have little trouble exploiting vulnerabilities and getting past minimal security barriers.
IBM confirmed that every single device examined by X-Force Red and Threatcare were still using the default passwords that they came within the box, which are easily found online. They also all had authentication bypass issues. Donned “supervillain” attackers, IBM warned of risks to cities such as disasters (real or fake), manipulation of law-enforcement responses and agricultural crop manipulation.
An echo not to be repeated
According to Tencent’s Blade team, researchers were able to use a modified Amazon Echo device to hack into and spy on other Echo smart speakers. This included taking control over the playback of the speakers and other functionality as well as listening in to what those devices were hearing.
While the team were quick to point out that the hack required a lot of work, the ability to listen into conversations, which would be difficult for the average user to detect, caused them concern.
Reports claim Amazon has since fixed the vulnerabilities used in Tencent’s hack. However, with other technology giants moving into the IoT, artificial space such as Google, and the known vulnerabilities of IoT devices, it might not be long before our everyday conversations are heard by some unknown hacker – both at home and at work.