EMA: IT and Data Management Research, Industry Analysis and Consulting

A Tribute to IoT Device Security Researchers

Written by David Monahan | Jan 3, 2017 4:34:22 PM

This blog in the Internet of Things (IoT) series comes as a tribute to security researchers everywhere. The autumn’s largest security-focused show is the Black Hat Security conference. If you are not familiar with Black Hat, it is a tech conference that started in 1997 and covers numerous security topics in various presentations that are fairly to highly technical. As mentioned in the first blog in the series, IoT-like systems have been around a long time. However, researchers began paying more public attention to IoT around 2011. Visibility on the subject of the security, or lack thereof, of IoTincreased in 2011, when researcher Jay Radcliffe demonstrated that medical devices; in this case, his own automated insulin pump, could be hacked to deliver a lethal dose of insulin.1 Since that time, there were numerous other IoT hacks in various fields, including:

2013:

  • Follow up on medical device hacking by Jay Radcliffe
  • Scheduled presentation on other medical devices (pacemakers) by Barnaby Jack2 (was cancelled due to his death just before the conference). It was this presentation and a television show scenario of the same design that had wireless capabilities of former Vice President Dick Cheney’s pacemaker disabled.

2014:

  • Hack of hotel environmental automation systems, taking over a hotel’s room HVAC, lights, TV, and other amenities.3

2015:

  • Among many things, researchers Charlie Miller and Chris Valasek demonstrated a frightening exploit on an unaltered passenger vehicle (Jeep Cherokee).4 They proved that a significant number of Fiat Chrysler vehicles had similar vulnerabilities, resulting in the eventual recall of over one million vehicles.5 As desired by the researchers, this hack broadened awareness and scrutiny on how connected vehicles were secured (or not) and motivated manufacturers to start addressing the problem.
  • Security researchers of NewAE Technology developed a worm (a self-replicating piece of computer code) to infect smart devices, which also applies to IoT devices.6 Smart home devices, smart cars, and more can be affected by this worm creating havoc and potentially dangerous situations for consumers, as well as opening the door for other various kinds of cyberattacks.

2016:

  • Researchers demonstrated more vehicle hacks, as well as successful attacks against ATMs, Chip and PIN systems, point of sale terminals, and others. Both Black Hat and its sister conference, DEFCON, set up hands-on IoT hacking areas that included the hacking of consumer and office equipment, medical devices, personal health equipment, security cameras, baby monitors, Wi-Fi Smart scale, Apple’s Time Capsule Network Storage, garage-door openers, electronic locks, refrigerators, and even a Linux-powered auto targeting rifle system.7,8,9

The point of these hacks and disclosures is not to breed fear but create a healthy skepticism of what manufacturers of connected, embedded, or other types of IoT devices are telling consumers, and what they are not telling them about their products. These small footprint, Wi-Fi accessible devices are popping up everywhere; sadly, security is still often an afterthought. There is more onus on those purchasing the devices and the people responsible for managing the environments that they reside in both home and office. Each of us is participating in the world of IoT whether by choice or by happenstance, and we must embrace a culture revolving around three key components:

  1. Visibility: We must be able and willing to see what is entering our environments, see what it is doing while it is there, see how it is configured and be able to do that without having ownership or agents installed on it.
  2. Control/Enforcement: Devices operating within the managed environment and attempting to access company assets/resources must be controlled by a standards- and policy-based system to enforce the policy. This will help ensure that those assets are protected even when an agent cannot be placed upon it, which is often the case with Bring Your Own Device (BYOD), fixed function, medical, embedded and other classes of IoT devices. These devices often come with no update capabilities and/or the manufacturer voids warranty and support if the software is modified, like when adding an agent.
  3. Orchestration: Organizations need broad detection and integration capabilities to identify and interact with the most extensive range of device platforms and operating systems. Only identifying and managing some, or even most, of the devices interacting with assets and consuming resources leaves a coverage gap that is unacceptable. In addition, solutions that provide visibility and control must work together better through integration to provide greater value to organizations. Much of this will manifest itself as improvements in operational efficiency. Solutions that fail to provide these improvements must be replaced by those that do.

No matter what form of IoT your organization encounters, it must be ready to deal with them as authorized and entitled hosts, and as undesirable threats.

https://www.youtube.com/watch?v=-q29b3wvbss

http://www.forbes.com/sites/ericbasu/2013/08/03/hacking-insulin-pumps-and-other-medical-devices-reality-not-fiction/#674903764327

https://itcblogs.currentanalysis.com/2014/08/08/black-hat-hacking-the-internet-of-things-for-fun-and-profit/

https://shrikantadhikarla.wordpress.com/2015/09/03/highlights-from-blackhat-2015-defcon-23/

https://iapp.org/news/a/iot-vulnerabilities-galore-a-black-hat-defcon-roundup/

http://www.ibtimes.co.uk/top-5-scary-hacks-that-emerged-black-hat-usa-hacker-conference-1574677

https://www.blackhat.com/us-16/training/offensive-hands-on-internet-of-things-iot-exploitation.html

http://www.darkreading.com/endpoint/internet-of-things-hacking-village-debuts-at-def-con/d/d-id/1321281

https://www.blackhat.com/docs/us-15/materials/us-15-Sandvik-When-IoT-Attacks-Hacking-A-Linux-Powered-Rifle.pdf