With the advent of IoT devices in every home and business, from networked garage doors to luxury home environments available from your mobile phone, hackers both good and bad have started chanting another motto. Hack The Planet! has become Hack All The Things! Def Con 25, an annual hacker conference and largest of its kind in the world, premiered dozens of IoT-like artwork in the form of badges, a subcultural icon amongst hackers. Pictured above is the Car Hacking Village badge, complete with ODB2 connection for hacking vehicles.
Internet of Things (IoT) devices can be found in a dizzying array of household and industrial items, and we are relying more and more on these connected devices for important functions and tasks. IoT hacking has found its way into the news and media a lot in the last few years, including a DDoS (that’s Distributed Denial of Service) attack using compromised IoT devices in a massive online flood that brought down dozens of high visibility and critical websites and web services by overwhelming Dyn DNS. Dyn DNS is a dynamic DNS provider that helps sites map a browser request like www.twinstate.com to the actual location of the website on the internet (think of DNS like your GPS for the web).
IoT isn’t just a subtext at Def Con. IoT exploitation is the focus in the IoT Village, and the site ihackiot.com offers the above learning and hacking kit for those who would like an all-in-one solution to IoT hacking. IoT Village website: https://www.iotvillage.org.
Home Invaders
Awareness on the risks of insecure IoT is rising. USA Network television series Mr. Robot is a stylized depiction of a hacker group bent on forcefully reviving democracy at the leadership of a troubled hacker named Elliot and the collective he founded, F-Society (bearing a clear resemblance to hacktivist group Anonymous). IoT gets a spotlight during an amusing scene in which a home owner with connected IoT devices (similar to the popular Nest suite of connected home gadgets) comes home to find her luxury apartment turned into a house of horrors complete with flashing lights, blaring music, ambient temperature plunges, and other bells and whistles that are used to drive her from her home.
It’s a raucous display of what a home connected in the extreme can become, but it presents a growing problem to which most consumers and businesses are still oblivious: IoT just means connected things, and if your things are connected, they can be found.
Bring in The Buckets
How can you find weak IoT in your network? Start by looking for the basics:
- Default or weak passwords for administration
- Hidden/manufacturer backdoors
- Signal leakage (we’ll talk about this below)
- Exposed debugging functionality – hardware or software
- Weak service configurations
- Weak encryption or authentication
Check each item off in an IoT assessment and if a device fails an item, consider the Bucket Score – our recommendation on whether a failing grade on an item might be cause for tossing that gadget bucket of water before it becomes hacker hardware at your expense!
Criticality
- Low – Not a big deal
- Medium – Annoyance
- High – Risk of breach or loss
- Critical – Unplug!
Ease of Correction
- Easy – Monkeys Got This
- Moderate – AP Student or That Guy You Know
- Complex – Monkeys + Engineer & WikiHow Article
- Expert – Get One, or Say Hi to Your New Brick
Buckets: From 1 to 5
- 1 – Keeper
- 3 – Watch List
- 5 – ON FIRE – BUCKET NOW!
Default or Weak Passwords
Manufacturer documentation will help here in most cases. The IoT administration may have a default or weak, schematic or dictionary based password assigned, putting a 'plug and play' device at risk. Find out from documentation how to change these passwords before you ever plug it in!
- Criticality: Critical
- Ease of Correction: Easy to Moderate
- Bucket Score: 4
Hidden/Manufacturer Backdoors
This is tougher to discover if the manufacturer isn’t willing to disclose their own backdoors in the hardware or software. Often the best way to find these, outside getting direct help from the manufacturer, is to ask the security community. Research into IoT often reveals backdoor accounts, services and functionality, and may already be documented.
If your manufacturer is prone to installing undocumented backdoors or won’t discuss the existence of them in their products, you may want to look for a more security savvy vendor. Once you know what type of backdoor you need to fix, you can use port blocking, reduce the RF range of the device, or request a firmware update process (or refund) from your manufacturer.
- Criticality: Medium to High
- Ease of Correction: Moderate
- Bucket Score: 4
How vulnerable is your network? Find out with a Vulnerability Assessment from Twinstate Technologies.
Signal Leakage
Many IoT devices work on specific radio frequencies to communicate – wireless, Bluetooth, cellular, ISM – and these signals are often detectable at a distance from the device. By sniffing RF signals, an unencrypted communication between your control device and the IoT device might lead attackers to compromising your information or taking over your IoT device. A manufacturer should be able to tell you about the types of RF in use, the protocols used to communicate, and the encryption (or lack of) employed by the device.
- Criticality: (unencrypted RF for device control) High
- Ease of Correction: Moderate to Complex
- Bucket Score: 3
Exposed Debugging Functionality
Dear IoT manufacturers: Turn off debugging before you ship! Many otherwise good platforms have been vulnerable to attack due to a debugging option in software left on. Additionally, debugging hardware can expose certain devices to threats such as a side-channel attack that may make any well-developed software security useless. Fixing this means getting updates from your vendor, and in case of hardware, protecting the debugging circuitry from exposure to unwanted parties.
- Criticality: Medium (unless it exposes a vulnerability)
- Ease of Correction: Complex
- Bucket Score: 3
Weak Service Configurations
Encryption is often overlooked by manufacturers or proprietary, embedded devices like IoT gadgets, but it is still important for protecting data and access to both your device and the devices and information it accesses. Encryption standards are an ever-evolving goal, so the best practice is to find out what encryption is used by your device, and then research the strength of that encryption to withstand attack.
- Criticality: Medium to High
- Ease of Correction: Moderate
- Bucket Score: 3
In Summary
IoT isn’t your friend, but it’s not your enemy either. Get to know the limitations and mechanisms of each device, and when in doubt, lock it out. Keep untrusted or poorly designed devices away from critical infrastructure or sensitive use – don’t put all your eggs in an IoT basket hiding a backdoor.
More Reading
- Def Con IoT Village – www.iotvillage.org
- IoT Exploitation – www.ihackiot.com
- Awesome IoT Hacks Repository (and more articles) – https://github.com/nebgnahz/awesome-iot-hacks
Originally published on 08/18/2017