The Internet of Insecure Things
The “Internet of Things,” or IoT, is exploding like a mushroom cloud. Coffee makers, toys, cars, even light bulbs are getting IP addresses and connections to the cloud as manufacturers rush to “add value” to commodity products. But in the mad dash to realize Dr. Vint Cerf’s famous motto, “IP On Everything,” virtually no attention is being paid to securing smart devices against hackers...
The Connected Future is Looking a Bit Scary
Honeywell Home Automation’s Tuxedo Touch Controller “contains multiple vulnerabilities,” according to a security alert issued by CERT – the Computer Emergency Response Team. “All versions of Honeywell Tuxedo Touch Controller are vulnerable to authentication bypass and cross-site request forgery (CSRF),” says the alert.
That means it’s very easy for anyone to send a command to a Tuxedo Touch Controller that will open doors or unlock windows, turn furnaces or security systems on or off, or tamper with any other device controlled by the Tuxedo Touch. It’s easy to scan the Web and find Tuxedo Touch Controllers, too, much as it was easy (in the early days) for voyeurs to find active Web cameras.
Honeywell released a patch for this vulnerability on July 24. But that doesn’t excuse the company’s failure to design the product right in the first place; the vulnerabilities and how to avoid them have been known for decades. This is what you get when electro-mechanical engineers dabble in Web development.
It’s not just Honeywell that’s been horribly bad at IoT security. Craig Young, security researcher for Tripwire, said in a July 23 media release that he’s found vulnerabilities in the MiOS Vera, WinkHub, and SmartThings Hub that “could allow hackers to identify when people are out of their home, change alarm settings, open locks without authorization, access local area networks and turn smart hubs into zombies,” making them slaves to remote botnet masters.
SmartThings and Quirky, the manufacturer of Wink, quickly issued patches when their mistakes were brought to their attention. But again, the mistakes were rookie mistakes that should never have been made. SmartThings and Quirky pushed the patches out to their devices in consumers’ homes, just as Windows Update automatically delivers security patches. But MiOS doesn’t do automatic updates! Its users have to learn about the danger, locate the patch, and install it themselves. That’s nearly as negligent as not creating a patch at all.
You Think YOU Have Insecurities?
Google’s Nest subsidiary slipped up, too. In March, TrapX Security demonstrated how to hack a Nest Internet-connected thermostat and gain control over other connected devices in a home. That hack required physical access to the device, making it far more difficult than the examples cited above. However, it made buying a used Nest thermostat a risky proposition.
The Nest vulnerability has not been patched, a year after it was first discovered by a University of Southern Florida team led by Professor Yier Jin. “The problem is with the way the hardware is built… Nest can’t repair that,” Jin told Forbes magazine in an interview.
And the problem extends beyond computers, mobile devices and home appliances. A recent Wired story details how hackers took control of a moving Jeep Cherokee from 10 miles away. In this demonstration, a Wired reporter explains how he was powerless to control the air conditioning, radio, windshield wipers, brakes and accelerator, while driving at 70 mph on a highway. The hackers used the cellular connection of the car's Uconnect entertainment system to take complete control of the car. They haven't tried hacking into other makes or models, but I wouldn't be surprised if they are similarly vulnerable.
In a report issued last year, the National Security Telecommunications Advisory Committee said: “…there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
Maybe the way to focus manufacturers’ attention on the vulnerabilities of their IoT products is to just stop buying them. Perhaps the Federal Trade Commission can get involved; gaping security holes are certainly indications of a defective, dangerous product. Homeland Security, are you listening?
I don’t know what the solution is, but the problem is serious and growing exponentially. Something must be done to secure the Internet of Things before too many “smart” but insecure devices get embedded in our homes, offices and cars. We need a techno-super-hero here. Maybe Vint Cerf will swoop in and save the day. I'm keeping an eye on the phone booth down the street.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 6 Aug 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- The Internet of Insecure Things (Posted: 6 Aug 2015)