“For some reason they invited me back”, said Ken Munro, managing director of Pen Test Partners, as he took the stage armed with a bunch of connected toys and home appliances, all of which he was about to defile.
Munro has built up something of a reputation for doing exactly that. IoT security is rarely good and you'll see few people who know that as well as Munro. “This presentation may contain hot liquids” said Munro, “no sex toys this year though.”
There are simple principles when writing apps for IoT, Munro reminded the crowd. Firstly, write the code securely, and secondly, obfuscate it so that reverse engineering and exploiting it is really tough. Very few IoT manufacturers actually do that.
Deserving of a special brand of Munro's contempt was VTech. The smart toy company was the victim of a massive hack last year in which the personal details of millions of adults, and the children who played with VTech's smart toys, were stolen by hackers. The company doesn't seem to have learnt its lesson, said Munro, as he held up one of its more popular tablets for children. That toy uses the Rockchip processor, a piece of hardware that has been proven vulnerable for over a year now, and VTech are still selling it.
The problem, in broad terms, is that there's been a huge growth in attack surface over the last decades. Secure IoT requires a lot of secure things: mobile security, mobile app security, web app security, API security, hardware security, firmware security and RF security, to name a few. Not only that but "you've got to get a manufacturer of 'things' to understand all of this".
First up for embarrassment was an IoT kettle, a laughably vulnerable device. A port scan, a teardown of the kettle and a review of the source code showed it to be quite easily attackable. According to Munro, “it's like turning a clock back twenty years in terms of security.”
From there you can write your own client software, geolocate unconfigured wireless kettles, and perform a ‘steamy windows’ attack, wirelessly boiling the kettle until the unfortunate victim gets a kitchen full of three litres of steam and, more importantly, access their wireless network.
Next was a coffee machine which could be broken with similar ease. One possible attack could start a firmware update which puts the machine into a loop and can, if so desired, permanently kill the machine or potentially start a fire, as well as giving access to the victim's network.
Toys present a particularly fertile avenue to defile children's minds. Last year Munro exhibited how easily he could hack into the smart ‘talking’ doll, ‘My Friend Cayla’. Though there is now ‘Princess Cayla’ and ‘Action Cayla’, “nothing's really changed.”
By modifying the content of the database which the doll consulted to respond to a given question, Munro could change the cheerful infantile tone of the doll's responses to, well, something far more vulgar.
When the issue was disclosed to the doll's manufacturer, the company fixed the problem by encrypting the contents of the data, but did so with a static key which showed up in the code, presenting no real bar to the wilful hacker.
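Why a static key in the app does not protect the response data, next to a signed-data design, as an added example that is not code from the talk, the doll app or its vendor. The sample data, the demo key and all function names are constructed, and the signing design is an assumption about one possible alternative, not the manufacturer's fix.

```javascript
const crypto = require('crypto');

// Constructed sample of the question -> answer data the doll app consults.
const RESPONSES = JSON.stringify({ 'what is your name': 'My name is Cayla' });

// Design the article describes: one symmetric key shipped inside every app copy.
// Constructed demo key; in the real case it is readable by anyone with the app.
const STATIC_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();

function sealStatic(plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', STATIC_KEY, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function openStatic({ iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', STATIC_KEY, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Alternative (assumption, not the vendor's fix): the vendor signs the data and
// the app ships only the public key, which cannot be used to produce signatures.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const vendorSign = (data) => crypto.sign(null, Buffer.from(data), privateKey);
const appVerify = (data, sig) => crypto.verify(null, Buffer.from(data), publicKey, sig);

function compareDesigns() {
  const modified = RESPONSES.replace('My name is Cayla', 'modified reply');
  // The static key is the only secret, so content sealed by any key holder opens cleanly.
  const staticKeyAcceptsModified = openStatic(sealStatic(modified)) === modified;
  const sig = vendorSign(RESPONSES);
  return {
    staticKeyAcceptsModified,
    signedGenuineAccepted: appVerify(RESPONSES, sig),
    signedModifiedAccepted: appVerify(modified, sig),
  };
}

console.log(compareDesigns());
```

With the signed design the private key never leaves the vendor, so reading the app's code yields nothing that can make modified data verify.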
Hello Barbie, another doll which responds to a child's questions, can be abused in the same way. But “the thing that really bothers me”, said Munro, was that parents could see, via a mobile app, what the doll has been saying to the kid, “now hackers are talking to their kids through their Barbies.”
Smart kitchens built from Hoover or Samsung smart appliances presented no real problem to get into either. A Wi-Fi doorbell, which also acts as an intercom when you're out of the house, could easily be unscrewed to get to the reset button inside. That button doesn't wipe the device's state, so, in essence, someone could steal the Wi-Fi key from outside.
“You're giving hardware to your customers”, said Munro, but you are allowing attacks not just wirelessly but physically too.
Wearables also provided ample opportunity for tracking people's movements. Munro brought out several connected wearables, some of which paired with phone apps. Pen Test Partners tested five different running apps which could pair with these devices; all had security turned off by default: “the opportunity for stalking is absolutely huge,” as location was tracked in real time.
IoT “is not complex”, said Munro, “but the problem is people who are doing it are not good at security.” Simply put, engineers don't do security.
So what to do about all this glimmering nonsense that might give us marginal convenience but cost us our privacy, personal details or even our safety? Be cynical, concluded Munro, “don't adopt technologies that aren't proven secure.” If we don't “do something about it we're going to carry on with flakey kettles and dolls that swear at you.”