Introduction to Cybersecurity Part 4: For the fourth article in the series we’re going to look further ahead, at some emerging threats.
They are only of limited relevance today, but as the technologies involved become more widespread and are built into every facet of life they will only become more prevalent. While it sounds like the stuff of science fiction, these threats exist now and are not going to go away.
For simplicity, we’ll say that a ‘smart’ device is anything which connects to the internet (or a network) and is not intended to be a computer interface. Intended is the key word there, as many of these devices are insecure for the simple reason that they are a computer. The problem is that it is now cheaper and easier to put a general purpose computer into a device and run some software to, for example, turn lights on and off than it is to design a single-purpose lightbulb which also connects to a network.
The side effect of this is that the smart lightbulb connected to the network is also a computer, and it’s one that the owner has very limited control over. Every ‘smart’ system connected to a network increases the potential attack surface, and potential vulnerabilities. A lot of the time this is overlooked with the argument that, for example, a lightbulb simply isn’t a huge security threat – even if compromised the worst someone might manage would be to turn the lights on and off. Unfortunately things are never that simple.
Without even looking at risks linked to specific devices (we’ll get to those shortly) many smart devices rely on connecting to a wireless network, and will happily connect to a spoofed network while revealing the password to all and sundry. We saw in the last article how a MitM attack can be used to this end, and a smart device is no less vulnerable than any other.
But we covered MitM last time, and there are much more interesting and dangerous issues with many of these ‘smart’ devices. We’ll look only at those which could arguably be called home devices – semi-autonomous vehicles, drones, and similar could easily fill a series on their own. For brevity, we’ll look at three basic threats which come up with ‘smart’ devices – their use for reconnaissance, the potential for mischief, and the potential for physical threats to security. I separate mischief and physical threats only because the people likely to exploit these are two separate groups: pranks and mischief are much more likely from opportunistic attackers with no real targeted motivation, while the dangers of physical damage are much more likely to come from a sophisticated, targeted attack of a type we are not really seeing on a large scale as yet.
I occasionally do presentations on the dangers of ‘smart’ devices, or the Internet of Things (IoT), and usually start with a list of the absurd devices that can now be connected to a network. It’s a good place to begin, so let’s imagine a home equipped with all of the latest devices, from intelligent electronic locking systems with video doorbells through to the ‘smart’ egg rack in the fridge. No, the egg rack example is not a joke, though I will admit I’ve yet to work out a potential threat from someone managing to compromise one.
Our imaginary smart home will be equipped with the following:
- Doorbell with the ability to start a video call to the owner’s mobile when pressed
- External CCTV (basic commercial system, wireless cameras with an online portal to be viewed remotely)
- Electronic door lock, able to be unlocked remotely by mobile
- Smart lighting everywhere, remotely controlled and scheduled
- Automatic pet feeder/treat dispenser with video camera and screen (to check on and talk to the pet when not home, and dispense treats on command)
- Aquarium with mobile-controlled pump and thermostat
- Video-enabled toothbrush, for more effective brushing (this really does exist)
- Smart kitchen appliances, including a fridge, kettle, toaster, oven, microwave, dish washer, tumble drier, and washing machine
I’ve left out quite a few potential devices since they’ll either be of limited use to an attacker, other than the MitM potential mentioned earlier, or duplicate some of the above.
So first of all let’s start with everything with a video camera. Whether through a MitM attack, or direct exploitation, most cameras which have not been set up professionally are highly insecure (as are a number of those set up by professionals who have not been trained in how to configure IP cameras, since the default settings leave a lot to be desired). Those which are built into smart devices, such as the toothbrush and pet feeder, are potentially even more so.
The good news is that the toothbrush relies on Bluetooth rather than wireless networking, so an attacker looking to make use of the spy camera in your bathroom would have to be within range, or have a booster within range. That means they’re limited to being within a few tens of metres, or having a small battery powered device within that range. Of course, our hypothetical attacker would also need to find a suitable exploit to hijack the toothbrush’s camera, but given that manufacturers of these devices are not known for their diligence in designing secure systems, and I have yet to hear of someone connecting their toothbrush to the internet to patch it, someone with the appropriate motivation is likely more than capable of doing so.
The pet feeder, while at least in a less sensitive area, is more of an issue. Since it is designed to connect to a wireless network and allow the owner to both see and communicate through it (of course, having a microphone as well so that the pet in question can speak back) using their mobile phone while away from home, the only thing that prevents an attacker from doing so is the authentication. Some devices or services are so poorly designed as to allow access without any authentication, or use a universal default username and password to grant access to the vendor’s backdoors in the system (which are at least used to update the software).
The CCTV cameras, while also having many of the same issues, highlight another problem with these smart devices. The search engine Shodan (https://shodan.io) allows users to find open devices connected to the internet by type (including automatic number plate recognition systems, wind turbines, and CCTV monitoring nuclear power stations), and where weak devices are used provides a very convenient list for those looking to cause damage. Denial of service attacks in recent years have moved away from making use of individuals’ computers, and some of the largest attacks have been enabled by running a botnet consisting of poorly secured CCTV cameras, usually without any monitoring by the owner. This has led to some of the largest attacks ever seen, and they continue to escalate.
The video doorbell, of course, causes the same sorts of issues as any other camera-enabled system, but has a whole new set of risks associated when it is connected to a smart locking system. Not only are these systems easy to hijack physically (earlier this year I gave a presentation on how to ‘pick’ electronic locks based on RFID cards), when they are connected to a cloud service which allows unlocking through a mobile phone (and sometimes through Bluetooth) the problems become obvious.
At this point a dedicated, sophisticated attacker essentially has video surveillance and audio monitoring throughout the house, yet we aren’t quite done as there are some more esoteric attacks against smart devices which can dwarf the simple risk of espionage. The kettle is a prime example of this – initially it does not seem a particularly dangerous device, at worst someone could maybe cause a cold cup of tea or keep re-boiling the water. It’s the second one that becomes a problem (not with all smart kettles, but there are models which have this combination of flaws) where the thermoregulator is implemented in software rather than hardware, and runs on the same general purpose computer as the ‘smart’ controls. Someone wanting to cause real damage, aware of these issues and how to exploit them, could turn off the safety cut-out and repeatedly boil the kettle until it ran dry. At that point, continuing to heat causes a clear fire risk.
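The design flaw described above can be shown with a small simulation, added here as an illustration and not taken from any real kettle's firmware. Every name, the 105 C limit and the crude heating model are assumptions: the weak controller lets a remotely writable setting gate the only thermal protection, while the hardened one enforces the limit unconditionally, standing in for a hardware cut-out.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model of a kettle controller; every name here is hypothetical. */
#define CUTOFF_C 105              /* element must not be driven past this */

struct kettle {
    int  temp_c;                  /* sensed element temperature */
    bool cutoff_enabled;          /* weak design: a remotely writable setting */
    bool heater_on;
};

/* Settings command as it would arrive from the app or cloud service. */
static void remote_set_cutoff(struct kettle *k, bool on) { k->cutoff_enabled = on; }

/* Weak: the only thermal protection is software gated by that setting. */
static void tick_weak(struct kettle *k, bool boil_requested) {
    bool over = k->temp_c >= CUTOFF_C;
    k->heater_on = boil_requested && !(k->cutoff_enabled && over);
}

/* Hardened: the limit is checked unconditionally, standing in for a thermal
   fuse or comparator that the networked code has no way to switch off. */
static void tick_hardened(struct kettle *k, bool boil_requested) {
    k->heater_on = boil_requested && k->temp_c < CUTOFF_C;
}

/* Crude physics: water holds the element at 100 C until it has boiled away. */
static void heat_step(struct kettle *k, int *water_ml) {
    if (!k->heater_on) return;
    if (*water_ml > 0) { k->temp_c = 100; *water_ml -= 50; }
    else               { k->temp_c += 5; }
}

/* Repeated boil requests after the cutoff setting has been cleared remotely;
   returns the peak temperature reached. */
int peak_temp(bool hardened, int steps) {
    struct kettle k = { 20, true, false };
    int water_ml = 200, peak = k.temp_c;
    remote_set_cutoff(&k, false);
    for (int i = 0; i < steps; i++) {
        if (hardened) tick_hardened(&k, true); else tick_weak(&k, true);
        heat_step(&k, &water_ml);
        if (k.temp_c > peak) peak = k.temp_c;
    }
    return peak;
}

int main(void) {
    printf("weak=%d hardened=%d\n", peak_temp(false, 20), peak_temp(true, 20));
    return 0;
}
```

In the weak model the temperature keeps climbing for as long as boil requests arrive once the water is gone; in the hardened model it stops at the limit whatever the setting says.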
The same sort of risks apply with the toaster, oven, and some other smart appliances. Another example is, say, a smart freezer – a subtle attacker could cause it to thaw and refreeze overnight, repeatedly, spoiling any food without the owner’s knowledge. While food poisoning is not as immediately dangerous as a kettle bursting into flames, the risk is clear.
Unfortunately at the moment there is no real remedy to many of these problems, except a comprehensive security review, by experts, of any ‘smart’ devices being purchased. Such a review gets expensive quickly, though many pen testing companies showcase their capabilities by highlighting the risks in commercial products (and in ‘smart’ toys, such as teaching a doll to swear or a teddy bear to share video with strangers) and making their findings publicly available. Another possibility to reduce the risk would involve making the house network highly secure and isolated, with only a well-protected connection from the phone, but as many of these devices rely on cloud services for management this would remove any benefits of the intelligence.
What is most needed is education about these risks, and a demand from manufacturers for demonstrably secure products based on the best practices established over years of information and cyber security. Without this we will continue to see the attack surface multiply year on year, as more and more ‘smart’ devices are turned against their owners. For the time being, knowing the risks these devices pose, being aware of how they can be misused, and knowing how to isolate them when necessary (or simply not purchasing them) will have to do.
In the next issue we’ll be looking at a brief introduction to how you can hide (to a point) from OSINT, and make information on yourself harder to find. We won’t be covering the full scope as the field is huge, just a few simple basics to start with and some recommendations on where to find a lot more information.
Insecure Smart Houses
By: James Bore
James Bore is a cybersecurity Jack of all trades by vocation and choice. In over a decade he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently he heads up security for a challenger bank, and in rare spare time runs a blog on cyber security (https://coffeefueled.org).