No, the Internet of Things is still not safe
Drones aren’t quite yet ubiquitous, but the sight of a Parrot AR quadcopter drone rising in the sky is increasingly common. Less common is watching an Internet-connected, smartphone-controlled flying robot abruptly stop midflight, then plummet and smash to the ground.
That’s exactly what happened at the hacker conference Def Con in August, part of a weekend-long demonstration of how easily hackers can break into—and crash—a broad range of Internet-connected devices.
According to Ted Harrington of Independent Security Evaluators, which organized the Internet of Things “hacking village” at Def Con, hackers and researchers presented 60 previously unknown security holes in 27 Internet-connected devices made by 18 different manufacturers, including Parrot.
Of the 60 security holes, 14 were discovered during the four days of Def Con; the rest were discovered earlier but publicly presented at the conference for the first time. Parrot, as well as most of its fellow makers of devices highlighted at the “hacking village”—satellite signal receivers, refrigerators, Wi-Fi routers, lightbulbs, baby monitors, motion sensors—did not return requests for comment.
“The vast majority of new devices are potentially at risk because there’s been no security testing done—or not the right kind,” Harrington said, adding that the problem extends well beyond Kickstarter or IndieGoGo projects.
He pointed to security failures in devices made by Samsung, which makes more Internet-connected devices than any other company in the world; Philips, which makes Wi-Fi-connected lightbulbs; and Fitbit, which makes fitness trackers that collect biometric data such as users’ heart rate, exercise regimen, and sleep patterns.
In a study it released this year, Hewlett Packard Enterprise determined that 90 percent of Internet-connected devices—or apps used to manage them—have collected at least one piece of personal information. A lack of built-in security, it said, raises privacy concerns in 80 percent of connected devices. And in a study last year, HP found that 70 percent of connected devices contained “serious vulnerabilities.”
Security risks have not slowed business or consumer demand. In a November report, research firm Gartner predicted that companies will spend 22 percent more next year on connected devices’ underlying services. And as connected devices claim a bigger portion of the consumer technology pie, security experts like Harrington worry that device makers’ lax approach to security is putting them on a risky and intractable course.
The FBI in September warned consumers about the security risks of the Internet of Things, or IoT, a term broadly used for electronic hardware devices that can send and receive data, most often, but not always, over the Internet.
“Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices,” the agency said.
Ken Munro, a researcher at British security firm PenTestPartners, said people who sell connected devices they no longer want via online marketplaces are particularly vulnerable. His firm showcased at the Def Con “hacking village” how it cracked a Fitbit Aria and forced the scale to give up the Wi-Fi password of its previous owner.
“People sell their used scales on eBay. You extract the Wi-Fi key, and if you know where the seller lived [such as from the return label on the box used to ship the device], you could compromise their home Wi-Fi,” Munro said. Gaining Wi-Fi access could be a boon to a stalker or somebody looking to break into your home, he added—especially if you have connected other devices to it, such as a door lock.
According to this year’s Information Systems Audit and Control Association survey, 73 percent of tech industry professionals think that companies are “likely” to get hacked through connected devices, and 72 percent think that IoT device manufacturers are being lax in their security standards.
A big part of the problem is that IoT device makers large and small don’t know what to do when somebody reports a security vulnerability to them, Munro said. The first time he tried to alert a manufacturer of an Internet-connected building management system about a security vulnerability, he said, the vendor didn’t understand him.
“I asked to speak to the security team,” Munro said. “They thought I meant the security guards.”
Granted, that was in 2004, but Munro and Harrington both lamented that 11 years later, they still get similar responses—if tech companies get back to them at all.
From “most Internet of Things vendors, you hear nothing back. You instant-message them, direct-message them [on Twitter], tweet [at] them, email them, they won’t talk to you,” Munro said. “They won’t engage with you, but they’re still shipping vulnerable product. So what do you do? Do you let them ship dangerous product, or do you tell the world,” and risk having a less scrupulous hacker potentially cause harm?
Harrington and Munro acknowledged the difficulties that IoT vendors face in simultaneously building new products and creating systems to test them for flaws. “Some Internet of Things makers say they are beginning to take security seriously,” Harrington said.
One of them is electric-car maker Tesla, which Munro said has established “model” policies for disclosing vulnerabilities. Another is Dell, whose “maniacal focus” on security, according to the company’s data security chief Brett Hansen, led it to develop “clear, documented approaches” to security testing and vulnerability reporting.
Philips, which makes a Wi-Fi-connected lightbulb that was hacked at Def Con’s Internet of Things village, said that it takes security “extremely seriously.” To that end, it offers a website and dedicated email address through which security researchers can report vulnerabilities.
“Our devices are subject to regular penetration tests by external agencies, as well as involvement and review of all new features and the full architecture by an experienced architect,” Philips representative Silvie Casanova said.
Meanwhile, Fitbit’s growing security team is working hard to “get the basics right,” a company representative said.
To Fitbit, “this means having strong software development life cycles, ensuring that we deploy controls like encryption at the right places, having ongoing monitoring in place to ensure that security controls are working, and implementing robust vulnerability disclosure and update processes,” the representative said. The company, which recently attended Def Con, has established a bug bounty for independent hackers and a dedicated email address to directly reach its security team.
Security, Dell’s Hansen said, is “not just something that happens. We have to be very thoughtful about how we make our software as secure and bulletproof as possible.”
Updated on Nov. 23, 2015: Added comment from Philips.