Four IoT vulnerabilities, one dangerous trend?
Curiosity, greed, patriotism, revenge, ideology, outrage, color of mood ring: There are almost as many motivations to hack as there are hackers. And at the intersection of inquisitiveness and ego lies an urge to see if any new device can actually be hacked.
As the Internet of Things becomes more prominent, we decided to look at four of hackers’ lesser-known targets and consult with a couple experts about their broader implications. At the moment, they say, vulnerabilities of individual Internet-connected devices don’t present systemic or societal dangers. They do, however, give everyone reasons to maintain a sober vigilance about IoT security.
Livestock trackers. Most people think that cattle rustling is about as contemporary as the steam locomotive and as extant as the great auk. But the last decade has seen as much livestock theft as the age depicted in the silver-screen Western. Just last month, authorities in Oklahoma arrested members of a rustling ring that netted almost $100,000 in stolen cows.
RFID technology has largely come to farmers’ rescue. With the ability to husband one’s own data, ranching in the cloud is more practical than ever—until you’ve suffered a hack, of course.
No, the Internet of Things is still not safe
VTech nightmare exposes parents’ nightmare: The Internet of broken toys
Living on the edge of heartbreak
How to secure your home Wi-Fi
Privacy, failure, and hacking fears hold back ‘smart guns’
Today’s basic radio frequency identification tags, like many IoT devices, lack built-in security. Access is open. You can imagine rustlers rounding up RFID-tagged cattle, hacking into and updating their tags, walking them out past receivers used to track their locations, and sold without auctioneers or police being any wiser.
Door locks. To marry security and customer service for their guest room doors, hotels are moving from brass pin tumbler lock keys to plastic swipe cards to proximity cards. And hackers are moving with them.
The DC connector on the underside of many hotel room lock plates made by Onity, designed to recharge cards and let in locked-out guests, for some time could also let in locked-out hackers armed with dry-erase markers. (Nine months after the vulnerability was fixed, reports of break-ins continued, so you might want to throw on that deadbolt.)
People renting out their homes via services such as Airbnb are increasingly installing so-called smart locks. Owners share keys to some of these locks via an app. Fire it up, press a button (or the lock itself), and voila! The lock retracts or engages. But with just a paper clip, a screw driver, and 15 undetected seconds, hackers have managed to break into Kwikset’s very popular Smartkey locks too.
Apparently, these smart locks are no more secure than traditional deadbolts.
Tea kettles. And then there are “smart” kettles. If you want to see a teapot hack resulting in innocently brewed tea or heated milk, you could hop on a plane to Kenya. But if you want to see a teapot hack resulting in an exposed Wi-Fi password, head to Merry Olde England, where white hats apparently wanted to prove themselves smarter than a local company called Smarter.
Smarter’s Internet-connected kettles are designed to help users avoid “the horrible task of having to walk a few feet and wait a few minutes.” According to a Techdirt report, the researchers used a directional antenna to set up a Wi-Fi network just a little stronger than the one to which the kettle was connected. They then blasted the kettle with a dissociation packet, took over its access point, and were able to view the network’s wireless key.
To our knowledge, nobody has yet landed in hot water as a result of a kettle hack, but having a vulnerable Wi-Fi network is nobody’s cup of tea.
Drug pumps. Today’s drug pumps are designed to enable precise, automated administration of lifesaving but dangerous drugs. Mobile versions dispensing insulin, for example, enable Type I diabetics to live much more normal lives. On the flipside: An unexpected dosage change in a mobile drug pump could could be life-threatening.
Last year, security researchers discovered that five models of pumps made by Hospira, totaling 400,000 machines, were vulnerable to dosage hacking. “A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered,” according to a Wired report about the hack.
Hospira later said the hackers had gained physical access to the pumps to update their firmware. “This was not a remote or wireless hack,” it stated, as indicated in a video the hackers had released.
Nevertheless, Medical Design Technology magazine columnist Sam Brusco wrote, “The trend of incorporating IoT into medical devices isn’t going to slow, and current hospital network security needs to be beefed up to accommodate for potential security risks—otherwise we may have actual hacks on our hands.”
Real danger or digital cul-de-sac?
Is IoT hacking a real danger, systemically and societally? Not at the moment, according to Rich Mogull, CEO of information security firm Securosis.
“There is a lot of hype [about hacking networked devices] but not a lot of meat,” he says. “I don’t count power stations and other operational technology as IoT. There have been some big incidents there, but nothing much related to things people have in their homes—fitness trackers, etc. We’ve seen some medical hacks, but mostly those are deep compromises of hospital/medical networks rather than something targeting a medical device directly.”
In other words, systems are the main targets of serious hackers. Hacks of connected objects, Mogull says, are largely conducted by “recreational hackers” or “white hats” hired to perform penetration testing.
That doesn’t mean we shouldn’t keep an eye out.
“The long-term implications,” Mogull says, “are massive. Right now, there aren’t a lot of real-world incidents, but we are setting ourselves up for some nasty ones down the road.”
Many connected objects lack good update processes, says Adam Shostak, author of Threat Modeling: Designing for Security. “It’s also hard to monitor them.”
One of the big issues is life cycle neglect, he adds. Few connected devices “are built by folks who recognize that there’s a need to maintain the code they put into them.”
Shostak and Mogull encourage maintaining a sober vigilance.
“Companies aren’t being hacked via lightbulbs except by their penetration testers,” Mogull says. “But I sure wouldn’t put connected lightbulbs in a secure military facility.”