Tripwire’s IoT Hack Lab team warn about IoT botnets and homes that might be too smart for their own good.
What’s the only real way to render an Internet of Things device safe? Unplug it, says Craig Young. He is a security expert at Tripwire, which ran its first IoT Hack Lab at the SecTor 2015 conference. Along with colleagues Tyler Reguly and Lane Thames, he walked students through the weaknesses in several Internet-connected devices, ranging from picture frames and cameras through to smart TV sets and routers.
The Internet of Things has made the headlines repeatedly in the last year or two, as privacy groups and even governments have questioned the security and privacy risks involved. A constellation of different devices, from door locks to cars, is now connected to the Internet, often with worrying results. In August 2015, Chevy was forced to recall 1.4m vehicles after experts demonstrated how they could take control of a vehicle on the road.
Young worries that as attackers grab access to IoT devices, they can use them to mount attacks on other devices in the home, and even sell vast botnets of connected fridges and TVs, which could be used to carry out denial of service attacks, for example.
The danger is only becoming more severe, as companies release increasingly sophisticated automation products for the home, pointed out Thames. When it comes to security, the ‘smart’ home is anything but. If someone can hack the logic controlling your home automation system, they could gain insights into your home life, checking motion sensors or thermostat settings to understand when you’re away, for example.
Can’t we simply spot and deal with these flaws in Internet-connected devices before they ship? It’s harder than it looks, said Reguly. Market forces and security are often at odds with each other, and the pressure is on to ship quickly rather than wait for a full security audit. The Internet of Things is today where computing was 15-20 years ago, he warned.
The problem is getting more attention from the security industry and from vendors, he added, and events like the IoT Hack Lab help. We’re still a long way from a secure IoT, though, and as we struggle to come to terms with the risks, the devices keep on shipping, in the millions.
Check out SecTor’s interview with the Tripwire Vulnerability and Exposure Research Team (VERT) here: