Abusing the Internet of Things
Nitesh Dhanjani
Beijing · Cambridge · Farnham · Köln · Sebastopol · Tokyo
Preface
The upcoming age of the Internet of Things (IoT) will blur the line between our physical and online lives. Attacks targeting our online spaces will put our physical security at risk. Traditionally, attacks on the everyday conveniences we rely on have required physical tampering, mostly because the underlying infrastructure was not reachable from the Internet. This is about to change with the upcoming disruption caused by a future with billions of things connected to the Internet.
In this book, we will take a fascinating look into abusing the most popular IoT-based devices already available in the market. We will take a look at how a simple attack can cause a perpetual blackout targeting LED lightbulbs, how bad security decisions have grossly violated the physical safety and privacy of families, and how the insecurity of powerful electric vehicles can put your life at risk.
The goal of this book is to demonstrate tangible risk in IoT devices that we are going to depend on more and more as time progresses. Once we begin to understand the cause of actual security vulnerabilities in devices today, we will begin to set the path for a future that will help us enable these devices to securely enhance and augment our lives.
Malicious attackers are already hard at work uncovering and exploiting these security defects and they will continue to find crafty avenues to abuse their knowledge every way they can. These attackers span the spectrum of curious college students to sophisticated private and state sponsored criminal gangs that are interested in terrorizing individuals and populations. The impact of security vulnerabilities in IoT devices can lead to mass compromise of privacy and cause physical harm. The stakes are high.
Who This Book Is For
This book is for anyone who is interested in deconstructing IoT devices in the market today to find security vulnerabilities. Doing so will put you in the mindset of malicious attackers who are also busy finding ways to exploit these devices to their advantage. Once you understand the devious tactics employed by entities targeting the world of IoT, you will gain deeper insight into the tactics and psychology of attackers so you can learn to protect yourself and to help design secure IoT products.
How to Use This Book
This book is organized into the following chapters:
Chapter 1: Lights Out: Hacking Wireless Lightbulbs to Cause Sustained Blackouts
The book begins with a deep dive into the design and architecture of one of the more popular IoT products available in the market: the Philips hue personal lighting system. This chapter presents various security issues in the system, including fundamental issues such as password security and the possibility of malware abusing weak authorization mechanisms to cause sustained blackouts. We also discuss the complexity of internetworking our online spaces (such as Facebook) with IoT devices, which can lead to security issues spanning multiple platforms.

Chapter 2: Electronic Lock Picking: Abusing Door Locks to Compromise Physical Security
This chapter takes a look at the security vulnerabilities surrounding existing electronic door locks, their wireless mechanisms, and their integration with mobile devices. We also present actual case studies of attackers who have exploited these issues to conduct robberies.

Chapter 3: Assaulting the Radio Nurse: Breaching Baby Monitors and One Other Thing
Security defects in remotely controllable baby monitors are covered in this chapter. We take a look at the details of actual vulnerabilities that have been abused by attackers and show how such simple design flaws can put the safety of families at risk.

Chapter 4: Blurred Lines: When the Physical Space Meets the Virtual Space
Companies like SmartThings sell a suite of IoT devices and sensors that can be leveraged to protect the home, for example by sending a notification of a potential intruder if the main door of a home is opened after midnight. The fact that these devices use the Internet to operate has increased our dependency on network connectivity, thereby blurring the lines between our physical world and the cyber world. We take a look at the security of the SmartThings suite of products and at how it is designed to operate securely with devices from other manufacturers.

Chapter 5: The Idiot Box: Attacking Smart Televisions
Televisions today are essentially computers running powerful operating systems such as Linux. They connect to the home WiFi network and offer services such as streaming video, video conferencing, social networking, and instant messaging. This chapter studies actual vulnerabilities in Samsung-branded TVs to understand the root cause of the flaws and their potential impact on our privacy and safety.

Chapter 6: Connected Car Security Analysis: From Gas to Fully Electric
Cars are also things that are now accessible and controllable remotely. Unlike many other devices, a car's connectivity can serve important safety functions, yet a security vulnerability in it can lead to the loss of lives. This chapter studies a short-range wireless system, followed by a review of extensive research performed by leading experts in academia. We analyze and discuss features that can be found in the Tesla Model S sedan, including possible ways the security of the car can be improved.

Chapter 7: Secure Prototyping: littleBits and cloudBits
The first order of business when designing an IoT product is to create a prototype to make certain the idea is feasible, to explore alternative design concepts, and to provide specifications to build a solid business case. It is extremely important to design security into the initial prototype and into each subsequent iteration towards the final product. Security as an afterthought is bound to lead to finished products that put the security and privacy of consumers at risk. In this chapter, we prototype an SMS doorbell using the littleBits prototyping platform. The cloudBit module provides the remote wireless connectivity that lets our prototype send an SMS message to the user when the doorbell is pressed. The discussion of the prototype steps through the security issues and requirements that arise while designing it and covers important security considerations that product designers should address.

Chapter 8: Securely Enabling our Future: A Conversation on Upcoming Attack Vectors
In the next few years, our dependence on IoT devices in our lives is bound to skyrocket. In this chapter, we predict plausible attack scenarios based on our understanding of how IoT devices will serve our needs in the future.

Chapter 9: Two Scenarios: Intentions and Outcomes
In this chapter, we take a look at two different scenarios to gain a good appreciation of how people can influence security incidents. In the first scenario, we take a look at how an executive at a large corporation attempts to leverage the buzz surrounding the topic of IoT with the intention of impressing the board of directors. In the second scenario, we take a look at how an up-and-coming IoT service provider chooses to engage and respond to researchers and journalists with the intention of preserving the integrity of their business. The goal of this chapter is to illustrate that, ultimately, the consequences of security-related scenarios are heavily influenced by the intentions and actions of the people involved.
Conventions Used in This Book
The following typographical conventions are used in this book: