Nitesh Dhanjani - Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts

Chapter 1: Lights Out: Hacking Wireless Lightbulbs to Cause Sustained Blackouts The book begins with a deep dive into the design and architecture of one of the more popular IoT products available in the market: the Philips hue personal lighting system. This chapter presents various security issues for the system, including fundamental issues such as password security and the possibility of malware abusing weak authorization mechanisms to cause sustained blackouts. We also discuss the complexity of internetworking our online spaces (such as Facebook) with IoT devices, which can lead to security issues spanning multiple platforms. Chapter 2: Electronic Lock Picking: Abusing Door Locks to Compromise Physical Security This chapter takes a look at the security vulnerabilities surrounding existing electronic door locks, their wireless mechanisms, and their integration with mobile devices. We also present actual case studies of attackers that have exploited these issues to conduct robberies. Chapter 3: Assaulting the Radio Nurse: Breaching Baby Monitors and One Other Thing Security defects in remotely controllable baby monitors are covered in this chapter. We take a look at details of actual vulnerabilities that have been abused by attackers and show how such simple design flaws can put the safety of families at risk. Chapter 4: Blurred Lines: When the Physical Space Meets the Virtual Space Companies like SmartThings sell a suite of IoT devices and sensors that can be leveraged to protect the home, such as receiving a notification of a potential intruder if the main door of a home is opened after midnight. The fact that these devices use the Internet to operate has increased our dependency on network connectivity, thereby blurring the lines between our physical world and the cyber world. We take a look at the security of the SmartThings suite of products and also how it is designed to securely operate with devices from other manufacturers. Chapter 5: The Idiot Box: Attacking Smart Televisions Televisions today are essentially computers running powerful operating systems such as Linux. They connect to the home WiFi and include services such as watching streaming video, video conferencing, social networking, and instant messaging. This chapter studies actual vulnerabilities in SamSung branded TVs to understand the root cause of the flaws and the potential impact to our privacy and safety. Chapter 6: Connected Car Security Analysis: From Gas to Fully Electric Cars are also things that are now accessible and controllable remotely. Unlike many other devices, the interconnectedness of the car can serve important safety functionality, yet security vulnerability can lead to the loss of lives. This chapter studies a low-range wireless system, followed by a review of extensive research performed by leading experts in academia. We analyze and discuss features that can be found in the Tesla Model S sedan, including possible ways the security of the car can be improved. Chapter 7: Secure Protyping: littleBits and cloudBits The first order of business when desiging an IoT product is to create a prototype to make certain the idea is feasible, to explore alternative design concepts, and to provide specifications to build a solid business case. It becomes extremely important to design security in the initial prototype and subsequent iterations towards the final product. Security as an afterthought is bound to lead to finished products that put the security and privacy of the consumers at risk. In this chapter, we prototype an SMS doorbell that uses the littleBits prototyping platform. The cloudBit module helps us provide remote wireless connectivity that allows us to prototype our IoT idea to send an SMS message to the user when the doorbell is pressed. Discussion of the prototype steps through security issues and requirements upon desiging the protype and discuss important security considerations that should be addressed by product designers. Chapter 8: Securely Enabling our Future: A Conversation on Upcoming Attack Vectors In the next few years, our dependance on IoT devices in our lives is bound to skyrocket. In this chapter, we will predict plausable scenarios of attacks based upon our understanding of how IoT devices will serve our needs in the future. Chapter 9: Two Scenarios: Intentions and Outcomes In this chapter, we will take a look at two different scenarios to gain a good appreciation of how people can influence security incidents. In the first scenario, we will take a look at how an executive at a large corporation attempts to leverage the buzz surrounding the topic of IoT with the intention that it will impress the board of directors. In the second scenario, we will take a look at how an up and coming IoT service provider chooses to engage and respond to researchers and journalists with the intention of preserving the integrity of their business. The goal of this chapter is to illustrate that, ultimately, the consequences of security related scenarios are heavily influenced by the intentions and actions of the people involved.