The headlines are swimming with stories about the security challenges surrounding the Internet of Things. For many, though, it’s still an amorphous concept, with a bewildering array of device categories, connected in staggering numbers. This October, SecTor and Tripwire will help people get to grips with it.
For several years now, SecTor has provided a lock pick village, where attendees can spend time testing different locks, and understanding what makes them insecure. This year, the management team decided to expand this idea, and has created an IoT Village.
Operated by the Vulnerability and Exposure Research Team (VERT) at security vendor Tripwire, the IoT village will include tables with several IoT devices, along with reconnaissance tools that can be used to explore them, and some presentations designed to guide people along the way.
Attendees can expect to play with IP cameras, routers, fitness wearables, network attached storage boxes, and even Wi-Fi photo frames, not to mention the odd Smart TV. They will be taught to probe inside the devices using tools including WiFi Pineapple, Ubertooth and Binwalk, explained security researcher Craig Young, a VERT member who will be present at the event.
‘We’ll also go through presentations explaining not only how to extract the firmware, but what to do after that point, what you’re looking for in the extracted firmware and how we can use the information from the firmware to interact with the device,’ he said.
Attendees will also learn how to how to explore and find vulnerabilities in systems when they don’t have access to a firmware image.
Political interest
The IoT village will be a timely addition to the SecTor conference this October. In the US, Congressional leaders formed a bipartisan Internet of Things Caucus in January.
One inspiration for this initiative would have been the National Security Telecommunications Advisory Committee, which published a report last November, advising President Obama of a ‘small – and rapidly closing – window’ to choke off security loopholes in this new technology. ‘If the country fails to do so, it will be coping with the consequences for generations,’ the report added.
What kinds of vulnerabilities and exploits are we talking about? SecTor speakers have covered this in the past – check out the video of this presentation by Mark Stanislav and Zach Lanier, for example. More than six months on, Tripwire has its own worries about IoT security.
‘The risks are distinct between the home and the enterprise environment,’ Young said, singling out smart TVs in conference rooms as an example of an enterprise security issue.
‘A lot of these smart TVs are equipped with teleconferencing equipment for using Skype. If someone is able to start breaching those TVs that are connected to your enterprise network, they may be able to start listening to discussions going on in your boardroom.’
Connected devices could also be used to gain footholds into the rest of the corporate network.
At home, IoT devices could be co-opted to a botnet, or used as a leaping off point to attack home computers containing sensitive details, he added. And there are new privacy and security concerns, too, particularly in the area of home automation hubs, where Tripwire has found several vulnerabilities.
‘If you have cameras in your home you certainly don’t want random strangers to start watching through that camera,’ he said (although many unwitting users make it easy to do that without any firmware hacks at all).
‘If there’s a sophisticated thief, you don’t want them driving to your neighbourhood, unlocking your door through your home automation controller, and recognizing from your motion sensors when you’re home and when you’re not so that they can come in and rob you,’ added Young.
Taming many different beasts
The problem with the Internet of things is that there are just so many different things in it, of many different types. Estimates of the number of IoT-connected devices deployed by 2020 bounce between around 25 billion and double that, depending on which vendor you speak to, and what they consider IoT to be.
Whichever hand-waving vendor you believe, it’s pretty clear that the number of devices will far outpace smart phones, which will number just 2.2 billion by the end of the year, according to a report by the GSMA.
Managing security standards, let alone interoperability, amid this vast constellation of different device types and vendors, is going to be an exercise in cat herding. No wonder political leaders are starting to worry; technology experts have been fretting about it for years. So what can we do about it?
Typically, at this point someone raises the concept of security by design. ‘Security should be built into the DNA of the product,’ they say, rather than an afterthought. But if that is difficult enough to do with more monolithic product categories, with fewer variations in model and operating system, the IoT presents an even bigger challenge.
Walking the supply chain
The key may be to traverse the supply chain, argues Young, targeting the vendors that make key components, such as communications chips and boards.
‘If there’s one thing I learned from working with routers it’s that vendors like taking reference designs for boards and do as little as possible with them before shipping them out,’ he said. ‘So it’s the company making the board that will have fruitful efforts going to those vendors and helping them with their security.’
The White House could be a key ally here, as it moves toward an Underwriters Laboratories-style certification for Internet-connected consumer devices. Spokespeople have said that it will hopefully foster collaboration between private and public sector organizations to emerge with some kind of standard.
They also seem to be recruiting sensibly. Pieter Zatko (Mudge) has announced his involvement with such a project. Zatko was part of the Lopht group, which warned Senators in 1998 that the Internet was insecure and needed fixing. At the time, the US government said that it wanted to do something, but given that 17 years on as much as 7% of the US population was just compromised thanks to insecure government systems, it seems a little behind the curve.
So as we move to a new, more complex Internet, with more things, and a vastly expanded attack surface, can we learn from our past mistakes?
‘It will be interesting to see whether they are going to set up a system where they are testing products, or setting up standards and certifying bodies. It’s a problem of scale, and it’s early on the process to gauge where it’s going,’ Young concluded.
Industry watchers will monitor that process with interest. In the meantime, you can come and explore the IoT yourself at SecTor, this October 20-21. Read Tripwire’s blog post about the IoT Village here.