feature article
Subscribe Now

Teaching a Doll to Swear and Other Stories

Exploiting the Vulnerabilities of the Internet of Things

Is the Internet of Things (IoT) anything more than marketing hype – just a rebranding of M2M – or is it a force that will change the way in which organisations will operate and co-operate?  My feeling is that it is both. The hype comes from the fact that much of the more public conversation about the IoT, particularly in the general media, is still in the realms of the Internet toaster and similar consumer fripperies.

(We may not yet have a commercially available Internet toaster, but we do have both the WiFi kettle and the WiFi coffee machine. Quite why we have them I don’t know, but have them we do. The theory is that you can use your smart phone to control them, over your home WiFi network. As we shall see later, along with the swearing doll, this is may not be a totally sensible idea.)

The IoT is the result of the convergence of cheap, powerful semiconductor devices, multiple types of pervasive communications media, and massive data processing resources. Let’s look at a very simple example of a logistics company using trucks to haul freight containers. The trucks themselves will be calling home using GSM (cell phone) and GPS links. The containers will also have their positions monitored through GPS, and they will be recorded entering and leaving sites through radio readers. They may have their doors monitored as to when and where they are opened to record potential theft. All of this information will be transmitted to, and analysed by, powerful processing centres, possibly in the cloud. Individual packages within the container may also carry sensors to record temperature, humidity, and shocks. All of these are aspects of the real Internet of Things. The logistics company will also be sharing the container information with its customers, and the owners of the containers or the customers may be running their own tracking system. And at every point in this chain of information flow there are vulnerabilities and weaknesses.

At the lowest level of the logistics system, I am increasingly being sent detailed information about packages that are being delivered by courier, such as not just the day I might expect delivery, but also an estimated time. One company links me through to a map that shows where the delivery van is, with an estimate as to how long I will wait for delivery. My cell phone, the van driver’s data terminal, the courier company’s IT system, and the different communications channels are again a part of the IoT.

Other areas that are part of the IoT, which some commentators are calling the Industrial Internet of Things to get away from the IoT hype, include the utilities companies who are controlling supply and balancing demand, even remotely reading the smart meters at the consumer’s site. And this, of course, brings us to smart cities and the smart home. Throw in medical applications, not just within a medical facility, but at-home patient monitoring and medication, such as pace makers, insulin pumps and fit bands. Again we have vulnerabilities at every stage, from the end device, through the local hub and the transmission media, to the data centre, whether on-site or in the cloud.

In an attempt to produce a consistent approach to addressing these vulnerabilities, a number of companies have founded the Internet of Things Security Foundation. Set up under the auspices of Britain’s NMI, the Foundation held a plenary session on November 30th and then, on December 1st, had a one day conference on the broad topic of Security for the IoT.

The founding board includes members from Vodafone, BT, Imagination Technologies, Copper Horse Solutions, Secure Thingz, Royal Holloway University of London, Pen Test Partners, University of Bristol, and NMI. Membership is open globally to all companies & organisations concerned with building, procuring, and using IoT systems – from expert to novice.

The Foundation, like all good organisations, has a tag line, Making it safe to connect, and a mission statement:

“Our mission is to help secure the Internet of Things, in order to aid its adoption and maximise its benefits.  To do this we will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.”

Best practice for IoT security is specified as:

Authoritative: agreed by range of experts,

Specific: Guides you on what to do and not do,

Flexible: gives options to suit the needs of different players,

Appropriate: to the class of objects/services and threats,

Resilient: deals with how to maintain security when (not if!) a breach occurs.

They are starting ambitiously. The plans for 2016 include:

Publish broad industry guidelines covering:

Security “landscape”,

Mapping standards and SDOs,

Checklist for companies and developers.

Build membership and internationalise.

Start work on and publish within the year initial guidelines on:

Patching and updating constrained devices,

Security for Connected Consumer Products,

Self certification scheme process definition.

The conference covered a wide range of related topics. The most entertaining (and hair-raising) were two presentations on hacking, but you will have to wait a few minutes for those.

Beecham Research has been looking at some of the numbers being bandied around for IoT market size. A regular number that crops up is 20 billion devices, or things, by 2020 (in some cases the number is 50 billion). This, according to Robin Duke-Woolley, CEO at Beecham Research, is “pie in the sky.” He argues that, today, if you exclude phones and tablets, there are “significantly less” than 1 billion connected devices.  To reach the tens of billions is going to require growth rates in excess of 50% a year, and he can’t see a market driver for this number. Slicing and dicing the industry in multiple ways still doesn’t yield a killer app. But even the conservative rates he suggests (5 billion in 2020 at most) requires lots of devices to be built, programmed, and sold.

He gave a high-level review of the issues of security that need to be resolved if the IoT is to take off and be trusted. Vulnerability is at all levels from the data centre to the Things, and includes, but is not limited to: identity theft, denial of service attacks (which stop communication within the chain), other forms of cyber-crime, cyber-warfare, and the hacking of Things.

Hearing about hacking is always fun, and two speakers discussed their very different experiences. First up was Ken Munro of Pen Test Partners, a company that normally works with companies to assess and improve the security of their enterprise IT systems, often through penetration testing. He ran through a number of consumer products that he and others had played with, and, while the presentation was entertaining, the issues he identified were not.  Back to our kettle: it is relatively simple to remotely hack, and, while being able to drive by and steam up the owner’s windows and increase their energy bill is irritating, what is worrying is that, with a little work, and skill not beyond the ability of many coders, you are able to retrieve the WiFi network password, potentially giving you full access to the kettle owner’s email, internet traffic, and documents on their hard drive.  Ken also showed how it was possible to locate kettle owners and plot them on Google Maps. He also demonstrated hacks of coffee machines, Samsung voice-operated smart televisions (recently in the news for being always on, so any conversation is transmitted, in plain text, to a third party), a smart refrigerator, with an interface and screen that allow you to use Google, view TV, etc., and which can be cracked to reveal email traffic, a washing machine (Why do you want to remotely control your washing machine? – you have to be there to put the laundry in!) with the same vulnerabilities as the fridge, and even a complete suite of kitchen appliances with WiFi connectivity.

Then there is the internet vibrator, which you can control with your Android phone, using Bluetooth with a default password of 0000. But it also brings the wonder of tele-dildonics – the vibrator can be controlled by your significant other from a distance over the net, and the experience can be shared by video. Intercepting that traffic, or hacking stored images, could be a potential for blackmail.  But the demo that brought the best laughs – and the worst shudders – was hacking My Friend Cayla. My Friend Cayla is like iPhone’s Siri, in a doll’s shape. She connects to Wikipedia through a cell phone, to answer children’s questions, and she can tell stories, play games, and recognize images, using the stored app. Now anyone who has worked with children knows their fascination with rude words (I still remember one smart-alec on an open day persuading a teletype to print off the list of banned words for on-line conversations), so Cayla has a banned word list. However the stories she tells are stored in the Android app. With a bit of work, these can be opened and edited.  Within seconds Cayla can be swearing like a trooper. OK – just a party trick. But Cayla’s communication with the Wikipedia API is not encrypted, and an unpleasant person could easily send back inappropriate material, engage the child in conversation or overhear conversations in the same room as Cayla. Despite input from Pen Test, the manufacturer has not fixed the problem, but it still has a logo on its site that says, “Kid Safe Internet”!

Pen Test has, in fact, just issued an advisory against buying any toy that communicates over the internet, citing the cases where hackers have spoken directly to children, and also citing evidence given to the British Houses of Parliament that the security services could hack toys to monitor suspect households.

There were two lasting things from the session. One is that many of the consumer Internet-connected devices are developed by people who have never considered security – and, even if they do, are not skilled at implementing secure systems. The other is that manufacturers are reluctant to admit that issues exist and are slow at fixing them, even if they know how to.

The second hacking exploit had a totally different perspective. After hackers took over control of a Jeep, security specialists Cloudflare let their Marc Rogers loose on a Tesla Model S. He was even allowed to undo things. What he found was impressive, although not perfect, and Tesla’s reactions were also impressive.

Tesla has partitioned the electronics into two sections: one that actually controls the vehicle – such as engine controls, braking, steering etc. – and the infotainment system, which drives two displays. The LAN on the infotainment system communicates with a gateway, which then talks to the CAN bus connecting the controllers. The gateway translates between the two internal networks and accepts only legitimate requests from the LAN, which it then translates into CAN frames.  This is a very robust architecture, which could be seen as a model for vehicle designers. Even though the researchers found a number of weaknesses, these were frequently easily resolvable, and many were promptly resolved by Tesla. Each car frequently communicates wirelessly with the “Mothership” – the Tesla servers – and Tesla can send updates speedily, rather than, as with traditional cars, issue a recall for owners to go to their local dealer. Even after having had extended physical access to the car and monitoring traffic on the LAN, about all that they could do remotely was to turn off the engine. If this happened when the car was travelling at below around 5 mph, it simply stopped. Above this speed the brakes and steering continued to work, so the driver could bring the car to a safe halt.

The researchers found that, even with a strong underlying architecture, it was possible for mistakes to be made in implementation, such as using old versions of middleware with known security issues, or storing un-encrypted passwords on a memory card. Also important, as with the consumer products, is the security of the whole chain: Tesla was pretty secure, while the consumer chains were weak and vulnerable.

Securing the entire chain was a recurrent theme among the other speakers. Tim Hahn of IBM, a company with a great deal of experience in the enterprise, was very much from the top down, with Things themselves only a part of the story. He sees IoT business patterns as:

Connecting things within the Enterprise, 

Connecting things with business partners,

Connecting things with everyone,

And connecting things that impact safety critical systems.

He creates from this a risk assessment for Confidentiality, Integrity, Availability and Safety, running from medium to extra high.

There was a lot more in the day, with speakers from a range of organisations, and video of the whole conference will be available on-line early in 2016 from http://iotsecurityfoundation.org – it is worth watching, as there is a ton of detailed information on there.

A quote that filled me with fear was, “Gartner predicts that 50% of IoT solutions will originate in start-ups that are less than 3 years old.”  Jessica Rushworth, Director Government Engagement and Policy, Digital Catapult.

There may be some people in these companies who have in-depth experience, but on the evidence of the consumer devices, (and see Bryon Moyer’s rant about people building web interfaces without using any of the hard won knowledge of software development over the years, but the vast majority of the Things will be implemented by people who have recently learned to code. Many will have learned in an environment like this coding academy in London:

The survivors sit at long banks of screens, where they are supposed to spend nine hours a day learning to program computers, although most choose to stay long into the night, practising what they have learned. They work in pairs to bounce ideas off each other and, although there is a helpdesk for those stuck on complex coding problems, there is no teacher to give instructions. The idea is to encourage self-sufficiency and the ability to muddle through with peers, as they will have to do when they reach the workplace. [source] 

Are these guys “muddling through with peers” ever going to be able to meet Bryon’s requirements to develop a sensible web site, or even understand the need to implement devices that are secure and can communicate securely?

To be honest, when I left the conference, one quotation that really stuck in my mind was from Simon Moore, CTO – Secure Thingz Ltd, “The UK Secret Intelligence Services said in 2014, ‘The Internet of Things is a slow-motion train wreck.'”

Leave a Reply

featured blogs
Aug 20, 2018
Xilinx is holding three Developer Forums later this year and registration for the two October events is now open. The US event is being held at the Fairmont Hotel in downtown San Jose on October 1-2. The Beijing event is being held at the Beijing International Hotel on Octobe...
Aug 20, 2018
'€œCircle the wagons.'€ We can find wisdom in these Pilgrim words. The majority of multi-layer printed circuit boards feature at least one, and often a few or several layers that are a ground pour. The b...
Aug 20, 2018
Last summer, I took Fridays to write about technology museums. I planned to do a series on Fridays this summer on the odd jobs that I have done in my life before I started what you might consider my real career. But then Cadence Cloud took precedence. But now it is the dog-da...
Aug 17, 2018
Samtec’s growing portfolio of high-performance Silicon-to-Silicon'„¢ Applications Solutions answer the design challenges of routing 56 Gbps signals through a system. However, finding the ideal solution in a single-click probably is an obstacle. Samtec last updated the...
Jul 30, 2018
As discussed in part 1 of this blog post, each instance of an Achronix Speedcore eFPGA in your ASIC or SoC design must be configured after the system powers up because Speedcore eFPGAs employ nonvolatile SRAM technology to store its configuration bits. The time required to pr...