EEJournal

feature article
Subscribe Now
December 14, 2018

Do This now! Before the IoT Security Tsunami Hits

“Mission Critical, but Not Impossible” says McAfee’s Lynda Grindstaff
by Steven Leibson

“There will be more than 24 billion things connected to the Internet by the year 2020,” said Linda Grindstaff, VP of Content Operations in McAfee’s Office of the CTO, who keynoted at the recent Internet of Things Device Security Summit held in Santa Clara, California. That’s more than four connected devices per person on the planet. “There will be more than 80 connected devices in a household by 2020,” she said, noting that, “all of these devices have security vulnerabilities.”

“60% of consumers are concerned about security and don’t know what to do,” concluded Grindstaff.

Then she discussed an example:

McAfee Labs’ Advanced Threat Research team uncovered a flaw in Belkin’s Wemo Insight Smart Plug. Basically, the Wemo is an IoT smart AC switch, and it has a buffer overflow bug—a very common software problem and one that’s familiar to any Microsoft Windows user.

Yes, so what? Here’s what. It’s possible to hack the WiFi-connected Wemo switch, but that’s not the real problem. Using standard Internet exploits, hackers can turn the Belkin Wemo into a network gateway and use it to gain access to your home’s entire Wi-Fi network. The Wemo can be used to access all of the other less-than-secure IoT devices on your home Wi-Fi network.

For example, your smart TV.

So what, you say. Who cares if a hacker can change the channel on my TV? You probably don’t mind if a remote hacker channel surfs at your expense. After all, they can’t watch the video. But would you mind if they activated your TV’s microphone and listened in on your conversations? How about if hackers used the Belkin Smart Plug to connect to the babycam in your nursery or the Webcam in your teenage daughter’s bedroom? Got the picture?

Let’s make a quick time jump to one of the subsequent speakers at the IoT Device Security Summit, Chowdary Yanamadala from Arm, who discussed two more IoT and near-IoT exploits. The first exploit, the famous Mirai botnet caper, nearly shut down Internet service in the northeastern US in October, 2016 through a DDoS (distributed denial of service) attack. The Mirai malware turns networked devices running Linux into remotely controlled “bots” by identifying vulnerable IoT devices and breaking into them using a table of common factory default usernames and passwords. Mirai finds vulnerable devices, logs into them, and infects them with malware.

In this particular example, the infected IoT hosts included printers, IP cameras, residential gateways, and baby monitors. All of these devices were infected with Mirai malware. The resulting DDoS attack shut down more than 70 big, globally known Web sites including Airbnb, Amazon, CNN, Comcast, DirectTV, github, HBO, Netflix, Starbucks, Twitter, Verizon, and Yelp. (OK, so who cares about Yelp?)

In all, the estimated economic damage topped $100 million.

The Great Paris Streetlight Robbery

You don’t even need the Internet to cause havoc using IoT security exploits, said Yanamadala. His second example involved the ZigBee-connected smart streetlights of Paris (France, not Kentucky or Las Vegas). This exploit took advantage of a bug in the ZigBee chip used in the streetlights. Several bugs, in fact.

The first bug was in the chip’s proximity detector. Normally, the chip is supposed to ignore factory-reset commands from transmitters farther away than 45cm. It’s tough to get that close to a streetlight on a tall pole (but you can do that with a ZigBee-equipped hacking drone, for example.) However, the ZigBee chips used in the streetlights allowed such commands from transmitters as far away as 400m. That’s nearly two orders of magnitude larger than spec. No drones needed.

Next, the hackers (actually researchers) were able to use the global security key that’s used to encrypt and authenticate new firmware for this chip, which was obtained through a side-channel attack that monitored the chip’s current consumption. This key has now been widely published, and that same key is used in every single copy of this particular ZigBee chip. So once the key had been cracked, every such chip was open to hacking.

Using these two exploits, the team could infect a random selection of Paris streetlights by forcing an OTA (over-the-air) firmware update that included code to spread the infection from one connected streetlight to the next. A chain reaction over the entire mesh network of streetlights was then possible.

And now, back to Grindstaff’s keynote.

The IoT security problem is much bigger than simply taking over an IoT device or even an IoT device class. The problem is that these devices can be hacked to broadcast almost any sort of message over the Internet, because IoT devices are connected to the Internet. That’s what put the “I” in IoT.

As the famous New Yorker cartoon said way, way back in 1993: “On the Internet, nobody knows you’re a dog.”

So what can an IoT hack do? Here’s what:

Ransomware: Once a hack gets into the home network of a corporate CEO (or other executive), the hacker may be able to use the executive’s access of a corporate network, using the hacked home network as a gateway, to cause all kinds of mischief. Lucrative mischief.

Life and Death: Grindstaff cited an example where she watched over the shoulder of one of her colleagues at McAfee as he hacked into an X-ray machine at a hospital and pulled up images of a patient’s leg. Don’t think just about X-ray machines. Think about heart-rate monitors, medical infusion pumps, and ventilators. People can die from this sort of IoT hacking. Nearly all medical equipment is going IoT as fast as possible to provide the electronic monitoring needed to stretch human medical staffs across more and more patients. This potential problem grows daily.

Fake Ads: The recent US political campaign season underscored the effects of political advertising. Hacked IoT devices can give covert access to targeted users, making the delivery of surreptitious, fake ads possible.

Social Media Scams: Don’t care about politics? Think phishing for profit instead. Same mechanism, different motive. McAffee has long known that the user is the weakest link in the security chain. Pushing phishing exploits through social media using unexpected security holes made possible by poorly secured IoT devices opens a vast new playing field for phishing scams.

Industrial Control Havoc: Once you understand the IoT security hacking threat, it takes little imagination to think of the havoc to be caused by commandeering pumps, valves, motors, chemical plants, refineries, and nuclear power plants—just to name a few.

So the threat’s real. What’s to be done?

Grindstaff had some specific recommendations for fixing the IoT security problems:

Embed security into the architecture, interfaces, and product design of IoT devices. You cannot effectively add security as an afterthought. Establish and test your basic security assumptions. Ask:

    • How do you protect data?
    • How do you compartmentalize data and code so that data cannot behave like code? So that code cannot be modified like data?
    • How do you authenticate users? (Two-factor authentication is best.)
    • How can you get IoT devices to work together collectively as a secure system/network?
    • How do you secure the IoT device, its network, and the cloud to which it’s connected in a chain of trust?
    • How can you secure legacy devices that don’t have security or have security added as an afterthought?

Do not allow default passwords, for reasons that should be obvious from the discussions above. (Want to see how easy it is to get default passwords? Try www.shodan.io. It will give you plenty of real, IoT default passwords in current use.)

Require patches and upgrades to be encrypted and signed.

Allow only approved software to run on IoT devices.

Authenticate owners and allow only authenticated owners to set limits on data and privacy policies.

Automatically install signed security updates during IoT device provisioning.

Provide advanced configuration and reset capabilities. If an IoT device or its network detects an intrusion attempt, initiate a factory reset to block the hack from the system.

My opinion is this: Grindstaff’s advice is fine, as far as it goes, but it requires all of us to become network engineers and to memorize hundreds of new IoT passwords. I’m pretty sure that it’s not going to work the way Grindstaff described things. Allow me to provide one personal example as positive proof:

I have a friend living in my condo. He installed a Nest IoT thermostat a while ago so that he wouldn’t need to get up all the time to change the temperature setting on thermostat. No, he’s not lazy. He doesn’t walk well, so getting up is a real problem for him. Shortly after the Nest thermostat was installed, it turned the heating system on full blast in the middle of summer. My friend could not shut the system down and was in danger of dehydrating from the heat when he called me.

After all, I’m an electrical engineer with more than a passing familiarity with things Internet. How hard could it be?

I went down to his condo to help.

The Nest thermostat’s built-in user interface was completely unresponsive. Clearly, I needed to access it over its Wi-Fi connection through the app on my neighbor’s cellphone, so the first thing I needed was the password. After all, you can’t let just anyone control an IoT thermostat.

I didn’t know the password, of course, because I hadn’t installed the thermostat. My neighbor, in his agitated, partially dehydrated state couldn’t remember the thermostat’s password either. In this case, the emergency shutoff was the furnace’s circuit breaker. The next step was to call the person who’d installed the thermostat. He had the password and fixed the thermostat a day later.

That’s just an example of one household IoT device. Maybe it’s an extreme example, but it really did happen to me (actually to my neighbor).

Now recall Grindstaff’s prediction at the beginning of her keynote:

“There will be more than 80 connected devices in a household by 2020.”

Think of my neighbor’s experience times 80. A tsunami of IoT security disaster awaits us all.

Need help? (Hint: Yes, you do.) Try McAfee’s Solution Brief: “Secure IoT Devices to Protect Against Attacks.”

Leave a Reply

featured blogs
Cadence Reunites with WITU to Empower Young Women
Apr 25, 2024
Cadence's seven -year partnership with'¯ Team4Tech '¯has given our employees unique opportunities to harness the power of technology and engage in a three -month philanthropic project to improve the livelihood of communities in need. In Fall 2023, this partnership allowed C...
More from Cadence...
Synopsys and Multibeam Accelerate Innovation with First Production-Ready E-Beam Lithography System
Apr 24, 2024
Learn about maskless electron beam lithography and see how Multibeam's industry-first e-beam semiconductor lithography system leverages Synopsys software.The post Synopsys and Multibeam Accelerate Innovation with First Production-Ready E-Beam Lithography System appeared fir...
More from Synopsys...
One Robotic Step Closer to Humanoid Robots in the Home
Apr 18, 2024
Are you ready for a revolution in robotic technology (as opposed to a robotic revolution, of course)?...
More from Max's Cool Beans...

featured video

How MediaTek Optimizes SI Design with Cadence Optimality Explorer and Clarity 3D Solver

Sponsored by Cadence Design Systems

In the era of 5G/6G communication, signal integrity (SI) design considerations are important in high-speed interface design. MediaTek’s design process usually relies on human intuition, but with Cadence’s Optimality Intelligent System Explorer and Clarity 3D Solver, they’ve increased design productivity by 75X. The Optimality Explorer’s AI technology not only improves productivity, but also provides helpful insights and answers.

Learn how MediaTek uses Cadence tools in SI design

featured paper

Designing Robust 5G Power Amplifiers for the Real World

Sponsored by Keysight

Simulating 5G power amplifier (PA) designs at the component and system levels with authentic modulation and high-fidelity behavioral models increases predictability, lowers risk, and shrinks schedules. Simulation software enables multi-technology layout and multi-domain analysis, evaluating the impacts of 5G PA design choices while delivering accurate results in a single virtual workspace. This application note delves into how authentic modulation enhances predictability and performance in 5G millimeter-wave systems.

Download now to revolutionize your design process.

featured chalk talk

E-Mobility - Charging Stations & Wallboxes AC or DC Charging?
Sponsored by Mouser Electronics and Würth Elektronik
In this episode of Chalk Talk, Amelia Dalton and Andreas Nadler from Würth Elektronik investigate e-mobility charging stations and wallboxes. We take a closer look at the benefits, components, and functions of AC and DC wallboxes and charging stations. They also examine the role that DC link capacitors play in power conversion and how Würth Elektronik can help you create your next AC and DC wallbox or charging station design.
Click here for more information about Würth Elektronik Automotive Products
Jul 12, 2023
32,780 views