This episode of At The Edge is made possible by the generosity of our sponsor, Edgescan.
In this episode of At The Edge, Sean Martin is joined by Arthur Hicken, Chief Evangelist at Parasoft and the information security professional affectionately known in the industry as the "Code Curmudgeon".
Arthur manages a site called the IoT Hall-of-Shame where he captures stories of devices and other 'things' — everything from light bulbs to cars — that have, at some point, hit the news for being identified as vulnerable and/or hacked. If it's a smart thing connected to the Internet, it’s probably on Arthur’s list.
To give us a sense of what he’s seen so far this year, Arthur runs through the top 10 entries for the second half of 2018. He gives us a view into connected device vulnerabilities ranging from cameras to medical devices and from teddy bears to musical instruments. There are a few honorable mentions as well, and you might be surprised to hear what he's uncovered during his research.
Surprised or not, it’s important to remember that it's not just the manufacturer’s responsibility; we as consumers have a huge role to play in ensuring that security and privacy are being considered when these devices are being purchased, installed, and used.
While other publications may write that "Your IoT Security Concerns Are Stupid" you might have a different opinion once you hear Arthur tell his IoT Hall-of-Shame tales.
Listen and enjoy!
The Top 10
10. X-Ray Machines
Attacks on x-ray machines, MRI scanners and other imaging equipment are still in the investigative phase, but the risks are clear: data theft, and a toehold from which to attack the rest of the hospital network. WannaCry ransomware hit hospitals and in some cases affected radiology equipment, spreading with exploit tools that originated at the NSA. Somewhere in here there's a good discussion to be had about the NSA's charter when it finds vulnerabilities.
Research found that the Sony camera updater software requires admin access, so an attacker who can tamper with it can make it do all kinds of nasty things. The latest Apple operating system, High Sierra, broke the Sony update program because of its security fixes. Instead of making the updater secure, Sony posted a video on how to give the program greater access. This is the opposite of a good fix. This is the same Sony that had the multiple PlayStation hacks. I love their cameras, but hate their security posture. Scary: you don't think about this stuff, but you still need (and want) to keep the firmware updated!
A video on the Internet shows how to unlock a door after the expected "one-time" code has already been used. This is just a bad idea. A second hack showed how to disable the built-in camera on the device. Should we call them "home insecurity devices"? Be careful about home IoT adoption; at the moment I wouldn't recommend using IoT locks without asking some VERY serious questions about the product.
7. Smart Meters
Smart meters on homes are vulnerable to cyber attacks. In theory, no personal data is at stake here, although usage metadata can suggest things. But bad actors can falsify billing so that a customer pays extra, with the criminal walking away with the surplus cash. If you don't have one on your home yet, you will soon. Again, this is a case of IoT convenience that comes with risk.
More ongoing problems with medical devices. People can hack into pacemakers and defibrillators and turn them off. Pacemaker manufacturers seem not to have done what's necessary to secure these devices. I was at a medical conference and there is still some belief in "security through obscurity," but hackers will figure out what the protocol is and how it works. RF isn't some kind of magic. I don't think this one is going away.
This is the first time for musical instruments in my Hall of Shame. This guitar amp uses Bluetooth but NO pairing security. Many devices have Bluetooth and Wi-Fi now, which is VERY convenient for users, but an open door for attackers. By the way, lots of devices do the same and it's shameful. Have fun and ruin a friend's gig.
Ugh, back doors. "Flaws" allow unrestricted root access and remote access to data, using "mydlinkBRionyg" as the administrator username and "abc12345cba" as the password. Pay attention to sourcing: backdoors have appeared in everything from phones to routers to drives. And just don't allow remote access on your devices, not on drives, not on routers, not on anything else. Use them only within the home, or use a reputable cloud service.
3. Gas Pumps
Malware is used to trick customers into paying more — and losing up to 7% of the fuel they thought they bought. Again, this is like ATMs using malicious programs — and this is in addition to the usual skimmers, fake keypads, etc.
2. ATM Machines (again)
Criminals use physical access to load malware onto the ATM. A cyber alert was issued, similar to one from last year. It's the same basic problem: ATMs that don't have physical authentication can be attacked. It's not just about taking money out; it's also about capturing card data, like other skimmers.
DEF CON reported on how to attack this smart teddy bear. The Teddy Ruxpin is a smart toy that reads stories to kids (originally from cassette tapes back in the '80s, and updated in 2017 to include Bluetooth connectivity and a mobile application). This is a cautionary tale about IoT and its safety around children, as well as the dangers of Bluetooth and other protocols in IoT.
Hackers were able to change traffic lights and cause problems. One report a couple of years ago said that about half of Internet-enabled traffic lights had no security! A few minutes on Shodan (the world’s first search engine for Internet-connected devices) and you can check for yourself. But don't do anything bad! It reminds me of the movie "Italian Job" — the remake, that is. They made a huge deal out of how the hacker was able to control the lights. Turns out all he had to do was log on to Shodan, look up the lights, and then change them. It's not that the security is bad, it's that it doesn't exist.
40 models of cheap Android smartphones had banking malware pre-installed. How convenient! Beware of cheap devices — especially from places like China. Maybe skip that cheapo knockoff phone and buy an older model from a reputable company.
GPS and other systems were exploited to subvert navigation. The same kind of attacks can be and are applied to other things like cars and drones. It's really a navigation attack rather than a ship attack, but it's easier to confuse a ship: there are no road signs in the ocean. At least I don't think there are….
Various Web-Based Cameras
People hack into a bunch of web-based cameras and take the video feed from them. This is a GDPR issue, obviously. It's most scary in the home, especially with children's toys and baby monitors, but it applies to public cameras as well.
About Arthur "Code Curmudgeon" Hicken
Arthur Hicken is Evangelist at Parasoft where he has been involved in automating various software development and testing practices for over 25 years.
He has worked on projects including cybersecurity, database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems, and he maintains the IoT Hall-of-Shame.