Tuesday, April 17, 2018

Everything is hackable

Peter posts about the lousy security of most electronic devices:
I've spoken out before against the so-called "Internet of things" in our homes.  They hold hidden dangers.
  • Frankly, I don't see any need for a "smart thermostat" that can be adjusted from my smartphone, when that means someone else can hack into it and potentially invade my privacy.
  • I think "smart security cameras" that I can operate from my smartphone, anywhere in the country, are an ideal tool for would-be burglars or home invaders, who can monitor them to select the best time to commit their crimes.
  • "Smart door locks" are an invitation to hackers to open my doors for themselves - or just leave them open for their amusement.
He then points out the example of a casino that was hacked via a network-connected thermostat in a fish tank.  I know people in the security business ("Penetration Testers", sometimes called "White Hat Hackers" who are hired by companies to test their defenses) - I've heard stories about how they have done precisely this sort of thing.  One story from around 20 years ago was how they checked into a casino hotel and went to their room.  The mini fridge had an Ethernet connection; they plugged their laptop into the network and found that they were on the main casino IT network.  It seems that someone wanted to have electronic sensors reporting when someone took a beer from the fridge for automatic billing.

My point is that this has been going on a long, long time.  It's not getting better, either: the mad rush to "Internet Enable" every device on the planet reminds me of the mad rush to put up corporate web sites in the late 1990s.  Nobody really knew why they "had" to do this, but everyone was doing it, so they had to as well.  Of course, the security wasn't an afterthought - it wasn't thought of at all.  And so there was idiocy like shopping cart applications that let you download the order form, edit the hidden price field, upload it back to the server, and buy a TV for a penny.
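The hidden-price-field trick above is easy to see in code. Here is an added illustration (not from the original post, and not any real shopping cart software): a checkout handler that trusts the price the browser sends back, beside one that looks the price up server-side, plus a small check that flags a mismatched client-supplied price as a tampering signal. The catalog, the SKUs and the sample order are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only place prices may come from.
CATALOG = {
    "tv-55": Decimal("499.00"),
    "hdmi-cable": Decimal("12.50"),
}

MAX_QTY = 100


class OrderError(ValueError):
    """Raised when a submitted order fails server-side validation."""


def checkout_vulnerable(form):
    """Late-1990s pattern: the order form carried the price in a hidden field
    and the server charged whatever came back, so whoever edits the form
    controls the total."""
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(str(item["price"])) * int(item["qty"])
    return total


def checkout_hardened(form):
    """Treat the browser as untrusted: price comes from the catalog by SKU,
    quantity is bounded, and any client-sent price is simply ignored."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so it is excluded explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderError(f"bad quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty
    return total


def price_mismatches(form):
    """Detection: compare any client-sent price with the catalog and return
    (sku, claimed, actual) for each discrepancy. On a hardened site this is
    a tampering signal to log and alert on, never a billing input."""
    found = []
    for item in form["items"]:
        sku = item.get("sku")
        if sku not in CATALOG or "price" not in item:
            continue
        try:
            claimed = Decimal(str(item["price"]))
        except InvalidOperation:
            found.append((sku, item["price"], CATALOG[sku]))
            continue
        if claimed != CATALOG[sku]:
            found.append((sku, claimed, CATALOG[sku]))
    return found


# Constructed order as it would arrive after the hidden field was edited:
# the TV really costs 499.00; the cable line is untouched.
TAMPERED_FORM = {
    "items": [
        {"sku": "tv-55", "price": "0.01", "qty": 1},
        {"sku": "hdmi-cable", "price": "12.50", "qty": 2},
    ]
}

if __name__ == "__main__":
    print("vulnerable total:", checkout_vulnerable(TAMPERED_FORM))  # 25.01
    print("hardened total:  ", checkout_hardened(TAMPERED_FORM))    # 524.00
    print("mismatches:      ", price_mismatches(TAMPERED_FORM))
```

The design point is that the server never uses a price it did not compute itself; the hidden field is at most a display convenience, and a value that disagrees with the catalog is evidence of tampering rather than something to honour.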

Now there's the "Internet Of Things" that doesn't seem to have any security at all. Everything is hackable.

So what can you do?  The best defense (as is typically the case) is good situational awareness.  When you see one of these devices, remind yourself that it almost certainly has no security built into it.  Imagine what might happen if you installed it in your house (say, a "smart" door lock that will open for anyone who knows the "open sesame" command).  Then ask yourself if the benefits are worth it to you.

For me, the answer is a resounding "no", but you know how nasty and suspicious I am.

But remember that network security is hard, even for people who are highly motivated to have good security.  Casinos have had pretty darn good security, in my experience.  They know what's at stake.  This is why they hire penetration testers, after all.  And they still get hacked through some dumb Internet Of Things device.

If it happens to them, with their experience, motivation, and security budget, what do you think will happen to you?

When you find yourself in a store looking at one of these shiny new devices and the hair on the back of your neck starts to stand up, you will know that you understand the situation precisely.

7 comments:

chris said...

Heh heh - I just posted the same story of the fish tank hack. Beware the IoT!

Rick C said...

Microsoft has a plan! They're supposedly going to ship a Linux distro of their own, aimed at IoT, and with changes that are supposed to obviate a set of common issues.

drjim said...

We recently bought a new Samsung TV set, and yup...it's "Internet Enabled!!".

The first thing I did before powering it up was to Google around and see how to disable it.

Despite all the squawking I had to put up with while walking through the setup screens, I was able to get it functional without any network connectivity.

McChuck said...

Rick - They can call it "LinuXP". It will be proprietary, of course, and any user modifications will void the warranty and the licensing agreement.

Borepatch - I love that picture! I had a copy of it hanging on my cubicle wall when I was still working security.

Jonathan H said...

I have read multiple articles about insecure medical devices; today I read a particularly worrisome one about implanted neurostimulators used for treatment of Parkinson's and other diseases. Personal information and control codes are broadcast in the clear in a strong enough signal to be picked up 20+ feet away - anybody can listen to the broadcast and pick up private medical information, and send commands altering operation of the devices with no encryption or authentication needed.

Rick C said...

MrChuck, you're still thinking in the 2000s.

Did you know you can get Ubuntu running in Windows 10? That with an X Server, you can run X apps on your desktop?

MS has been a pretty big contributor to Linux.

Borepatch said...

Jonathan, it's even worse than this. Tens of thousands of medical diagnostic machines reachable from the Internet.