4 IoT hacks and security technologies you should not have missed this summer
Are you up-to-date?
Want to know what is going on in the IoT space? Here are the most interesting security technologies that have been demonstrated this summer. IoT is continuously making headlines and it is absolutely normal to get slightly overwhelmed with the amount of information. In this blog you will be quickly brought up to speed in case you missed a thing during the holidays: a short recap of the most interesting IoT security hacks and technologies from the summer of 2017.
By Dominika Rusek
This summer, two of the most important security conferences took place: Black Hat and Defcon. Both revolved around the topic of hardware hacking. Hardware is almost always trusted and is not commonly considered an attack surface [1]. However, a hacker named Octane [2] showed that hardware backdooring is real and introduced an open source solution to verify the security of cryptography and private computing. At Black Hat, Colin O'Flynn presented ChipWhisperer, an open source toolchain for embedded hardware security analysis. In addition, Chui Yew Leong showed Evilsploit: an automated hardware hacking process that can assist with side channel analysis (SCA) and fault injection (FI) [3]. Unsecured hardware is most likely not a big issue for your smart TV or your automatic pet feeder, but in a business context it is. Especially in combination with bad key management, unsecured hardware can be quite dangerous. If you are interested in learning more about hardware hacking, refer to our colleagues James Gratchoff and Jilles Groenendijk, who have created a crash course [4].
Countries increasingly rely on wind energy, which also increasingly draws the attention of hackers. Jason Staggs, a researcher at the University of Tulsa, spent two years investigating the security of wind farms and presented the results at Defcon. He was able to get physical access to the wind turbines, hijack their control, damage wind turbines by increasing the failure rate of mechanical components, and disrupt operations altogether. Moreover, he was even able to upload and execute malware. Some of the vulnerabilities that he exploited are preventable by simply changing default passwords or segmenting the network. And of course, remember to prevent your wind turbine from appearing on search engines for Internet-connected devices, like Shodan!
One of the latest interesting IoT inventions is a smart gun, which can only be fired by an authorized person and can therefore improve safety. But is it secure? A hacker with the pseudonym Plore has proved that it can be hacked. The findings were presented at Defcon and included bypassing the security by using magnets, jamming the gun's radio signal and creating low frequency interference. The manufacturer of the gun claims that the smart gun is meant to protect when a third person accesses the weapon and tries to use it in the heat of the moment. Meticulous preparations to hack it and use the weapon cannot be avoided, although we believe that the risk and consequences of the hack cannot even be compared to the case of the smart rifle hack [5].
For years, the car industry has been aware that it is possible to spoof the signal from a wireless car key fob to open the doors of a vehicle that uses a PKE (passive keyless entry) system and even drive away with it. However, Jun Li and his team at Black Hat 2017 presented cheaper and easier versions of this relay hack with a pair of gadgets they built for just 226 USD. The PKE system uses both low and high frequency radio links to perform two-way authentication. The relay attack tricks both the car and the key into thinking that they are in close proximity. This means that hackers are capable of unlocking your car in the parking lot and driving away with it while your key fob is in your pocket. Such an attack can be prevented by requiring tighter timing constraints in the call-and-response communications between key and car. Another countermeasure is entirely up to you: keep your keys in a Faraday cage wallet that blocks radio transmissions.
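The timing countermeasure described above can be illustrated with a small model, added here as an example and not taken from the Black Hat talk or any manufacturer's implementation. It simulates round-trip times instead of measuring radio, and the key, distances, processing time and tolerance are constructed values.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond

def rtt_limit_ns(max_distance_m, fob_processing_ns, tolerance_ns):
    """Longest round trip a fob within max_distance_m could produce."""
    return 2 * max_distance_m / C_M_PER_NS + fob_processing_ns + tolerance_ns

def fob_respond(key, challenge):
    """Fob side: prove knowledge of the shared key for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def car_verify(key, challenge, response, rtt_ns, limit_ns):
    """Car side: the response must be correct AND arrive within the bound."""
    if not hmac.compare_digest(fob_respond(key, challenge), response):
        return "reject: wrong response"
    if rtt_ns > limit_ns:
        return "reject: response too slow"
    return "accept"

def exchange(car_key, fob_key, path_m, added_ns, limit_ns, processing_ns=1000.0):
    """Model one exchange: path_m is the one-way radio path, added_ns is relay latency."""
    challenge = os.urandom(16)  # fresh per attempt, so old answers cannot be replayed
    response = fob_respond(fob_key, challenge)
    rtt_ns = 2 * path_m / C_M_PER_NS + processing_ns + added_ns
    return car_verify(car_key, challenge, response, rtt_ns, limit_ns)

# Constructed values: 2 m unlock range, fixed 1000 ns fob processing, 5 ns tolerance.
KEY = b"constructed-demo-key"
TIGHT = rtt_limit_ns(2.0, 1000.0, 5.0)  # about 1018 ns
LOOSE = 5_000_000.0                     # a 5 ms protocol timeout with no distance bound

def run_cases():
    """Compare a loose timeout with a tight bound for a nearby and a relayed fob."""
    return {
        "owner at 1 m, tight bound": exchange(KEY, KEY, 1.0, 0.0, TIGHT),
        "relayed over 50 m, loose bound": exchange(KEY, KEY, 50.0, 200.0, LOOSE),
        "relayed over 50 m, tight bound": exchange(KEY, KEY, 50.0, 200.0, TIGHT),
        "zero-latency relay, tight bound": exchange(KEY, KEY, 50.0, 0.0, TIGHT),
        "wrong key at 1 m": exchange(KEY, b"other-key", 1.0, 0.0, TIGHT),
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```

The cryptographic check passes in every relayed case because the relay forwards a genuine response; only the time bound separates a nearby fob from a distant one, and it only works if the fob's processing time is predictable to within the tolerance.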
As it turns out, quite a few new hacks and tools were introduced this summer. The importance of hardware security is increasing, which is reflected by the number of tools being developed. An interesting point is that physical access plays a big role in most of the hacks, from smart guns and hardware to wind turbines. However, not all hacks are entirely relevant for businesses or impact the way they operate. For instance, the smart gun hack will not disturb the production line, while the wind turbine hacks can have painful consequences. Although more tools for attacking IoT devices are entering the market, innovating in general is a way forward as it benefits businesses. Businesses can be vigilant by monitoring hacker conferences, testing, reaching out to academia and anticipating new trends. We advise companies to test newly developed IoT devices for security weaknesses, for example with the OWASP IoT top 10 as a baseline [7]. For some more tips, check out the video below.