Make your IoT device safer: let’s hack it!
IoT Security Blog Series
From industrial systems to smart home devices: the Internet of Things (IoT) is showing massive growth. So is the amount of news about security breaches. Applying security by design and having everything that is connected to the internet checked by ethical hackers can help organizations improve their security. This, in turn, can help them stand out in this stormy market. This is part one of our blog series on security issues surrounding IoT: let’s hack your IoT device.
By Jilles Groenendijk and Dominika Rusek
The rise of IoT
In January, Gartner predicted 8.4 billion IoT devices to be in use by the end of this year, a 30 percent increase from 2016. In 2020, that number will be over 20 billion. Improving home comfort, business processes, providing entertainment for children and adults, and measuring everything that is measurable are only a few of the numerous applications of devices connected to the internet.
Manufacturers continue to develop new applications and bring them to this interesting market, and slowly but surely we are seeing growing attention for the security of IoT devices. This is not only motivated by media coverage of security breaches and growing consumer awareness, but also by GDPR, Europe’s new regulatory framework for data, coming into force in May 2018. A more positive motivation might be that an IoT device that has been tested and found safe can stand out in the stormy and competitive IoT market, now that consumers are also becoming more critical regarding the devices they use.
An important problem is that most of the time the same vulnerabilities found in one IoT device can be exploited in other devices that are brought to market, thereby allowing access to private data in the networks of the households or companies using that device. To find those vulnerabilities before malicious hackers do, you need to be able to think like a hacker. Not every company has that knowledge in-house.
We help organizations carefully check the security of the device they want to bring to market. As ethical hackers with up-to-date hacking knowledge, we know where to find vulnerabilities.
To stay fully informed of the developments happening in the area of IoT, we constantly improve our methods. We recently developed a complete work program for testing devices that use the ZigBee protocol, which is nowadays one of the most popular wireless protocols for IoT applications. The advantages of this protocol over WiFi and Bluetooth are that ZigBee is low power and low cost with a range of 10 to 100 meters, which makes it suitable for devices in smart homes and smart buildings (such as light bulbs, sensors and switches). On top of that, ZigBee is capable of forming a mesh network, which provides the flexibility to accommodate interference in the radio path, because data packets have multiple paths to reach their destination. Such networks can also grow in size and cover greater physical distances.
But like any protocol, it has its flaws. That is why a thorough security assessment of your ZigBee device is very important before marketing it. In our ZigBee work program, we assess the use of the protocol in several steps.
ZigBee uses AES 128-bit encryption to ensure confidentiality and integrity of data. However, the devil is in the details: good security depends not only on protocol design but also on proper protocol implementation. One step in the work program is verifying whether a device uses default keys, or shares keys over the air (OTA) in plaintext. In some cases, analysis of firmware and hardware is needed to exploit the protocol; hence it is also included in the work program.
There are several pen testing tools to assess the security of ZigBee, but in our work program we use the KillerBee framework, due to the large number of attack vectors that it provides.
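As an added illustration of the "keys shared over the air in plaintext" check described above (example code written for this post, not part of our work program or of KillerBee), the script below walks a capture of ZigBee NWK frames and flags frames that have NWK security disabled and, worse, a Transport-Key command that is not protected at the APS layer either. The sample frames are constructed, and the header layout and constants are our reading of the NWK/APS frame formats, simplified to the fields the check needs.

```python
import struct
from typing import List, Tuple

# Constructed sample frames (not real captures). Layout assumed here, following
# the ZigBee NWK/APS header layout as we understand it:
#   NWK: frame control (2 bytes, little-endian) | dst (2) | src (2) | radius (1) | seq (1) | payload
#        frame control bits 0-1 = frame type (0 = data), bit 9 = NWK security enabled
#   APS command frame (inside an unsecured NWK data frame):
#        frame control (1) | APS counter (1) | command id (1) | command payload
#        frame control bits 0-1 = frame type (1 = command), bit 5 = APS security
NWK_TYPE_MASK = 0x03
NWK_TYPE_DATA = 0x00
NWK_SECURITY_BIT = 1 << 9
APS_TYPE_MASK = 0x03
APS_TYPE_COMMAND = 0x01
APS_SECURITY_BIT = 1 << 5
APS_CMD_TRANSPORT_KEY = 0x05   # carries a network/link key to another device

Finding = Tuple[int, int, str]  # (NWK sequence number, NWK source address, issue)

def audit_frame(frame: bytes) -> List[Finding]:
    """Flag an unsecured NWK frame and, worse, a key transported in the clear."""
    fc, _dst, src, _radius, seq = struct.unpack_from("<HHHBB", frame, 0)
    payload = frame[8:]
    findings: List[Finding] = []
    if not fc & NWK_SECURITY_BIT:
        findings.append((seq, src, "NWK security disabled"))
        # With NWK security off the APS layer is readable; look for a Transport-Key
        # command that is not protected at the APS layer either.
        if (fc & NWK_TYPE_MASK) == NWK_TYPE_DATA and len(payload) >= 3:
            aps_fc = payload[0]
            if ((aps_fc & APS_TYPE_MASK) == APS_TYPE_COMMAND
                    and not aps_fc & APS_SECURITY_BIT
                    and payload[2] == APS_CMD_TRANSPORT_KEY):
                findings.append((seq, src, "Transport-Key command sent in plaintext"))
    return findings

def audit_capture(frames: List[bytes]) -> List[Finding]:
    return [f for frame in frames for f in audit_frame(frame)]

# Constructed frames: fc 0x0208 = data frame, protocol v2, NWK security on;
# fc 0x0008 = the same with security off.
SAMPLE_CAPTURE = [
    struct.pack("<HHHBB", 0x0208, 0x0001, 0x1234, 30, 1) + b"\xaa\xbb\xcc\xdd",  # ciphertext
    struct.pack("<HHHBB", 0x0008, 0x0001, 0x5678, 30, 2) + b"\x00\x10\x04\x00",  # plaintext data
    struct.pack("<HHHBB", 0x0008, 0x5678, 0x0000, 30, 3)
        + bytes([0x01, 0x07, APS_CMD_TRANSPORT_KEY, 0x01]) + bytes(16),          # key in the clear
]

if __name__ == "__main__":
    for seq, src, issue in audit_capture(SAMPLE_CAPTURE):
        print(f"seq={seq} src=0x{src:04x}: {issue}")
```

A device whose join produces the third kind of frame in a capture of its own network hands its network key to anyone listening, which is exactly what the work program step is meant to catch before the product ships.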
As mentioned before, testing the hardware is also part of the ZigBee work program. In our cyber security workshop in The Hague, we have all the tools to fully deconstruct any IoT device and check all its components.
We always start with an inspection of the outside. How is the device closed? Which connectors does it have? Can it be serviced from the outside? What kind of screws are used, and what kind of tools do you need to remove these screws? The easier it is to open the device and the more connectors it has, the easier it is for hackers to gain entrance to the device. On the other hand, if the small computer in an IoT device is encased in epoxy resin, it is safe, but it can’t be serviced or updated anymore.
After the outside, we check the inside. We test all the components on the circuit board, and try to find out what they do exactly. We connect the device to our computer to see how the software on the device works and if it contains any vulnerabilities. How secure are the passwords? Do we see problems in the source code?
Think like a hacker
The essence of our work is to think like a hacker, and to update our knowledge constantly. Hackers are creative and persistent, and capable of hacking almost any device given enough time. Recently, Jilles visited a hackers’ convention where someone explained how he found a liquid solution, a very dangerous one, to dissolve the housing of a chip and that way obtained certain codes. It is a simple but good example of how far hackers go to find weaknesses in devices.
After our thorough analyses of the IoT device to find its weak spots, we report our observations and help our clients to implement countermeasures. We help them to find a balance between making their devices as hacker proof as possible while still functioning as they are supposed to function, and being able to respond quickly in case of any breaches.
No matter what the results of our tests are, our advice to our clients is always to implement security by design upfront: to implement security in the core of the development process instead of making it an adjustable variable at the end of that process. That will give manufacturers more assurance, and help their product stand out even more. Our next blog of this series will dive deeper into this.
For more information about IoT, please contact Dana Spataru or Jeroen Slobbe via the contact details below.