ReadWriteHome is an ongoing series exploring the implications of living in connected homes.
Craig Heffner, a security researcher at Tactical Network Solutions, recalls a time when he was able to compromise the privacy of hundreds of people for a few bucks.
Determined hackers have always found ways to infiltrate devices. But now, when seemingly everything’s connected, they don’t even have to try.
At the Federal Trade Commission’s Internet of Things workshop, Heffner told listeners about a hardware vendor that promised users a cloud-storage option, but forgot to purchase one of the four domains it had registered as trusted consumer data servers. He snagged it for $9.
With this (legal) maneuver, Heffner could potentially have consumer data in the palm of his hand, all thanks to one thoughtless mistake. It’s evidence of a systemic problem with the Internet of Things and the connected home—a total lack of incentive for vendors to make their products secure.
“Consumers don’t care much about security, not really,” said Heffner. “This means that vendors don’t have much of an incentive to put time, effort and money into securing their products. They’re better off spending their money and resources on the features that consumers want.”
Security: A Matter Of Life Or Death
In late November, the FTC gathered vendors, privacy advocates, and security experts to weigh in on the emerging consumer issues that come with connected technology.
Even if consumers are lukewarm on security, the FTC is adamant about assuring it. “Companies that fail to protect consumer privacy will have to have it outsourced to the FTC,” said Chairwoman Edith Ramirez. One company, Trendnet, failed to protect its “secure” home webcams from routine hacking, so the government agency put a consent order on it—along with a mandate forcing the company to undergo biennial security assessments for the next 20 years.
Keith Marzullo, a director at the National Science Foundation, named studies in which security researchers successfully hacked connected devices. Each of these examples terrifyingly demonstrated how such hacks could lead to loss of lives.
When former Vice President Dick Cheney revealed his fear that terrorists would hack his pacemaker, some derided it as a sci-fi impossibility. But tell that to Kevin Fu, a researcher at University of Massachusetts Amherst who helped compromise one.
Supposedly, data is transferred to doctors from patients’ pacemakers across a closed system. But in 2008, Fu was part of a research team that showed the system isn’t as secure as previously thought. Not only could the researchers extract patients’ private medical information without their knowledge, but they could even discreetly reprogram the pacemaker in a way that could put the patient’s life in danger.
Today, Fu is co-director of the Medical Device Security Center, which is attempting to develop an unhackable pacemaker. The National Science Foundation determined his research to be so vital, it merits a $450,000 grant.
Marzullo also brought up a research team led by professors at the University of Washington and USCD that was able to hack into a car, with dire results. They used a computer program called CarShark, which hacked the Controller Area Network (CAN) system installed on all new cars built in the United States.
The result of their research? They determined that using just one simple OBD-II computer port, they could break into an automobile’s main computer, insert a virus that would cause the driver to get into a car accident and then erase all traces of itself immediately afterward. Among other things, ranging from silly (honking the horn remotely), to scary (shutting off the brakes completely).
It’s frightening enough without a proof of concept, but the researchers provided that, too. On their research site, the Center for Automotive Embedded Systems Security, they show exactly how they did it.
How To Hack The Connected Home
“With really big data comes really big responsibility. Internet of Things companies should be required to hardcode privacy in…”
—Edith Ramirez, FTC Chairwoman
Want to infiltrate somebody’s home using the Internet of Things? Every other month, Heffner heads a class, Embedded Device Exploitation, to show you how.
Attendees to the bimonthly Columbia, Maryland event are usually employees of consumer and security firms around the Washington area. Under Heffner’s instruction, students take routers and consumer devices—and compromise them one by one.
Heffner wouldn’t share which consumer products his students hack, but said they’re all connected home devices you can buy at the store. In the first portion of the five-day class, students learn to break, extract data from, and otherwise compromise the devices. In the second half, students come to their own rescues by troubleshooting and patching those security holes.
Class activities span both hardware and software exploitation. In one lesson, students identify and extract critical data they’ve found in the firmware.
“Students are always floored by the lack of security in these devices,” he said. “The device may say it’s secure on the box, but until you look at the code running underneath, you don’t know.”
Heffner’s class requires students to already know some of the Python and C programming languages before signing up, but he said it’s usually not very difficult to break in. Sometimes, as when Heffner bought the $9 domain, or when Forbes reporter Kashmir Hill infiltrated a stranger’s home, you don’t even have to hack a thing.
“A lot of times, you don’t need a lot of skill to find vulnerabilities in these devices,” he said. “If you look at the vulnerabilities being published, they’re not sophisticated. Usually, the vendor put a back door in the product and somebody took advantage.”
As a side effect of his occupation, Heffner has spent a lot more time than the average law abiding person thinking about ways to conduct remote home break-ins.
“If targeting a specific person, I’d start with their wireless network,” he said. “Even if their Wi-Fi network is properly secured, I can infer useful information from the encrypted traffic, such as how many devices are connected, who the devices are made by, and in some cases even the specific model and version of their wireless router. This is all useful information for mounting additional attacks.”
It’s important to think like a hacker—and to teach engineers at Internet of Things companies to do so as well—so users don’t have to. Consumers don’t care about security, he said, and they shouldn’t have to. That’s the vendor’s job. And if the vendor won’t do it, the FTC has already shown in the case of Trendnet that it’ll take action.
“With really big data comes really big responsibility,” said Ramirez. “Internet of Things companies should be required to hardcode privacy in, and shift the burden of protection off the shoulders of consumers.”
Heffner says that students sometimes leave his class wanting to disconnect all the devices in their homes. But his goal isn’t to frighten people.
“I don’t want to spread fear, uncertainty and doubt,” said Heffner. “These are things you should be afraid of, but not if you understand them. That’s one reason we do the classes. If you educate people about what they’re up against, they can make informed decisions.”
Photo of Heffner’s classroom courtesy of Tactical Network Solutions.