It’s no secret that we here at ReadWrite love the Internet of Things (IoT). This is our focus, and one of the most interesting sectors of emerging technology today. However, it’s far from perfect. Security issues have long been a concern for IoT, and a recent speaker at the Black Hat technology and security conference shed light on exactly why those concerns aren’t just prudent, they’re often justified.
When you attend Black Hat, the devices you carry with you are about as insecure as they ever could be. A lot of attendees only bring systems with them that are sterile of private information and easily formatted afterwards. Connecting to a public network here is about as advisable as playing Marco Polo in a pool of sharks. Attendees carry cash instead of credit cards, notepads and pens instead of laptops, and often they even leave their driver’s license behind.
But what about IoT devices? These devices have their own software baked in and, by design, give their users a very limited level of control over what they connect to and how.
When Eyal Ronen, a graduate student from Israel, has spent time researching the security of Philips Hue lighting systems. During his research, he was able to build a solution that tricked Philips lights into connecting to his network instead of the one they were presently assigned. He worked out a method to circumvent the 10-20 meter range limitations for controlling these lights and control them from 20-70 meters away – long enough to send signals from a passing car or drone.
— Max Eddy (@wmaxeddy) August 4, 2016
He demonstrated this vulnerability during a session he presented at during Black Hat. His demonstration involved controlling a couple lamps located just off stage, but it offered attendees insight into just how easy it is to circumvent the security of some IoT devices.
The impact of an insecure IoT
The IoT is data driven. Information is continuously being shared between devices and most of them are doing this in a way that the human users never actually see on a screen. When our desktop computers are hijacked and become part of a bot net used by spammers and DDoS attackers, the evidence of this can be exceedingly difficult to identify.
If an IoT device is compromised, how would we know, and how would we be able to correct it? What would you do if your smart oven suddenly started sending spam on behalf of a scammer? These are problems that could cause a lot more heartache than light bulb flickering or baby monitor hijacking.
That doesn’t even take into account the possible implications of a smart door lock or a surveillance camera being hacked. Medical equipment is another big security concern, especially if malicious code running on the device(s) results in inaccurate measurements and/or action.
So, what does this mean for us? For one, it means that the Internet of Things still has some growing to do. For all intents and purposes, IoT solutions are in their infancy and have yet to be thoroughly tested.
Back in May, we published a two-part piece on the sorry state of IoT security. From this demonstration out of Black Hat, it’s clear that we still have a ways to go before we can fully immerse ourselves in a world of connected everything.