Since 2009, there has been a greater number of things connected to the Internet than the number of people using them. However, there appeared a doubt whether the devices of the Internet of Things are secure.
This August the smart fridge hack was demonstrated at the annual DefCon security conference in Las Vegas, at the IOT Village sessions hosted by Independent Security Evaluators (ISE).
According to a group of researchers, a hack known as “man in the middle” on a Samsung Smart Refrigerator would allow an attacker to read user’s e-mail, maybe even reset password and then potentially steal his/her identity.
Ted Harrington, an executive partner with the Baltimore-based security company, decided to host the event since he had a theory that the hacker story may be a part of the true security problem.
“We wanted to confirm or undermine the hypothesis that security vulnerabilities in connected devices are systemic. To see if the security problems exist across multiple devices, that there’s no particular manufacturer who’s bad,” Harrington said.
The researchers found some other hack cases. For instance, a Philips video baby monitor had back-door credentials that let hackers view the live feed. Besides, it turned out that a Smarthings Motion Sensor security system can be remotely turned off, allowing access to a room “secured” against intruders. Another case is that the Samsung Smartcam security can be blocked so the owner can’t access it. Furthermore, two separate digital door locks from Yale and Smartlock could be hijacked.
A vulnerability of the popular Parrot AR quadcopter flying drone gained a lot of attention during DefCon:
“At the village, a guy approached me, he’s got this drone, and he was very excited,” said Sam Levin, a developer at ISE who worked its IoT event. “He had a laptop, he issued a command from a command prompt … it killed the drone in mid-flight. It dropped like a stone.”
Ryan Satterfield, Information Security Auditor & Founder of security company Planet Zuda, attempted to contact Parrot and had luck with that. Even though the company has issued a patch, Satterfield is still doing research on other vulnerabilities he discovered.
“There are rules in place that the FAA [Federal Aviation Administration] can use against planes that are insecure, but have yet been applied to drones,” he said. “I hope to see the FAA take the same stern fist that they have toward plane security and apply it to drone security so companies will have an incentive to make their products more secure.”
Harrington wants the government and manufacturers to regulate the way they build connected devices before the country reaches the point of no return on security.
“By 2020, we’re going to have 50 billion connected devices, it’s an astronomical number, according to some estimates. Right now consumers concerned with the risks of IoT can opt not to buy, but that may not be an option in the near future.” Harrington stated.
Even though researchers proved that they could remotely hijack Jeep and Dodge vehicles with built-in LTE cellular connections, the auto industry is still planning to introduce more cars with them. In September, GM chief executive officer Mary Barra bragged that the company already has one million connected cars on the road in the US, far outpacing rivals.
“I don’t think we’re that far away where you won’t be able to buy a new car that doesn’t have connectivity,” Harrington warned.
A password and data manager Keeper Security considers that “IoT devices are built quickly to get first to market, and are made for convenience rather than security.” In June the company noted in an infographic charting the Internet of Things’ rise, as well as its security vulnerabilities.