A Podcast with Arthur "Code Curmudgeon" Hicken
In this episode of At The Edge with Sean Martin, ITSPmagazine's editor in chief is joined by Arthur Hicken, Chief Evangelist at Parasoft and the information security professional affectionately known in the industry as the "Code Curmudgeon".
Arthur manages a site called the IoT Hall-of-Shame where he captures stories of devices and other 'things', everything from light bulbs to cars, that have at some point hit the news for being identified as vulnerable and/or hacked. If it's a smart thing connected to the Internet, it's probably on Arthur's list.
To give us a sense of what he's seen this year, Arthur runs through the top 10 entries for 2017. We hear about new bugs, old bugs, returning bugs, never-fixed bugs, and things that aren't bugs at all but are just flat-out poor decisions made by the manufacturers building these devices. Are these poor decisions bugs, or just plain stupidity? You make the call. Either way, it's important to remember that it's not just the manufacturer's responsibility; we as consumers have a huge role to play in ensuring that security and privacy are considered when these devices are purchased, installed, and used.
The Top 10
A lady bought a smart camera to watch her puppy. When she heard the camera making noises, talking to her and following her around, she unplugged it. A smart move, for sure. But, for some reason, she felt compelled to turn it back on. Instead, consider taking it to the local authorities and letting THEM play with it; there's a possibility they could track the attacker down before the attacker knew anyone was on to them.
This is a case of old vulnerabilities that have been around for years, with patches available for at least 2 years. This just shouldn't happen. According to DHS, these imaging machines can be hacked by people with low hacking skills. The flaws are in supporting system code, not just the "main" application.
In this smart fish tank, sensors are connected to a PC to (presumably) track temperature and water quality. In reality, 10GB of data was siphoned out through the tank via the network it was connected to. Similar to the thermostat attack in Los Angeles at the Chamber of Commerce. A simple, low-value device becomes the path to something far more valuable.
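The practical lesson of the fish tank is that a sensor has no business sending gigabytes out of the building, and that the anomaly is visible in plain flow data long before anyone reads the tank's firmware. The following is an added example, not code from the podcast or from Parasoft: it takes a hypothetical per-device egress ceiling for the IoT segment, sums outbound bytes per source to addresses outside the site's own ranges, and flags devices that exceed their ceiling. The flow records, the 10.0.0.0/8 site range, and the RFC 5737 documentation addresses standing in for Internet hosts are all constructed for the example.

```python
"""Egress-volume check for an IoT segment (added example, not from the podcast).

Flags inventoried IoT devices whose outbound bytes to addresses outside the
site's own ranges exceed a per-device ceiling. All inputs are constructed.
"""
import ipaddress
from collections import defaultdict

# Hypothetical site address space; anything else is treated as "external".
# (Python's ipaddress marks RFC 5737 documentation ranges as private, so the
# check is done against an explicit site list rather than is_private/is_global.)
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical inventory: IoT device -> allowed external egress (bytes) per window.
IOT_EGRESS_CEILING = {
    "10.0.5.20": 5_000_000,    # fish-tank sensor: a few MB of telemetry a day
    "10.0.5.21": 50_000_000,   # thermostat
}

# Constructed sample flows: (src_ip, dst_ip, bytes_out). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.1.1", 4_096),               # tank -> internal server, fine
    ("10.0.5.20", "203.0.113.9", 7_000_000_000),    # tank -> external host, huge
    ("10.0.5.20", "203.0.113.9", 3_500_000_000),    # second flow, same host
    ("10.0.5.21", "198.51.100.4", 120_000),         # thermostat -> vendor cloud, small
    ("10.0.2.30", "203.0.113.9", 9_000_000_000),    # workstation: not an IoT device
]


def is_external(ip: str) -> bool:
    """True if the address lies outside every site network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SITE_NETWORKS)


def external_egress_by_source(flows) -> dict:
    """Sum bytes sent to external destinations, keyed by source address."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_iot_exfil(flows, ceilings=IOT_EGRESS_CEILING) -> dict:
    """Return {device: external_bytes} for inventoried devices over their ceiling.

    Non-inventoried sources (workstations, servers) are ignored here; they
    belong to a different baseline, not this one.
    """
    totals = external_egress_by_source(flows)
    return {src: n for src, n in totals.items()
            if src in ceilings and n > ceilings[src]}


if __name__ == "__main__":
    for dev, n in flag_iot_exfil(SAMPLE_FLOWS).items():
        print(f"ALERT {dev}: {n / 1e9:.1f} GB to external hosts, "
              f"ceiling {IOT_EGRESS_CEILING[dev] / 1e6:.0f} MB")
```

The check deliberately ignores payload content, since the tank's traffic to a cloud service may well be encrypted; volume and destination are what the network owner can still see. The tighter fix is segmentation, so that a tank sensor cannot reach the systems holding the data in the first place, with a check like this as the backstop.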
The real issue here is the poor corporate attitude toward security. We often think of cybersecurity and automobile theft as two different things. In today's age, they are one and the same.
Lots of machines are on the Internet and can be used as part of other attacks—like DDoS—crossing an air-gap boundary, stealing credit card information, and more.
"Too hard to hack" is a frequent response from vendors. The same was said about the tire pressure monitoring system (TPMS) hack: "It's too hard, it's not worth it, no one will bother." In this case, the vendor claimed 'special' hardware was needed; but you can get it for about $300 on the web.
Cameras as a category are #3 overall in IoT hacks this year. Beware of cheap electronics from countries with no real alliance to the US government.
Do you own your device? The service? Do you really have control? Or can a company lock you out of your house, cancel the service, or remotely control the device? What else?
A variety of bugs were reported, and Google initially left them unpatched. Smart home devices and cameras like these are constantly under attack. In this case the vendor responded very slowly, although sometimes they respond quickly. In short, they were not consistent.
This is a complete mess. If you don't think you'll be attacked, consider that an attacker's motive may not be the one you expect. The real threat in this case was the shorting of the stock after publishing the vulnerability. Unethical on many fronts.
Those who hack these devices often leave a polite message; others have left silly ones, and others still leave porn. It's happening all over the world, on highways, in train stations, and more. Something like Shodan will find them for you. Also try watching the Norse attack map for an interesting view.
One of many toy attacks, including "smart" stuffed animals. Also one of many attacks that take advantage of home smart hubs you can talk to. What can you do? Change the default trigger keyword! The following question is worth asking: do your kids really need talking stuffed animals? Arthur hates to be a curmudgeon, but let them use their imaginations at least once in a while.
7 different manufacturers were checked during an assessment exercise and all were found to have problems. It's very probable that others beyond the 7 assessed do as well. The reason this claim can be made is that there are more than 8,000 known vulnerabilities in 3rd-party libraries, and these devices likely use one or more of them. One key issue here is that the programmer devices don't authenticate, so anyone with one can reprogram the devices even if they shouldn't be able to.
This is seen on lots of cars; the remote app ecosystems haven't been well thought out. Think twice before enabling this on any car. Are the risks, the car being stolen, for example, worth the convenience?
There are LOTS of routers and other networking appliances in the hall-of-shame. This one got Arthur's attention because it's everywhere. A simple pen test on one of these some years ago, using only crude automated tools, yielded results with essentially no effort at all. Unfortunately, the same was true for Belkin and Netgear, so don't get comfortable just because you don't have one of these 3 devices. Chances are...
The problem here isn't political, it's technical. During a recent hack-a-thon, it took only minutes to hack into these systems. The problem is more complex than you think, but also more solvable than you might think. We need to stop hyperventilating after elections and seriously plan out actual security for voting machines.
About Arthur "Code Curmudgeon" Hicken
Arthur Hicken is Evangelist at Parasoft where he has been involved in automating various software development and testing practices for over 25 years.
He has worked on projects including cybersecurity, database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems and maintains the IoT Hall-of-Shame.