As far as I’m concerned, these beasts are a Bad Idea™ even when they are working as intended.
But, of course, the odds of them working correctly are vanishingly small.
This winter, a team of researchers at Ben-Gurion University of the Negev reported on studies of consumer IOT devices including baby monitors, doorbells, and a thermostat. The paper sketches their cookbook of methods to analyze, break into, and take over these and similar devices. This is a great tutorial on just how vulnerable your device really is!
They start by opening the cover, which is usually possible without disabling the device. Visual inspection reveals the components, which have easy-to-read identification printed on them, of course. The hackers can easily identify the juicy memory modules and gaping access ports to go after.
The crucial step is, as they say, “Extraction of Firmware and Data”. The paper makes clear just how naked a computer is when the cover is off and it is in the enemy’s hands. Simple techniques sufficed to capture passwords and take control of the system. Ultimately, one way or another, they were able to extract the firmware for analysis. The game is pretty much over at this point.
It is interesting that the widespread use of Linux versions in IOT means that a captured firmware image can be analyzed with standard Unix utilities which have been around since I was a young programmer. For example, IOT devices which use Linux password protection can be conveniently analyzed on any Linux system, because the libraries are the same. Of course, brute force cracking can be slowed by good passwords, but they report relatively easy success with these IOT devices. Besides breaking passwords, analysis of the firmware can also reveal any number of other vulnerabilities.
Overall, they were able to break passwords in a number of devices (and found one null password—oops!). In some cases, they found open network access ports (telnet and FTP), or were able to set them up (because they had root access). Yoiks. They found WiFi credentials, they found hard coded private keys. Double Yoiks!
They also found strong indications that some of the devices were rebranded, i.e., built on the same components as other devices. In this case, the shared hardware and software also shared passwords and vulnerabilities. In any case, there are many replicates of each type of IOT device, so breaking into one potentially compromises whole swathes of the network.
The authors make some completely straightforward recommendations for producers. Disable the ports! Use good passwords! Encrypt as much data as feasible!
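An added example (not from the paper or from the original post): a small Python audit that a producer could run over an unpacked firmware root filesystem before shipping, checking for the kinds of findings listed above: null passwords, telnet/FTP services, stored WiFi keys, and hard-coded private keys. The file names, patterns, and sample tree are assumptions constructed for illustration.

```python
import os, re, tempfile

PEM = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
SERVICE = re.compile(r"\b(telnetd?|(?:vs)?ftpd?)\b")
PSK = re.compile(r"^\s*psk\s*=")

def audit_rootfs(root):
    """Walk an unpacked firmware root filesystem; return sorted (path, finding) pairs."""
    findings = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and device nodes
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB covers config and key files
            if PEM.search(data):
                findings.add((rel, "hard-coded private key"))
            for line in data.decode("utf-8", "replace").splitlines():
                if line.lstrip().startswith("#"):
                    continue  # commented-out entries are not active
                fields = line.split(":")
                if name in ("passwd", "shadow") and len(fields) > 1 and fields[1] == "":
                    findings.add((rel, f"null password: {fields[0]}"))
                elif (name == "inetd.conf" or "/init.d/" in "/" + rel) and (m := SERVICE.search(line)):
                    findings.add((rel, f"network service enabled: {m.group(1)}"))
                elif name.endswith(".conf") and PSK.match(line):
                    findings.add((rel, "stored WiFi pre-shared key"))
    return sorted(findings)

SAMPLE = {  # constructed files, not taken from any real device
    "etc/shadow": "root::0:0:99999:7:::\nadmin:$6$constructedsalt$placeholderhash:0:0:99999:7:::\n",
    "etc/inetd.conf": "#ftp stream tcp nowait root /usr/sbin/ftpd ftpd\ntelnet stream tcp nowait root /usr/sbin/telnetd telnetd\n",
    "etc/wpa_supplicant.conf": 'network={\n  ssid="example"\n  psk="constructed-passphrase"\n}\n',
    "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n",
}

def demo():
    # Build the constructed tree in a temporary directory and audit it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit_rootfs(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

To audit a real image, call `audit_rootfs()` on the directory where the firmware's filesystem was unpacked; a clean result only means these four patterns were not found.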
There is little users can do except not use these things!
The authors note that economic forces press manufacturers to create cheap products, cutting corners on security. It is also true that many designers have inadequate understanding of security issues.
I’ll add that these problems don’t stem from devices that are too dumb. Quite the contrary. The problem is that very capable processors with a full Linux operating system are cheap and ubiquitous. The success of these technologies has a perverse effect on design, lifting constraints and allowing complex and insecure systems to be built. These devices are far too capable for their intended use.
It is also interesting to note that these ubiquitous and mostly open source technologies are so widely used they are becoming a sort of technical monoculture. The same vulnerabilities are found in many different products because they are all built from a very limited “gene pool” of cheap technology.
Open source development is often put forward as a good approach to creating trustworthy and secure software. The more eyes, the better the software. And open software can’t have secret back doors or other shenanigans in it.
But, as we see in IOT, when relying on open source software also means that everyone is using the same software, there is the risk that serious bugs will be ubiquitous throughout a software monoculture.
Overall, it’s not a comforting picture. And there isn’t much a consumer can do, other than Turn It Off.
- Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici, and Yossi Oren. Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices. In Smart Card Research and Advanced Applications, 2018, 1-21. https://link.springer.com/chapter/10.1007%2F978-3-319-75208-2_1