Def Con: Do smart devices mean dumb security?



  • 6 August 2016
  • From the BBC

Some people now use automatic feeders to make sure their pets get a meal on time.

From net-connected sex toys to smart light bulbs you can control via your phone, there's no doubt that the internet of things is here to stay.

More and more people are finding that the devices forming this network of smart stuff can make their lives easier.

But that convenience may come at a high cost - namely security.

Def Con, which sees 15,000 of the world's top hackers gather in Las Vegas, was this year studded with talks about the security shortcomings of IoT gadgets. Holes, data leaks and bugs have been found in everything from CCTV cameras to solar panels, thermostats to door locks. One talk about the bugs in those sex toys revealed that these intimate gadgets are being perhaps too candid with data about the people enjoying them.

And there is starting to be evidence that cyber criminals are waking up to the potential for IoT devices to help them carry out attacks that revolve around bombarding websites with more data than they can handle - a Distributed Denial of Service attack (DDoS).

Home CCTV cameras, domestic routers and other smart devices have all been used for these kinds of attacks.

"Using these devices to DDoS a site makes a lot of sense," said Raimund Genes, European technology head at Trend Micro.

Many cyber criminals who run networks of hijacked machines that can be used to DDoS a site are switching to IoT devices, he said, because they are easier to find, take over and manage than the networks of PCs that are more traditionally used for these types of attack.

Bigger risk

While criminals might abuse in-home devices for attacks, they were unlikely to target individual devices in homes with a view to crashing them or locking them up with malware and demanding a fee to free them.

The economics of those types of attack made no sense for competent cyber thieves, said Mr Genes.

"All of the IoT attacks sound cool but commercial cyber crime doesn't have an interest in them," he said. "They are much more interested in volume because they are running a business."

Osram's Lightify lamps can be controlled by an app

"At the moment they are making much more money from ransomware on Windows PCs," he added.

Deral Heiland, who oversees research into IoT devices for security firm Rapid7, said the broader risks involved with these gadgets became apparent when one considered the ecosystem they were likely to be part of.

"Your mobile phone is part of the loop, so is the app, the cloud interface and then you also have the connectivity between all of these devices," he said. "From a security standpoint, any failing in any one of these devices affects the security of the whole thing, the ecosystem."

Most of the firms that make IoT devices did a poor job of handling updates to their products that fix the bugs security researchers are finding, said Mr Heiland.

However, he said, it was not going to be consumers that felt the true impact of poor IoT security.

Many large firms were now starting to put in place smart systems that manage heating and lighting in buildings, branch offices and factories. Companies could make big cost savings with such systems, said Mr Heiland, giving them a powerful motive to install them.

As these IoT devices are built to work inside offices rather than homes, they are typically controlled by more powerful chips, he said. Unfortunately, work by Rapid7 suggests they share the same security failings as their smaller counterparts.

This might make them much more attractive to the types of cyber thieves keen to get at corporate networks, said Mr Heiland.

Self-driving cars are the ultimate IoT risk, say security experts

"The person who is doing the administration for the IoT lighting is probably the same person who is doing the administration for the network," he said. "That's certainly someone bad guys want to get to."

Mr Genes from Trend Micro agreed that it was likely the big firms adopting smarter manufacturing systems or putting IoT devices throughout their organization would feel the brunt of any security failings - not consumers.

"We can see that this might be a problem for industrial services," he said, "and we are working with GE, Hitachi and Siemens on this."

The result could be network-based defences that sanitize data traveling to and from plant and machinery to help it avoid being attacked or compromised, he said.

Rolling robot

One Def Con talk revealed security problems with net-linked solar panels

Cesar Cerrudo, chief technology officer of security firm IOActive, believes security problems emerge because it is usually smaller, newer firms making the gadgets. They were not interested in writing secure code because of the pressure they were under to succeed quickly, he said.

"The problem with the start-ups is that they need to get their product out very fast," he said. "If you put security on it then that slows it down and they spend more money and that makes no sense for them."

This was galling, he said, because the types of bugs being found in the software inside IoT gadgets have long been known about. And, he said, there were well-established methods of writing secure code that avoided these problems.

Adding security after the fact was always more difficult than doing it during design and development, he said.

Device makers also had a duty to realise the threat that smart devices represent - especially when IoT gadgets start moving around on their own.

"That's when the danger goes kinetic," he said, adding that the ultimate example of an IoT device was probably an autonomous vehicle.

"That's really just a robot rolling down the road," he said.
Wow, this and a few other articles have my head spinning (yet I won't stop on my quest for HA). This line sticks out in all of this:
"At the moment they are making much more money from ransomware on Windows PCs,"
Add to this an article (NY Times, Sunday section?) I came across a few weeks ago on a cyber attack scenario that involved compromised Chrysler products, malware/ransomware in hospitals, emergency services and utilities, and someone with enough money to buy these services to cause a major shutdown of a large city. Take a few compromised cars, have them cause a few accidents at key locations at rush hour, ransom each service or crash it totally, and you'll have your story in the news in time for the evening news. I'm pretty sure you can purchase all of this on the black market now.
And I don't agree with this one bit:

However, he (Mr Heiland) said, it was not going to be consumers that felt the true impact of poor IoT security.
Consumers always bear the brunt of the cost in some way, shape or form, and if the issue is newsworthy enough consumer confidence will be lost.
It's really all about big money and most consumers only see a bit in front of their nose these days of new technology. Well, they would rather not know about the grey areas.
Look at the automation advertisement for GE bulbs. They are basically looking here (and there) to up their brand consumer confidence. Thinking that that will help build new nuclear power plants soon.
Sorry, I can't stand that commercial or the apartment one he does. Both annoy me to no end.
I removed the YouTube video. I never really found it amusing.
It is a caricature of sorts relating to automation and one way that GE demonstrates "we bring good things to life" to their new target audience.
Unrelated tidbit of news this morning...8th of August, 2016
ST. LOUIS - All departing Delta Air Lines flights nationwide are currently grounded after a power outage impacted computer systems worldwide.
Passengers are being allowed to get their boarding pass but they're being told no more flights are allowed to be loaded. They can either go to the gate and wait or get a ticket from another airline and have their Delta flight refunded.
Delta posted the following update on their website:
6:55 a.m. ET UPDATE: A power outage in Atlanta, which began at approximately 2:30 a.m. ET, has impacted Delta computer systems and operations worldwide, resulting in flight delays. Large-scale cancellations are expected today. All flights en route are operating normally. We are aware that flight status systems, including airport screens, are incorrectly showing flights on time. We apologize to customers who are affected by this issue, and our teams are working to resolve the problem as quickly as possible. Updates will be available on
Huh? A power outage in ATL?
That is laughable but I think that most people will read it and not give it a second thought.
pete_c said:
That is what I read somewhere...relating to a vacuum cleaner...
Well that sucks!
I'm still scratching my head on the whole power outage thing. I can't even conceive of one of my customers having a loss of power stopping their services (BU, fail over, various tested contingency plans, etc. to handle this).