The original version of this post was published on SecurityWeek.
The first chunk of actual sky recently slammed into the ground with a resounding thud.
The security community has been actively telling the world that the Internet of Things (IoT) is ripe for compromise and exploitation. Unfortunately, the public has shoved aside these “Chicken Little” warnings in hopes of getting all of the promised gee-whiz technologies without the sky actually falling.
Fortunately, a combined research team from the University of Michigan and Microsoft recently performed in-depth analysis of an IoT home command center and brought the problems into the bright light of day. As sobering as their research results are, they took things a step farther by building four attacks based on their research. These attacks designed real exploits like creating a code for the automated front door lock, stealing a PIN to open other door locks, and disabling detectors and alarms.
The device at the center of the research is the Samsung SmartThings platform, which is a series of products and associated software that is tied together on a hub device. Samsung sells monitors, alarms, and other devices. There is also a community of products that are SmartThings-enabled ranging from door locks to light and fan switches to home weather systems. The community offers applications for the devices as well as mobile and Web apps to control the devices connected to the platform.
It’s software that makes an IoT or embedded device different. The device is, by definition, connected to the Internet. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device. Anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.
This research shows what the security industry has known for a while and simply proves it to everyone else.
When people see a television commercial of a couple operating their front door lock from a mobile app on their phone, most see convenience and safety. However, those in the security community immediately see vulnerabilities and exploits. The report validates our apprehension.
The research notes that the majority of the vulnerabilities exist in the software of either the device or the software that controls the devices. This is exactly what the security community has feared. This pattern is repeating every time new technology is introduced without proper consideration for the basics of security. It happened when applications moved to the Web, and we dutifully took note of the lessons learned. But when mobile applications took off, we ignored those lessons and repeated the same mistakes. The pattern persisted when the Cloud emerged, and now we see proof that it is happening again with IoT.