This past weekend, I had the pleasure of helping with the Security of Things event at the MIT Media Lab in Cambridge, Massachusetts. The purpose was to examine the security of Internet of Things (IoT) devices using Synopsys tools. The spirit of the event was a hackathon: let’s see what we can break in a couple of days!
We came with a Santa’s bag full of devices, everything from Internet-enabled video cameras, door locks, and light bulbs to streaming video devices, drones, and a robot. Attendees used Black Duck Binary Analysis to examine the software supply chains of device firmware, then fuzz tested the devices using Defensics.
Despite the short time frame, we were able to achieve good (or bad?) results.
IPv4 fuzzing on a streaming media player revealed a vulnerability that caused a full system reset. We’ve seen this kind of thing before–sometimes an embedded system OS is not as robust as you’d want, and malformed IPv4 packets can trigger a bug deep in the kernel. The device doesn’t know what else to do and reboots itself. Likewise, HTTP fuzzing on a video camera caused obliteration of its configuration. Obviously this is a concern, as it resets the login credentials to default values — “admin” with no password. Finally, protocol analysis and research showed that a certain kind of thermostat deployed worldwide can be controlled remotely, by anyone. Requests to change the desired temperature and the heating or cooling mode were neither encrypted nor authenticated, which is a very poor design. Customers compounded this problem by deploying the thermostats on the public Internet, which means they are accessible to anyone.
These findings are hardly surprising. Software builders are traditionally focused on functionality, trying to make something that works in the shortest possible time. Security and privacy get lost in the mad rush to market. This mindset is especially prevalent in the turgid IoT market, where small devices with small development budgets jockey for position in market that demands speed and features.
The best result from the MIT Media Lab hackathon was the transfer of knowledge. The people that participated learned about software supply chains and techniques like fuzzing that can be used to locate vulnerabilities. Armed with this kind of knowledge, and an understanding of the types of tools that are available, more people will be asking the right kinds of questions about IoT devices in the future: Has the manufacturer designed this device to be secure? Did the manufacturer manage their supply chain effectively? Can I trust this device?
Ofer Maor, Director of Security Strategy at Synopsys, and Mikko Varpiola, System Architect at Synopsys, both spoke before the crowd on Saturday morning along with security industry luminary Bruce Schneier.
Jonathan Knudsen is a Corporate Application Engineer at Synopsys.