Security Experts:

Talking Turkey about IoT Security

What’s worse than having to cook a Thanksgiving turkey? How about being forced to relegate the poor bird—or pieces of it—to a crock pot after discovering that your net-connected oven and wireless meat thermometer have both been hacked by crazy Cousin Constantine?

Looking back, it was a mistake to disinvite him from the Thanksgiving festivities—even if family dynamics had almost required the dis, what with his loyalty to the Pats, tendency to bring Granny to tears, and appetite-curbing penchant for shooting milk out of his eye. Regrettably, I’d neglected to consider his latest hobby: computers.

All up in Your Grill

IoT SecurityFor those who really don’t want to miss any of the game, there are wireless grill thermometers. They will transmit the progress of your cooking straight to your phone. Yippee! And then not. These devices often run the powerful Linux operating system and, if poorly secured, a hacker could use the device to perform a man-in-the-middle attack. In other words, basically to pretend to be your WiFi and steal data from your connections.

Granted, the thermometer is kind of silly in and of itself, but part of the challenge with any of these types of Internet-connected devices is that users aren’t necessarily thinking about security when they buy them. There isn’t always an assessment of what bringing one into a household could mean in the grander scheme of things.

As a colleague recently said to me, “Wait until app developers realize they can post things like, I just saw what you did in the living room. Pay $9.99 to delete it.”

The underlying IoT security message is that there is a lot of inconsistency in terms of the quality and security of devices on the markets. People are buying products like the connected meat thermometer, thinking it’s a great idea, but not realizing that the thing could be lying to them, saying that the inside of their turkey breast is at 165° Fahrenheit when it’s actually only at 30°.

Appetizers for Destruction

If you live in a networked house, you may love how Amazon Alexa turns your lights on and off. But what if she were to, without your command, turn down your oven, crank up the heat, or freeze Sonos on a never-ending loop of “Let It Go”?

Turns out Internet-connected home appliances, while offering convenience, can also be real party poopers. They are susceptible not only to hacks (if connected to your smartphone, your Gmail credentials might be easy prey), but also hijacks. A WiFi-enabled oven might be designed to let you control it from wherever you are (e.g., like 10 feet away, on the couch, absentmindedly watching the Macy’s Thanksgiving Day Parade), but it may just as easily allow a hacker like vindictive Cousin Constantine to change the temperature and ultimately ruin your Thanksgiving meal.

A general lack of security awareness amongst consumers and manufacturers—coupled with an absence of rudimentary security features on connected home devices—can add up to serious issues for users. For instance, let’s say you plug in your new cat cam or baby monitor. By default, the device will usually obtain an IP address from a DHCP server. Once that is done, you will be asked to log in using default “admin” credentials. The next step? That’s where problems begin. Most of these purpose-designed home devices will not require you to change the default credentials let alone enforce use of strong (and frequently updated) passwords.

What’s worse, sometimes users aren’t even given a choice. For example, in the recent case where webcams and DVRs were used to launch a DDoS attack against Dyn to disrupt service to Twitter and other companies, the speculation is that even if users had wanted to change their default passwords, they wouldn’t have been able to. The actual providers who shipped the devices didn’t allow for that function.

Brick-Oven Turkey

Another possible entry point? A poorly secured, open WiFi connection. Thinking back to Cousin Constantine, he could have easily taken advantage of such a vulnerability to gain entry, scan the network and see that the net-connected oven was running and reporting back current temperature settings to a smartphone—almost like a mini SCADA network. All he would have needed to do was look for the Mac address and compare it to the manufacturer.

Once he figured out out how to tear down that packet, he would have been able to send back conflicting information or, perhaps, push a bogus software update to brick the oven. If you think of the CIA triad (confidentiality, integrity, availability), bricking something is an attack on availability. You brick something, it’s as useful as a brick. He could have made the oven impossible to reboot, forcing the family to switch to cooking in the crockpot—and delighting in their misery as they did.

Sweet Finish

Let’s give thanks. To the fact that good home Internet hygiene is within the grasp of anyone. Start with the basic stuff:

• Be thoughtful. Think about your exposure.

• Don’t leave your WiFi open.

• Use proper encrypted protocols (HTTPS, SSH, etc.) over your WiFi (or wired) network.

• Change your modem’s default password; update your modem’s firmware.

• Change your printer login password.

Then, top it all off with a tinfoil hat, a dash of prudent paranoia, and you’re off to a good start with creating a recipe for basic security success.

view counter
Erin O’Malley is a senior solutions marketing manager at Gigamon. Previously, Erin was a product marketing manager for virtualization and cloud security solutions at Juniper Networks. Other past roles have included customer marketing at VMware and as a writer and editor for various companies, including WSGR, Business Objects, the TDA Group, and Hearst Magazines. Erin holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College.