New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, held at DEF CON 24 in Las Vegas. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.
Between talks, workshops, and onsite hacking contests, IoT Village’s goal is to uncover security vulnerabilities in order to draw attention to the need for greater security considerations in the devices that comprise the Internet of Things (IoT).
Amongst many, one of the most unnerving exploits was presented by researcher Fred Bret-Mounet, who showed an attacker could shut down the equivalent of a small to mid-sized power generation facility by accessing the flaw in solar panels manufactured by Tigro Energy.
In another, researcher Anthony Rose discovered that 75% of the smart locks he investigated could be easily compromised, letting an attacker open the lock on a victim’s front door.
Another researcher, who goes by the handle “jmaxxz,” discovered a series of vulnerabilities with August locks which, if exploited, would mean that “anyone you’ve ever let use your phone, or ever given access to your home as a guest via your smart lock could enter your home without your knowledge or permission.” he said. Smart locks are one of the fastest growing consumer products serving the smart home.
Afflicted manufacturers this year included global enterprises such as Samsung, Subaru, and Trane, as well as smaller startups such as QuickLock, Elecycle, and Blossom. Vulnerabilities ranged from fundamental design flaws such as use of plaintext passwords and hard coded passwords, to susceptibility to longstanding attack techniques such as buffer overflows and command injection.
“There are really two aspects to this story that should be of concern to consumers and regulators alike. The first is that many of these devices are manufactured by companies that don’t have the security expertise or experience to make them resilient to attack. As such what’s happened is that a slew of products are entering the market that are then falling victim to simple security vulnerabilities and well-understood attacks. This would be a problem by itself, but the second aspect here is the cascade effect of the security weaknesses in IoT products. These products aren’t isolated – they are connected to other systems and other devices. What this means is that vulnerabilities in any one IoT product may compromise the security and reliability of a large number of other connected systems and devices. There’s a multiplication of risk with the IoT that needs to be addressed – a flaw in one device could open up very significant numbers of other devices to attack too,” Geoff Webb, Vice President of Solution Strategy, Micro Focus, told Help Net Security.
The government in attendance
This year, IoT Village caught the attention of the federal government. Rear Admiral (ret.) David Simpson, a Bureau Chief of the Federal Communications Commission, spoke at the event and noted that IoT Village is taking strides towards “making things harder” for attackers, by putting the spotlight on these issues.
Terrell McSweeny, commissioner of the Federal Trade Commission, also spoke at IoT Village, discussing the FTC’s law enforcement actions challenging inadequate data security in connected devices. “We believe that improved security is going to be achieved through a synergy between government, manufacturers, and the security community,” added Harrington. “The contributions of both Admiral Simpson and Commissioner McSweeny are invaluable to that effort.”
“IoT Village’s research, which follows OTA’s IoT research released last week, confirms that security (and privacy) fundamentals are being overlooked. While OTA’s analysis has been focused on personal connected devices and solutions (smart Home, wearables), all too often we are seeing the same issues in industrial controls, automotive and media devices,” said Craig Spiezle, Executive Director and President of the Online Trust Alliance.