Book Review: Abusing the Internet of Things
New submitter sh0wstOpper writes: The topic of the Internet of Things (IoT) is gaining a lot of attention because we are seeing increasing amounts of "things", such as cars, door locks, baby monitors, etc., that are connected and accessible from the Internet. This increases the chances of someone being able to "attack" these devices remotely. The premise of Abusing the Internet of Things is that the distinction between our "online spaces" and our "physical spaces" will become harder to define since the connected objects supporting the IoT ecosystems will have access to both. Keep reading for the rest of sh0wstOpper's review.
Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts
author: Nitesh Dhanjani
pages: 296
publisher: O'Reilly
rating: 9/10
reviewer: Dan Smith
ISBN: 1491902337
summary: Attack & penetration techniques for the Internet of Things
In chapter one the author takes apart the popular Philips hue lighting systems by examining the various types of communication protocols (Zigbee, TCP/IP). Packet captures of communications between various systems are presented in an easy to understand fashion. An actual vulnerability that can be abused to cause a blackout is also described.
This chapter also discusses how the lighting system and other IoT objects are starting to integrate with each other using the If This Then That (IFTTT) platform. As such, cross-platform vulnerabilities are discussed. I appreciated this section in particular because it did a good job of helping me think of how attackers are likely to leverage the fact that various IoT devices will want to integrate with each other and the compromise of one device can give someone access to other devices.
There has been a lot of research in the area of wireless door locks. It is easy to see how a simple vulnerability in such a device can compromise physical safety. Chapter 2 clearly articulates vulnerabilities in popular door locks in hotel rooms and how they have been already abused for theft. This chapter also discusses security issues in the Bluetooth Low Energy protocol and closes with good recommendations for consumers as well as for people responsible for designing locks.
I found chapter 3 interesting because it covers the "saga" of popular audio and video monitors manufactured by a company called Foscam. Many researchers have published multiple vulnerabilities in these monitors and this chapter shows how to actually locate hundreds of thousands of exploitable monitors on the Internet. This chapter shows how discussions on Foscam's own user forums have exploded vulnerabilities.
The Belkin WeMo baby monitor (audio only) is discussed next along with packet captures to show communication details. I like that this book lists such details because it helped me understand how the IoT devices are designed and that made it easier for me to understand the cause of vulnerabilities.
Real stories of concerned parents as well as incidents of how pranksters have been able to scare parents are also discussed. This really drives home the fact that security issues in these products are being exploited.
The topic of concern of chapter 4 is IoT-based devices that can be leveraged to protect physical safety. The popular SmartThings suite of IoT devices is the scope of this chapter. Security issues that include hijacking credentials, abusing SmartThings' own IDE platform, and SSL validation vulnerabilities are described.
I enjoyed chapter 5 in particular because it walks through multiple security vulnerabilities targeting multiple products of one vendor: Samsung. The chapter describes the "TOCTTOU" attack and how it's exploited. I've tried to read the original researcher's white paper on this attack and found it confusing but this chapter described it elegantly and I was then able to go back and read the white paper easily.
Bad encryption is the focus of this chapter and I laughed at the heading "You call that encryption?" followed by the sub-heading "I call that encraption". These sections talk about how bad encryption (using XOR) by Samsung has been used to reverse engineer code. The section ends with the line "The slang term *encraption* (with the emphasis on *crap*) is affectionately used by the cyber-security community to call out badly implemented encryption. As this case shows, the title of this section is entirely justified."
Since the chapter is focused on one company, the author does a good job of equating the situation to other companies in the past (such as Microsoft) and how systemic security issues like these should ultimately be addressed by the leadership so that security is embedded into the DNA of the company. I found this perspective valuable.
The topic of car hacking is one of the reasons I bought this book. I have heard of the author in the past based on his research on the Tesla Model S since I came across his presentation at the Black Hat conference last year. Chapter 6 includes emphasis on the Tesla along with how the back end API works to support features such as locating the car remotely, unlocking it, and even starting it. The lack of 2 factor authentication is an issue that gives rise to simple techniques like phishing that can be used to steal a Tesla. Developers are insecurely leveraging Tesla's API in a way that is making car owners send over their clear-text credentials to them. I am amazed that this is currently happening and most Tesla owners don't even know that they are basically handing over their keys to people who they don't know.
This chapter also covers popular research by Chris Valasek and Charlie Miller, along with remotely exploitable vulnerabilities in telematics systems which have gained a lot of media attention and concern recently.
I found chapter 7 refreshing because it approaches security from the eyes of someone who wants to design a new IoT product. The chapter walks through a design of a wireless door bell using the littleBits IoT platform which is primarily focused on prototyping. The main point of this chapter is that it is much more valuable to design security earlier on in the prototyping stage than deal with security bugs later on in the process. I liked that the chapter uncovered security flaws earlier on in the prototyping of the wireless door bell and tied it back to vulnerabilities found in previous chapters in existing IoT products.
A comprehensive list of threat agents, i.e. the types of entities that may attack an IoT device, is presented. This list includes nation states, terrorists, criminal organizations, disgruntled employees, hacktivists, vandals, cyberbullies, and predators. The author does a good job of demonstrating that it is useful to take the use cases of IoT devices and see how each of these threat agents may want to leverage vulnerabilities to achieve their own goals.
The last topic covered here is the concept of bug bounty programs and why it is important for IoT companies to reward researchers who submit security bugs to them for free. I'm close to implementing such a program in my organization so I felt the content in this section was spot on.
Looking into the future, chapter 8 goes through very interesting methods in ways IoT ecosystems can be exploited, starting with the deployment of drones to track individuals, a group of people, or even take over a city. A 'cross-device' attack scenario (with code) to show how a website on a victim's laptop can verbally instruct the Amazon Echo to turn lights off was fun and thought provoking, i.e. the fact that IoT devices around us will be able to tell each other what to do and how this can lead to chaos. In addition to other threats in our future, this chapter opens up discussion on the security of interspace communication (with respect to our goals to send manned spacecraft to Mars) and also the importance of treading carefully when it comes to super intelligence.
Chapter 9 includes 2 short stories, i.e. "hypothetical scenarios" of a security executive abusing the "buzz" around IoT and failing to think of how to secure his company because of lack of strategical thinking. The second short story demonstrates how IoT companies also need to think of human elements, emotions, and public relations in addition to the technical content in this book.
Overall, I enjoyed this book and I would recommend it to others. I do feel that a lot of the content can be absorbed even if the reader isn't technical, but there may be some parts that may be frustrating to someone who doesn't understand basic concepts of HTTP, TCP/IP, and/or some coding. After reading this book, I feel I have a better grasp of what IoT means to us and what security issues we are facing, and will face.
You can purchase Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.
The Internet of Things...it's a cookbook!
You are welcome on my lawn.
>> Chapter 9 includes hypothetical scenarios of an security executive abusing the "buzz" around IoT
>> concept of bug bounty programs
>> chapter 7 refreshing because it approaches security from the eyes of someone who wants to design a new IoT product
So...who's the audience, exactly? Executives? Developers? Engineers? None of the above?
>> The slang term *encraption* (with the emphasis on *crap*) is affectionately used by the cyber-security community to call out badly implemented encryption
I've been in the industry 15 years. I've never heard anyone use that term.
Any chance this book is available for my IoT toaster, so I can read it while waiting for my toast?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
You are all cows. Cows say moo. MOOOO! MOOOO! Moo cows MOOOOO! Moo say the cows. YOU COWS!!
Many many thanks to share this information.
What is the fricking difference?
Abuse is the only explanation for the Internet of Things that's made any sense.
How about not connecting devices that can be compromised by opening an email attachment or clicking on a URL ..
I'm going to sell air-gap-ultrasecured(TM) cars, door locks, baby monitors, etc, that are unreachable from the Internet of Things. They will be impervious to any and all Internet of Things protocols! You might break an encryption key with your ad-hoc compute cluster but grandma's skeleton key is unPwnable!
... you can't turn the lights off because the internet connection is down. ... there's a three-second round-trip lag to turn your car on. ... you can turn your heating off from halfway around the world with your phone, but can't find a button on the wall. ... your computer gets a virus and your TV starts advertising sites selling viagra of dubious origin.
the network abuses you... you go larry lessig, bring chomsky & scott olsen with you...
The Internet of Things is about sensors everywhere and to a more limited extent actuators. But actuators are relatively few compared to sensors. Fine grained sensors are out at the edge where there is no normal wireless connectivity and are quite a challenge to innovate, power and scale out at very low cost. The next challenge is gathering the edge information at highly distributed small systems that may be more wireless/internet connected in some form. While you could hack to corrupt data feeds flowing up, the question is what would be the significant payoff to make it worth it at all? You corrupt the out on the farm soil sensors so the watering systems give too much or too little water? Not so easy to get away with and no payoff beyond malice and an ego trip.
Automated and even driverless cars are not IoT. They will be no easier and likely a great deal harder to hack than your average MS box.
Really, I would expect hackers worth the name to be thinking of cool things to do with the accelerating technology not ways that it will mess up or to mess things up.
Please don't play into FUD coming out of groups that fear for their current business models in the age of driverless cars and trucks. You are being played.
...for several decades without a Bluetooth connected screwdriver!
And not on some of that Packt Crap.
Interesting, but here comes a short story about 1979:
We had Internets of Things back then- Magnets and Faraday Cups and Wire Chambers- those sorts of Things so useful for a huge Particle Accelerator.
There was a basic Modcomp Computer addressing scheme: a unique Four Hex Address followed by a Four Hex Command. The device would respond with that Four Hex Address and a Four Hex Response. Very simple and abstract and Real Time; most of it was hardwired in the PDM Chassis, and the Modcomps turned it all into something resembling English.
Except the Modcomp meant for Diagnosis had its budget cut, and we did without.
If something went Tits-Up out in the field, the Techs would have to grab a 'scope and relevant Boolean Electrical Prints, and try to Diagnose, right there in the field, and most often when it was raining. Well, it was good exercise.
One night I discovered something interesting. (I was supposed to be repairing PDM Transmitter and Receiver cards...) I was playing around with the Four Hex Addressing with Thumbwheel Switches, and sent out an Address _without_ a Command on the Data Highway. The PDM Chassis dutifully returned a Diagnostic, which was only meant to be seen by the unbought Modcomp. A little card that latched both the Thumbwheel Address and the Diagnostic was whipped up and put in place in a day, right next to the Printroom, just down from the Control Room. (It's not really this simple; The Modcomp Networks were Real Time Synchronous, and my little doohickey was Asynchronous. There was only a 200 Millisecond window every six seconds that the "Send" Button could be safely hit. I managed.)
When something went T-U somewhere Out There, just grab the Print, set the Thumbwheels, hit "Send", and compare the LEDs to the Boolean Diagnosis at the bottom of the Print. It was usually either a bad Waterflow switch, or a blown fuse. (Once, mice had settled in a PDM Chassis, and had eaten much of the Insulation on the Backplane, being very careful to make sure that none of the Copper wires touched as a result.)
I went from lowest-of-the-low Techie into Operations within a month, and within a Decade, I was running my own Accelerator.
I suppose that what I did may be called "Hacking". I called it "Lazy Expediency". Computers are really stupid, and are easily outwitted, or even replaced by a 22 year old with access to Thumbwheel Switches.
These new "Internets of Things" have the same basic Issues: Addressing, Command and Response, Diagnostics. The only really new thing is Security.
I have a solution for that too.
Sorry peeps. But I have zero interest in connecting anything in my house to the internet other than my computers as I at least stand a chance of having reasonable security on them (I configure them)
It's plainly obvious to me that most manufacturers are utterly clueless. Hard coded piss weak default passwords, internet facing administrative backdoors which are open by default, open ports, a design philosophy of "everything open to anyone by default", no thought that someone might try to attack the device by using it in an unintended manner etc. etc. It's like they're getting newborn children who've never seen the internet to design the security of all this "IOT" crap.
This whole idea should be called the "Internet Of Piss Poor Security" (IOPPS)
Not interested at all.
Sky subscribers are morons. They pay to be advertised at !