This post was originally published here by (ISC)² Management.
Following the success of the one-day Secure Events and Security Congress in EMEA, (ISC)²’s new look two-day Secure Summits bring multi-subject sessions from hands on practical workshops to keynotes and panel discussions, featuring local and international industry experts to maximise the learning experience and CPE opportunities.
Serving the entire (ISC)² EMEA professional community with five regional events, the Summits offer a wealth of educational value, networking opportunities, and a community forum for likeminded professionals, all of which are FREE to (ISC)² members & (ISC)² Chapter members. Read on for insights from one of our popular Secure Summit UK sessions:
Day one of Secure Summit UK saw ethical hacker Ken Munro from Pen Test Partners take the stage to deliver a truly chilling demonstration of how easy it is to gain access to your data, and even spy on you through the vulnerabilities inherent in many modern IoT devices. His day job involves testing devices on the market and during this session, he revealed some of his findings.
IoT Kettle
Ken began by demonstrating how to hack into someone’s network via an internet connected kettle. Simply by taking the base apart he found the Wi-Fi module, and using readily available tools, he was able to find its IP address. A quick Google search brought up an online manual for the kettle, revealing its default password as ‘000000’. Also in the document were AT commands, including one which brings up the network’s wireless key.
Furthermore, he demonstrated that physically factory resetting the device resets the password but keeps the wireless key. This means that hackers can buy these kettles second hand on eBay and essentially buy people’s Wi-Fi passwords. Using a tool called Shodan, he revealed that you can geolocate all these devices as well, meaning a hacker can literally find where you live through your kettle.
Cayla Doll
Ken revealed that a Cayla Doll – an interactive talking children’s toy – can easily be hacked and be made to swear. Although it advertises an anti-profanity filter feature, by exploiting the PIN-less Bluetooth connection between the doll and its companion app, he was able to access the SQL database which contained the blacklist of swear words and easily delete it. The doll could then be made to say anything. Furthermore, the microphone could also be commandeered to effectively spy on the user.
Thermostats
Ken’s next demonstration was to show how hackers can even put ransomware on smart devices like a thermostat. He showed the audience how easy it was to find the device’s firmware online and by reading the code, he was able to find 14 different vulnerabilities where code can be inputted. Here, hackers can upload ransomware.
There are far wider implications from vulnerable thermostats. Currently, there are around 1 million IoT thermostats in the UK. What if you could control all the thermostats of the same brand because they have the same vulnerability? These could be commanded to turn on all the air-conditioning units at the same time, causing a huge power spike. This could bring down the power grid, and cause a blackout. This shows that our critical national infrastructure could be at stake because of insecure IoT thermostats.
Regulation
It’s clear that the gold rush of creating IoT devices has left our cybersecurity seriously compromised. But despite these vulnerabilities, things are starting to improve. Industry is starting to take security more seriously, and the new laws and regulations are coming to improve this situation. He explained that a Star Wars toy last year shipped with vulnerabilities but the manufacturer fixed them in just 8 days after they were pointed out, and thankfully the vulnerabilities he mentioned no longer exist. Furthermore, the EU is working on legislation that will help provide a standard of security across these types of devices.
In the meantime, he warned, to be wary of just how many threats there may be in internet connected devices around us.
Photo:Huffington Post
