To Mark Loveless, an internet-enabled cordless drill seemed like a perfect recipe for an IoT security nightmare.

Duo Security’s senior security researcher confessed that it sounded silly and quite possibly part of a push by the electronics maker to inject “smarts” into devices that ultimately turned them into hackable punching bags for adversaries to exploit. So when he examined an internet-connected Milwaukee Tool cordless drill he was pleasantly surprised to find the device’s “smarts” were implemented in a safe and responsible manner. The results of his findings are part of research published Monday, “Bug Hunting: Drilling Into the Internet of Things (IoT).”

“My expectations for security were very low for a smart drill,” Loveless said. “But after examining the security, I feel like there is hope that consumer-device IoT can be done the right way.”

The drill in question was a $250 Milwaukee Tool ONE-KEY M18 Fuel 1/2″ Drill/ Driver. The drill comes with an asset-management platform called One-Key. The platform allows tool owners to use a smartphone app or website to track the drill’s whereabouts using GPS technology. It also allows for remote custom configuration of equipment (such as the drill’s torque), or disable it should it be stolen.

When it comes to the world of IoT devices, there is no shortage of faulty security to keep experts such as Loveless skeptical. From IoT botnet-fueled Mirai to the co-opting of the Conficker worm to target hospital IoT devices, last year alone IoT malware activity more than doubled.

That is why after Loveless closely examined the drill he was impressed to find that the manufacturer appeared to have performed comprehensive threat modeling on the device, used reliable open source software libraries correctly, and implemented strong SSL encryption.

“If DVR and CCTV makers took the steps Milwaukee Tool did, Mirai wouldn’t have had a chance,” he said.

That’s not to say all was perfect. Loveless’ investigation found what he called “minor flaws.” One was that static passwords were hard-coded into the smartphone app. Also found, the power drill could be readily identified by a potential thief remotely via Bluetooth scanning.

“With a $100 Bluetooth antenna I could scan the neighborhood and find these expensive drills within a half-mile radius,” Loveless said.

During his research, it was also discovered that the GPS data used for inventory tracking could be spoofed. “Basically, if I stole your drill, I could fake the GPS data to make it look like another neighbor had the drill in his toolshed,” he said.

The big caveat to his research? “We are talking about a drill. If this were an insulin pump, pacemaker or security alarm these flaws would be a lot more serious,” Loveless confessed.

In all, four vulnerabilities were identified by Duo Security, generating two unique CVEs.

CVE-2017-3214 relates to the fact, “the ONE-KEY app includes master credentials in base-64 encoded format that are needed to obtain a bearer token. The bearer token allows for read-write access to information stored in Milwaukee Tool’s website.”

With CVE-2017-3215, the One-Key app has a bearer token that doesn’t expire and stays stored on the phone. “A typical bearer token has an expiration time of 1-2 hours, these have an expiration time of one year, and are stored on the phone for reuse while the phone is logged in. In the event of a compromised phone, it is possible for an attacker to gain access to the bearer token and use it,” according to the report.

Loveless told Threatpost that he believes the Milwaukee Tool drill is the exception, not the rule, when it comes to IoT security. “As Milwaukee competitors are racing to catch up, they have raised the bar and made security a first thought – not an afterthought.”

Categories: IoT, Vulnerabilities

Comment (1)

  1. Anonymous
    1

    A possible solution to the continual attack on IOT, SoHo devices and network capable appliances in general, may lie in removal of the attack surface. We all know the easiest method is cracking the admin software, like the webgui (http), telnet, ssh, ftp, snmp and so forth.

    These things sit on these devices for years, rarely used, cept maybe during initial config. They are rarely part of the device’s update cycle. Vendors send out patches to make the product better but overlook the admin tools and the software stacks its made from. But web guis are a necessity these days, the average user just wants an easy way to config and forget.

    And with offboarding (toggle/switch based air gap) the admin tools and other rarely used features, would provide 100% protection, regardless of consumer IT skill and vendor lifespan. Products retain their ease of use when needed and secure when not, no longer easy pickings for quick botnet takeovers. Who cares if my IOT runs 2002’s bug ridden firmware, the stuff rapid bots exploit is not even connected to the mainboard, cept during that 5/10/15 min period i need to cfg my device.

    I just want hit the toggle switch with a built-in 10 min timer, so i can configure my net-enabled printer/fridge, etc via the webgui, when done the switch breaks (fail to safe spring) the connection and now my IOT is secure. Well least from the low hanging fruit, i know theres tons more vectors to attack from. I offboarded my wifi router, all vendors admin tools are on external storage, which i put into a drawer 10ft away, with no issues. When i need to cfg it, i just reconnect to storage device and web in, cfg and yank the storage device, simple, fast and secure. Would be easy to relocate all my IOT vendor admin tools from the devices to my USB stick and have one item to figure them all. And for vendors to implement this would be trivial.

Comments are closed.