To Mark Loveless, an internet-enabled cordless drill seemed like a perfect recipe for an IoT security nightmare.
Duo Security’s senior security researcher confessed that it sounded silly and quite possibly part of a push by the electronics maker to inject “smarts” into devices that ultimately turned them into hackable punching bags for adversaries to exploit. So when he examined an internet-connected Milwaukee Tool cordless drill he was pleasantly surprised to find the device’s “smarts” were implemented in a safe and responsible manner. The results of his findings are part of research published Monday, “Bug Hunting: Drilling Into the Internet of Things (IoT).”
“My expectations for security were very low for a smart drill,” Loveless said. “But after examining the security, I feel like there is hope that consumer-device IoT can be done the right way.”
The drill in question was a $250 Milwaukee Tool ONE-KEY M18 Fuel 1/2″ Drill/ Driver. The drill comes with an asset-management platform called One-Key. The platform allows tool owners to use a smartphone app or website to track the drill’s whereabouts using GPS technology. It also allows for remote custom configuration of equipment (such as the drill’s torque), or disable it should it be stolen.
When it comes to the world of IoT devices, there is no shortage of faulty security to keep experts such as Loveless skeptical. From IoT botnet-fueled Mirai to the co-opting of the Conficker worm to target hospital IoT devices, last year alone IoT malware activity more than doubled.
That is why after Loveless closely examined the drill he was impressed to find that the manufacturer appeared to have performed comprehensive threat modeling on the device, used reliable open source software libraries correctly, and implemented strong SSL encryption.
“If DVR and CCTV makers took the steps Milwaukee Tool did, Mirai wouldn’t have had a chance,” he said.
That’s not to say all was perfect. Loveless’ investigation found what he called “minor flaws.” One was that static passwords were hard-coded into the smartphone app. Also found, the power drill could be readily identified by a potential thief remotely via Bluetooth scanning.
“With a $100 Bluetooth antenna I could scan the neighborhood and find these expensive drills within a half-mile radius,” Loveless said.
During his research, it was also discovered that the GPS data used for inventory tracking could be spoofed. “Basically, if I stole your drill, I could fake the GPS data to make it look like another neighbor had the drill in his toolshed,” he said.
The big caveat to his research? “We are talking about a drill. If this were an insulin pump, pacemaker or security alarm these flaws would be a lot more serious,” Loveless confessed.
In all, four vulnerabilities were identified by Duo Security, generating two unique CVEs.
CVE-2017-3214 relates to the fact, “the ONE-KEY app includes master credentials in base-64 encoded format that are needed to obtain a bearer token. The bearer token allows for read-write access to information stored in Milwaukee Tool’s website.”
With CVE-2017-3215, the One-Key app has a bearer token that doesn’t expire and stays stored on the phone. “A typical bearer token has an expiration time of 1-2 hours, these have an expiration time of one year, and are stored on the phone for reuse while the phone is logged in. In the event of a compromised phone, it is possible for an attacker to gain access to the bearer token and use it,” according to the report.
Loveless told Threatpost that he believes the Milwaukee Tool drill is the exception, not the rule, when it comes to IoT security. “As Milwaukee competitors are racing to catch up, they have raised the bar and made security a first thought – not an afterthought.”