TENERIFE, Spain–When it comes to the internet of things, it isn’t Wi-Fi that scares Chris Rouland, it’s the whole wireless spectrum, constantly being updated with new and poorly secured protocols.
Since these protocols can be reverse engineered so easily, he stressed the modern-day equivalent of the Melissa worm, but for IoT devices could be imminent.
Rouland, the founder, chairman and CEO of Bastille, a company that specializes in IoT security, broke down just how easy it can be to hack certain devices during his talk today at the Kaspersky Lab Security Analyst Summit.
At this point, everyone’s cognizant of the numbers that have been thrown around. Namely Gartner’s prediction that by 2020 there will be 50 billion devices connected to the internet, a figure that roughly breaks down to 15 million new devices – many which will be vulnerable – every day.
Rouland attributed many of the vulnerabilities to an increasingly splintered attack surface: Attackers can try to compromise devices through hardware, firmware, wireless, cloud infrastructure – so on and so forth. That’s three to four times as many vectors as there used to be.
At one point he described an earlier job he held at Lehman Brothers on Wall Street in the ’90s and recalled a Network General packet sniffer that cost a pretty penny, roughly $25,000.
Now anyone can get a miniature packet sniffer for as little as $6 on Amazon.
“Many of these devices are implemented or built with homegrown encryption that hasn’t been reviewed,” Rouland said. “Proprietary encryption is always a bad thing, it never works out.”
Rouland named a slew of devices that have been compromised over the last few years, most of them as a result of shoddy security.
Vulnerabilities that surfaced in relatively new protocols such Zigbee, which powers streetlights in New York City and data centers, and Z-Wave, a security layer behind door locks, were brought up, as were issues in wearable devices such as Fitbit and more critical vectors such as smart meters and lighting systems.
“CIOs have no idea, no one does really, what’s in their airspace unless they have the right tools to go looking,” @chris_rouland #TheSAS2016Tweet
“CIOs have no idea, no one does really, what’s in their airspace unless they have the right tools to go looking,” Rouland said.
Rouland discussed another instance of faulty IoT security when he described some research he helped carry out on a smart refrigerator that Samsung donated. For some reason it had a connection to users’ Google calendars, and even worse, failed to validate SSL certificates, making it vulnerable to man-in-the-middle attacks. The vulnerability left login details accessible to anyone who could access the Wi-Fi and was really the root of Rouland’s concerns.
“You need to think far beyond Wi-Fi and about the amount of privacy data being sucked up ad infinitum,” Rouland said, “When you click on the user agreement, you agree to become the product.”