As the security research community (and me) has been saying for years, the Internet of Things is really an Internet of insecurity and researchers have now demonstrated that in a noisy way.
Researchers at the University of Michigan and Microsoft (yes, really, THAT Microsoft) have published a paper that they are going to present at the IEEE Symposium on Security and Privacy this month that demonstrates hacking the Samsung Smarthome IoT hub.
Two hacks that they demonstrated (and there are more) were randomly setting off fire alarms (just think about what that could do in a movie theatre, arena or office building) at any random time and over the Internet and inserting a hidden PIN into a door lock so that they can unlock the door from anywhere in the world on demand.
Obviously, the impact of these hacks depends on what the Smarthome system is controlling. If you turns the lights on and off, that is annoying. If you unlock the door for a burglar, that is more than annoying.
What the researchers figured out how to do was to masquerade as a legitimate user using bugs or poorly designed security.
The result of this, of course, is that the researchers, AKA hackers, can then do anything that a legitimate user can do.
One attack allows the hacker to steal the legitimate user’s credentials and could be implemented in a way to compromise a mass number of systems.
The other three attacks that they found require the user to download a piece of malware, but since users, pretty much, click on anything, that is not really a very high bar.
Samsung says that they have been recently working with the researchers to figure out how to fix the problem, but say that the problem is the fault of developers who don’t follow Samsung’s guidelines. Nice try, but the problem is Samsung’s.
The researchers say that Samsung has not fixed any of the problems that they have found.
To validate that users really will install damn near anything, the researchers asked 22 people and found that the vast majority would be interested in a “battery monitoring app”, whatever that is.
The researchers say the underlying problem is what they call “over privilege”, where the app has more privileges than it really requires. They found that more than half of 499 apps that they tested had more privileges than they should. This, of course, is not limited to the Internet of Things. I talked about this in Windows last month.
And of course, Samsung is one of many, many vendors offering smart home / smart office capabilities. Some may test better than Samsung but others may test worse.
Your mileage WILL vary, so the rule is Caveat Emptor. For right now, you might want to stay away from anything health, safety or security related. For quite a while.
Information for this post came from Wired.