Hacking for fun and profit: How one researcher is making IoT device makers take security seriously
We should all be so lucky to enjoy our work as much as Ken Munro does.
Generally attracted by research that “looks fun” and particularly interested in probing the security of technologies that have yet to be comprehensively investigated by security researchers, for the past few years Munro has been poking and probing consumer Internet of Things devices, and doing things such as denial of service attacks on Wi-Fi-enabled kettles, or showing that you can make a Bluetooth-enabled doll swear and listen in on users.
His “fun” research often leads to better security for all of us. For example, his probing of the Smarter iKettle and public revelation of its security issues has ultimately led to a secure product.
As he recently shared with the audience at the World Cybersecurity Congress in London, the security of the first iKettle iteration was simply abysmal: a plaintext connection, a guessable default password that could also be found in manuals available on the Internet, and the companion app’s use of ancient commands that could allow attackers to easily discover the encryption key of the user’s Wi-Fi network.
After sharing these discoveries with the manufacturer and not getting a response for six months, he went to the BBC. They did a piece on it and, suddenly, the manufacturer got in touch. They dismissed the attacks as too technically advanced for most and needing specialist equipment, but obviously got the message that security is important.
The second iteration of the iKettle sported security improvements, though not enough of them; with the third one they finally got it right.
“I think we need to give the kettle manufacturer some credit, actually. I know those were some very serious flaws, but they’ve been very responsible since the first iteration, and have a really great, secure product now. So, if you want to boil your kettle remotely, look for that version,” Munro concluded.
Vulnerability disclosure
When doing this type of unpaid research, Munro and his colleagues at UK-based Pen Test Partners first share their discoveries with the manufacturer. Depending on how the manufacturer reacts, they decide on the next move.
Their vulnerability disclosure policy is quite clear, though they might decide to deviate from it should they believe it is required for the protection of public safety or privacy. In the iKettle case, they went public with the information as the manufacturer refused to respond while continuing to sell these products and exposing users to risk. In the end, it was obviously the right choice in that particular situation.
“We have to go through a responsible disclosure process, but when the vendors won’t listen we’re in an ethical dilemma: we need to make sure the market knows about the security flaws and people can make informed decisions about buying specific products, but at the same time we don’t want to expose people who got the product already,” Munro notes.
“So it’s always a very difficult decision when the vendor doesn’t want to play ball. I think that’s where you have to try and publish workarounds and draw attention to the issue so that people can take their own actions.”
IoT insecurity affects everybody
We’ve already witnessed how insecure consumer devices can affect infrastructure we all depend on: the Mirai attacks temporarily brought down many widely used Internet services.
The fact that someone could, for example, repeatedly switch off and on a large number of power-guzzling electrical appliances should worry us, Munro says, as the electrical grid can get destabilized and go down. In the hands of nation state attackers, this capability can be eminently destructive.
The problem with IoT (in)security is that the hardware and firmware are literally in the hands of the customers and potential attackers.
Consumer IoT devices – both new and used – are accessible to most, and the manufacturers often publish specs, manuals, and firmware online. The firmware is also often easy to extract from the device itself, and reverse-engineering it is not that difficult for those who know what they are doing. The same can be said for companion apps. And once attackers have access to that code, they can learn how to take advantage of the bad coding and security practices they find.
In general, though he often points out how certain IoT offerings are effectively pointless, Munro seems optimistic about the future of IoT security.
There is progress, he says. Consumer pressure is ramping up, countries are prohibiting the sale of insecure smart toys, and there are some good standards for manufacturers to follow if they want to get security right. What is missing, though, is regulation and legislation.
“I think we need regulation to stop manufacturers selling us stuff that isn’t secure enough, I think we need legislation to make sure they cannot bring such a product to market and, in the meantime, we need some litigation,” he noted.
About Pen Test Partners
Not all security testing Munro and Pen Test Partners do is for fun, although they lean heavily towards accepting interesting and unusual jobs. In fact, without outright advertising, the company has gained a global reputation for “thinking a bit differently.”
“We’ve always tried to blaze the trail in new technology areas,” he says. “The sort of jobs we tend to turn down tend to be those that are more basic and mundane – that’s not to say we don’t do them, mainly for our larger clients – but our expertise is of more use in those slightly more unusual sectors.”
The company – a partnership with an unusually flat structure that allows good people to float to the top – is always searching for unusual skill combinations.
For example, they’ve been doing a lot of research on maritime shipping security, and they have some former ship crew members on the team who really understand bridge and propulsion systems. An expert penetration tester who understands ships is really unusual and rare, he notes, as not many people move from shipping into pentesting.
“It’s always tough to find people with really good hardware reverse engineering skills, as it’s quite a rare skillset,” he also shared.
Still, they don’t have too much difficulty attracting good people because of the research they do. They can invest funds and resources into interesting projects, buy expensive things just to destroy them, and there are always people interested in that.