Matthew Garrett, the well-known Linux and security expert who works at CoreOS, was in a London hotel recently where the light switches had been replaced by Android tablets. Garrett, a hacker's hacker, decided to see what they were doing. A few hours later Garrett had access to the electronics in every room.
While Garrett is a security expert, this feat didn't require any elite cracker skills. Garrett explained he unplugged a tablet and put his laptop into the link. He then set up a transparent bridge. That's trivial for any Linux network administrator. He then used the popular network protocol analyzer WireShark to analyze the traffic.
He quickly found that the devices were using the Modbus protocol. This is an, ancient, serial protocol used to control program logic controllers (PLC)s, aka simple electronic devices. "Modbus is a pretty trivial protocol, and notably has no authentication whatsoever," observed Garrett. I'll add that it has no security whatsoever.
Tcpdump revealed that the traffic was being directed to the IPV4 address 172.16.207.14. A little bit later, with pymodbus, an open-source Python implementation, Garrett was happily "controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!"
Then he noticed that his room number was 714 and his IP address ended in 7.14. Could it be? Could it possibly be?
Yes! Yes, it was
"It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well."
He resisted the temptation to set room lights to full and open curtains at 3AM. And he didn't check to see if he might "open door room 614." Surely, that's on a different, more secure system. ... I hope.
Do you think that Echoes should use programmable wake words? I, and, my fellow ZDNet writer, David Gewirtz do.
What do these episodes have in common? In both cases two early model Internet of Things (IoT) devices showed that they have no security to speak of.
Yes, Garrett is a security professional, but he didn't need any of those skills. Anyone with some network savvy could have done the same. As for the Echo incidents, the gadgets "hacked" themselves.
The Internet of Things has sounded cool to me ever since I saw Star Trek where computers were everywhere and you could work with them by simply speaking into thin air. The reality's not nearly as much fun.
The US Director of National Intelligence James Clapper recently warned us that "Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems."
Minimal? Minimal!? We're already living with IoT devices with no built-in security. Unless we require our IoT devices to have real security now -- not tomorrow, today -- we are going to see a crime wave like none we've ever seen before.