The Internet of dangerous, broken things

Security expert Matthew Garrett found himself in a hotel recently with Android tablet based light-switches and a few hours later he could have had control of the electronics in every hotel room.

Matthew Garrett, the well-known Linux and security expert who works at CoreOS, was in a London hotel recently where the light switches had been replaced by Android tablets. Garrett, a hacker's hacker, decided to see what they were doing. A few hours later Garrett had access to the electronics in every room.

Andorid Hotel

Security? In the Internet of Things? Surely you jest!

Matthew Garrett

Oh boy.

While Garrett is a security expert, this feat didn't require any elite cracker skills. Garrett explained he unplugged a tablet and put his laptop into the link. He then set up a transparent bridge. That's trivial for any Linux network administrator. He then used the popular network protocol analyzer WireShark to analyze the traffic.

He quickly found that the devices were using the Modbus protocol. This is an, ancient, serial protocol used to control program logic controllers (PLC)s, aka simple electronic devices. "Modbus is a pretty trivial protocol, and notably has no authentication whatsoever," observed Garrett. I'll add that it has no security whatsoever.

Tcpdump revealed that the traffic was being directed to the IPV4 address 172.16.207.14. A little bit later, with pymodbus, an open-source Python implementation, Garrett was happily "controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!"

Then he noticed that his room number was 714 and his IP address ended in 7.14. Could it be? Could it possibly be?

Yes! Yes, it was

"It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well."

He resisted the temptation to set room lights to full and open curtains at 3AM. And he didn't check to see if he might "open door room 614." Surely, that's on a different, more secure system. ... I hope.

In a related, but far sillier episode, a recent NPR episode on Amazon Echo caused several Echo devices to start responding to its default attention word "Alexa" during the broadcast.

Do you think that Echoes should use programmable wake words? I, and, my fellow ZDNet writer, David Gewirtz do.

What do these episodes have in common? In both cases two early model Internet of Things (IoT) devices showed that they have no security to speak of.

Internet of things: Sillier and scarier and coming your way

How many software updates does it take to change a light bulb? What happens when a blast furnace gets hacked? Seriously: Security looms as the elephant in all of our IoT rooms.

Yes, Garrett is a security professional, but he didn't need any of those skills. Anyone with some network savvy could have done the same. As for the Echo incidents, the gadgets "hacked" themselves.

This is only the latest of a long series of trivial IoT security exploits. There was the live Internet baby monitor feed and the remotely hackable Nissan Leaf car.

The Internet of Things has sounded cool to me ever since I saw Star Trek where computers were everywhere and you could work with them by simply speaking into thin air. The reality's not nearly as much fun.

The US Director of National Intelligence James Clapper recently warned us that "Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems."

Minimal? Minimal!? We're already living with IoT devices with no built-in security. Unless we require our IoT devices to have real security now -- not tomorrow, today -- we are going to see a crime wave like none we've ever seen before.

Related Stories:

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All