Internet of Broken Things

By Dr. Neal Krawetz

I was recently walking through a Best Buy and I saw the strangest thing. They had two different alcohol breath analyzers for sale. My immediate thought was: nothing says “you have a serious problem” like owning your own breathalyzer. Looking online, they have even more makes and models of these devices available.

But then I started thinking… Maybe these are for responsible drinkers who want to make sure they are sober before driving. Or maybe they are court mandated for people who were caught with a DWI/DUI (driving while intoxicated / driving under the influence). (As a non-drinker, this isn’t a concern that I have for myself. I can see this being a real issue for other people.)

So maybe people want or need a personal alcohol breathalyzer. But seriously: some of these devices track your alcohol level throughout the day. (As Celia Rivenbark wrote, “You can’t drink all day if you don’t start in the morning”.) And some automatically post your sobriety level to social media, as if that were a badge of honor.

Then again, these breathalyzers are part of the Internet of Things (IoT). And the IoT is broken.

Boiling Over

Earlier this week, an internet-enabled hot water pot called “iKettle” was found to have a serious security vulnerability.

But let’s back up a moment… Why would anyone want an internet-enabled tea pot? According to the description at Amazon, this device allows you to start boiling water remotely from your smartphone. You can even set the temperature. This way, your tea and crumpets (or Ramen noodles) won’t need to wait those extra few minutes for the water to get hot. (And I must add sarcastically: isn’t the extra five minutes in savings worth the $191 + free shipping?)

The iKettle works by connecting to your wireless network, giving it internet access. This way, your smartphone or other devices can communicate with the iKettle remotely. With the swipe of an app, you can tell your iKettle to start boiling the water so you can have hot water the instant you get home.

Here’s the problem: Your wireless network has a name (the SSID). The iKettle will connect to any wireless network that uses the same name. So an attacker can set up their own wireless network that uses the same name (the same SSID) and the iKettle will connect to it. From there, the attacker can issue a set of commands and the iKettle will reveal the password to your wireless network. This is a very common attack method, called an “Evil Twin” attack.
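To make the SSID-only weakness concrete from the defender's side, here is an added example (not from the original post and not the iKettle's own code) that compares name-only network selection with a check against a stored profile, and flags look-alike beacons in a scan. The `Beacon` type, the `BASELINE` profile, the `HomeNet` name and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # access point MAC address
    security: str    # e.g. "WPA2-PSK" or "OPEN"
    signal_dbm: int

# Hypothetical baseline: what the legitimate network is known to look like.
BASELINE = {
    "HomeNet": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2-PSK"},
}

def naive_choice(scan, ssid):
    """SSID-only selection, the behaviour the article describes: the strongest
    beacon carrying the right name wins, whoever sent it."""
    matches = [b for b in scan if b.ssid == ssid]
    return max(matches, key=lambda b: b.signal_dbm, default=None)

def audit(scan, baseline=BASELINE):
    """Return (beacon, reason) for each beacon that reuses a known SSID
    but deviates from the stored profile."""
    findings = []
    for b in scan:
        known = baseline.get(b.ssid)
        if known is None:
            continue  # not one of our network names
        if b.security != known["security"]:
            findings.append((b, "security mode differs from baseline"))
        elif b.bssid.lower() not in known["bssids"]:
            findings.append((b, "unknown BSSID for this SSID"))
    return findings

def strict_choice(scan, ssid, baseline=BASELINE):
    """Pick only among beacons that match the stored profile for this SSID."""
    flagged = {b for b, _ in audit(scan, baseline)}
    ok = [b for b in scan
          if b.ssid == ssid and ssid in baseline and b not in flagged]
    return max(ok, key=lambda b: b.signal_dbm, default=None)

# Constructed scan results (not captured data).
SAMPLE_SCAN = [
    Beacon("HomeNet", "aa:bb:cc:00:00:01", "WPA2-PSK", -61),
    Beacon("HomeNet", "de:ad:be:ef:00:99", "OPEN", -40),
    Beacon("CoffeeShop", "11:22:33:44:55:66", "OPEN", -70),
]

if __name__ == "__main__":
    print("SSID-only pick:", naive_choice(SAMPLE_SCAN, "HomeNet").bssid)
    print("Strict pick:   ", strict_choice(SAMPLE_SCAN, "HomeNet").bssid)
    for beacon, reason in audit(SAMPLE_SCAN):
        print("ALERT", beacon.ssid, beacon.bssid, reason)
```

A BSSID can be cloned, so the allow-list is a monitoring aid rather than authentication; the check that matters most is refusing a network whose security mode is weaker than the stored profile.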

Of course, the puns related to this device started flowing immediately.

  • iKettle leaks passwords
  • Steep cost for security
  • Let’s hope that the tea isn’t as weak as the security
  • Consumers boil over at iKettle vulnerability
  • This certainly isn’t a cup of excellence
  • iKettle is in hot water over security vulnerability

Inherent Defects in Internet of Things (IDIoT)

Let’s get past whether you think that your teapot or refrigerator or television or treadmill or fish tank should be internet-enabled. Some people think that this is a waste of network resources, while others think that everything should be online.

There are really two big issues here: security and maintenance. The number of people who know how to put things online dwarfs the number of people who actually understand computer security risks. (Just because you know how to program does not mean you understand computer security.) I bet that the people who developed the iKettle didn’t think twice about network security. Or worse: they thought they knew but really didn’t. (Seriously: revealing the wifi password to anyone on the network is a beginner’s mistake.) And while some people might think “it’s just a kettle!”, you need to remember that this IoT device can be used to easily compromise the entire home or office network.

Maintenance is another key issue with IoT. The Internet already consists of many obsolete technologies. For example, Microsoft repeatedly tried to obsolete Windows XP, and finally dropped support in 2014. However, according to NetMarketShare, systems running Windows XP still account for over 12% of computers online.
A major problem is that newer operating systems require newer computer hardware. The cost to upgrade hardware, including upgrading any legacy applications, makes it more affordable and desirable to continue running obsolete equipment. Similarly, many smartphones cannot be easily updated; they are considered disposable technologies. Users typically buy a new phone rather than updating an existing device, and that is assuming that upgrading is a viable option — often it is not. In addition, efforts are being made by carriers to keep older devices in service for longer durations even though vendors end their product support.

This issue with legacy devices will also become a problem with IoT. Unless steps are taken today to outline upgrade paths, IoT will result in the widespread use of old, unpatched, and unsupported technologies that will likely pose significant risks to the network and personal privacy.

It’s not “bloat”; it’s a feature!

Preloaded applications and services, commonly called bloatware, pose another significant risk for the IoT. Vendors and manufacturers have an incentive to include these features. Desktop computers, laptops, tablets, and smartphones typically come preloaded with applications. As noted in The New York Times, “Software companies pay hundreds of millions of dollars to PC makers like Hewlett-Packard to install their photo tools, financial programs and other products, usually with some tie-in to a paid service or upgrade.” Some applications require a user to start them. However, other services run automatically, regardless of whether the consumer uses the service. On my own smartphone, Google Maps and Cloud Backup keep starting up, even though I don’t use Google Maps and I never configured the cloud backup service. (In fact, I changed cellphone providers, so the T-Mobile backup app just keeps failing. Yet another reason that T-Mobile sucks.)

Undesirable and unused bloatware typically accounts for a significant drain on the available battery life. It can also pose significant security risks to the device. On many mobile devices, these pre-loaded trial versions of software cannot be deleted from the device and cannot be disabled. When installing an application from iTunes or the Android Store, users can view the necessary access privileges and choose to install the software. In contrast, preloaded applications offer the user no choice and no means to identify the access requirements.

Real Internet of Things Security: RIOTS

While the IoT offers an incredible opportunity to make everything more automated, it also has some serious limitations. Vendors have more opportunity to preload devices with undesirable applications, there is no quality control, and obsolete and unmaintained devices pose serious risks to reliability, personal privacy, and system security. It may sound like fun to put everything online, but it really depends on what you consider “fun”.

October 24, 2015 at 11:24PM
via The Hacker Factor Blog