The Dark Side of the Internet of Things

Recent security research and a high-tech scam point up a disturbing number of vulnerabilities in devices and technologies that people have come to rely on. As more devices get linked together in an Internet of Things, the dark side of all the connectivity must be understood.

Case in point is the security implications that came from one researcher whose original goal was to scan the entire IPv4 address space. To do so, the researcher (who has not disclosed his or her identity), created a small software package for scanning IP addresses that could be remotely installed on unsecured devices. "Playing around" with the Nmap Scripting Engine (NSE) and using several basic username password combos, including "root:root" and "admin:admin" the unidentified researcher was able to log in to 420,000 devices and install the scanning code--in effect creating a botnet that the researcher could use to ping the Internet.

Many of the devices were consumer-grade routers and set-top boxes, according to a story in The Register, but the researcher also netted "Cisco and Juniper hardware, x86 equipment with crypto accelerator cards, industrial control systems, and physical door security systems," according to the story.

In other words, embedded intelligent devices are just as liable as PCs, servers or smartphones to be drafted into botnets or hijacked by attackers. As more companies link up remote sensors, building-automation systems, data-center systems and other industrial machinery, the number of potential points of penetration or points of attack increase as well. Embedded devices pose a particular danger to large, highly automated enterprises as well as any IT operation that uses automated monitoring to keep tabs on its more expensive equipment. Data centers, for example.

Where Am I?

Other research demonstrates the potential exposure in navigation systems. Thanks to the ubiquity of GPS chips in smartphones and turn-by-turn navigation services like those from Google and Waze, hackers could cause real-world traffic jams or send victims off on wild goose chases by compromising those navigation systems, according to a German doctoral student who demonstrated his technique at BlackHat Europe earlier this month.

The protocol used by Google Maps and other services is encrypted using Transport Layer Security (TLS), which operates like a VPN for GPS, theoretically preventing hackers from changing the signals without Google hearing about it.

However, attackers running man-in-the-middle attacks on the end points of TLS connections can insert themselves into the network early enough to be considered a legitimate user by the network's owner, according to Tobias Jeske, a doctoral student at the Institute for Security in Distributed Applications of the Hamburg University of Technology.

Attackers can then alter the GPS data at will, sending victims anywhere but their destinations or misdirecting thousands of vehicles to cause traffic jams.

A far more common use for the exploit, however, would be to compromise the location data of a victim by using smartphone Wi-Fi like ordinary wireless access points, according to Jeske, who also presented a protocol to prevent both exploits and benchmarks for its performance.

Even without a special protocol, Jeske said, it is possible for carriers to limit this vulnerability by linking location information with the one-time authentication data smartphones use to get access to their own networks.

Finally, scam artists in Australia found a way to take control of security cameras inside a casino to cheat at poker. Somehow--it's not clear yet--members of the gang were able to get remote access to cameras in the high-stakes rooms within the Crown Melbourne casino. A member of the gang, posing as a high roller, was invited by the casino to play in the high-stakes room. His confederates used the cameras to spy on opponents and signal him via wireless device the contents of the other players' hands. The gang was able to beat opponents out of Aus$33 million (about US $33.2 million).

What does all of this mean for data center operators? That if you haven't already, it's time to start paying attention to the myriad devices being linked together, from computers to cameras to industrial control systems, and to find out just how open, and vulnerable, they are.