How a Security Researcher Works to Protect Vulnerable IoT Devices

Device manufacturers were quick to capitalize on the rise of the Internet of Things (IoT) and on what could be achieved if so-called smart devices could communicate with each other. However, in the rush to bring these devices to market, many hardware manufacturers failed to secure them properly, for example by not actively encouraging users to change their device's default credentials. According to Security Today, experts estimate that by 2020, 31 billion IoT devices will be installed, which could put businesses and consumers at risk of attack. Craig Young, a senior security researcher at Tripwire, has spent his time and effort protecting these devices, and chances are that if you own an IoT device, Craig has studied it. TechRadar Pro spoke with Craig about what led him to become a security researcher, and he also gave more details on his recent discoveries of a vulnerable smart lock and of a location privacy vulnerability in two of Google's most popular consumer products.

Can you tell us a little more about your work with Tripwire's Vulnerability and Exposure Research Team (VERT)?

My job as a Senior VERT Security Researcher is incredibly varied, and I often wear multiple hats throughout the week or even the day. My job is to stay on top of low-level security trends and to be able to switch from one technology or feature to another at any time. In addition to writing numerous remote vulnerability tests for IP360, I am regularly involved in internal security policy guidance, as well as aspects of the secure design of Tripwire products. I also spend a lot of time reading and experimenting. This has led to my own research projects, some of which ended up being the subject of presentations or even courses at renowned security conferences such as Black Hat, DEF CON, and SecTor.

What led you to go from engineer to security researcher?

Whether exploring the mall's COCOTs as a preteen or showing the high school administrator how easily I could access the grading system, I have always been drawn to the security aspects of technology and have been fortunate to be able to make a career out of it.

What are the biggest threats to IoT device security today, and how can device manufacturers make their connected products more secure?

There are many risks associated with IoT depending on the application, but overall the biggest risk from my perspective is the possible destabilization of the Internet as a result of the compromise of a large IoT provider. An attacker who gains access to the cloud infrastructure of a popular IoT device could potentially deliver malware to homes and offices around the world. The damage from such a sophisticated attack could eclipse that of Mirai or even WannaCry or NotPetya.

Smart lock

(Image credit: Wikimedia)

You recently discovered a vulnerability in a popular brand of smart locks. Can you tell us more about what you discovered and what prompted you to investigate smart lock security in the first place?

On this particular smart lock, I found that the vendor had left the door open for attackers. Specifically, the message queue broker used did not require a username or password and allowed anyone in the world to exchange messages with any of the vendor's cloud-connected locks. By connecting to the vendor's cloud anonymously and then unlocking my test lock, I was able to observe a cryptographic token for unlocking the door. That message could then be replayed to open the door. Other messages could also be sent to prevent someone from opening the door with the keypad or fingerprint reader, or to keep their app locked out indefinitely. However, the way I found this vulnerability was a bit unusual. Rather than starting with a specific product and looking for vulnerabilities, I started by looking at the MQTT protocol commonly used in IoT and searching for data exposures. I found this lock vendor by searching data indexed by the Internet search engine Shodan for email addresses and terms relevant to IoT. The server came to my attention because Shodan had indexed several hundred email addresses being published by it as MQTT topic names.
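The replayable unlock token described above, as an added example that is not from the interview or the lock vendor: a weak lock that trusts a static token (so an observed message opens the door again) beside a hardened one that issues a single-use, short-lived nonce and checks an HMAC over it; the device id and secret are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed per-device secret shared between the vendor cloud and the lock (not a real key).
DEVICE_ID = "lock-0001"
SECRET = b"constructed-per-device-secret-not-a-real-key"


class StaticTokenLock:
    """Weak design: any message carrying the right static token unlocks the door,
    so a copy observed on an open broker works as often as it is resent."""
    def __init__(self, token: str):
        self.token, self.opened = token, 0

    def handle(self, msg: dict) -> bool:
        if msg.get("cmd") == "unlock" and hmac.compare_digest(msg.get("token", ""), self.token):
            self.opened += 1
            return True
        return False


def mac(nonce: str, cmd: str) -> str:
    """HMAC over device id, lock-issued nonce and command; replaces the static token."""
    return hmac.new(SECRET, f"{DEVICE_ID}|{nonce}|{cmd}".encode(), hashlib.sha256).hexdigest()


class NonceLock:
    """Hardened design: the lock issues a short-lived, single-use nonce and accepts only
    messages whose MAC covers that nonce, so a captured message cannot be replayed."""
    def __init__(self, ttl: float = 30.0):
        self.ttl, self.pending, self.opened = ttl, {}, 0

    def challenge(self, now: float) -> str:
        nonce = os.urandom(16).hex()
        self.pending[nonce] = now + self.ttl  # expiry time for this nonce
        return nonce

    def handle(self, msg: dict, now: float) -> bool:
        expiry = self.pending.pop(msg.get("nonce", ""), None)  # consumed on first use
        if expiry is None or now > expiry:
            return False  # unknown, already used, or expired nonce
        if not hmac.compare_digest(msg.get("mac", ""), mac(msg["nonce"], msg["cmd"])):
            return False  # tampered command or wrong secret
        if msg["cmd"] == "unlock":
            self.opened += 1
        return True


def replay_results() -> dict:
    """Send one legitimate unlock to each lock, then resend the identical message."""
    weak = StaticTokenLock("static-unlock-token")
    weak_msg = {"cmd": "unlock", "token": "static-unlock-token"}
    weak_first, weak_replay = weak.handle(weak_msg), weak.handle(weak_msg)
    strong = NonceLock()
    nonce = strong.challenge(now=1000.0)
    strong_msg = {"cmd": "unlock", "nonce": nonce, "mac": mac(nonce, "unlock")}
    strong_first, strong_replay = strong.handle(strong_msg, now=1001.0), strong.handle(strong_msg, now=1002.0)
    return {"weak": (weak_first, weak_replay), "strong": (strong_first, strong_replay)}
```

The nonce design still depends on the broker requiring authentication and TLS; otherwise an anonymous client can still send lockout or other control messages even though it can no longer replay an unlock.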

How can a hacker exploit a smart speaker to obtain information about its owner? Do you think these devices pose a serious threat to user privacy?

An example is presented in my previous research. In this scenario, the attacker could obtain a precise geographic location of the smart speaker after anyone connected to that network loaded malicious content in a web browser via a direct link or an embedded advertisement. Google addressed this problem by adding protections against DNS rebinding attacks. The other attacks I know of tend to fall into two main categories: malicious apps and sending unauthorized voice commands. In the first category, various research groups have looked at ways in which a malicious developer can eavesdrop on conversations taking place around the smart speaker. The second category often involves applied physics techniques that allow one to interact with the speaker from outside the home. The most effective technique in this regard appears to be the use of lasers to induce sound directly in the device's microphone. Personally, I'm not too concerned about hackers exploiting smart speakers. It's important to know what third-party content you enable and what access you give the smart speaker, but ultimately, with the current generation of devices, I'm not too concerned about targeted malicious hacking. I am much more concerned about the likelihood that the vendors themselves will exploit their access to our homes by selling the information they obtain about us to advertisers or even law enforcement.

Glasses in front of a computer screen

(Image credit: Kevin Ku / Pexels)

Of all the vulnerabilities you discovered, which was the most interesting and why?

From a technical point of view, my research on cryptographic vulnerabilities has been very interesting. In 2018, I had the opportunity to co-write The Return of Bleichenbacher's Oracle Threat (ROBOT) with Hanno Böck and Dr. Juraj Somorovsky. In addition to the deeply intriguing flaws we uncovered, this research required us to identify and coordinate with a long list of affected vendors for disclosure on a scale we hadn't previously been involved in. It also earned me a Pwnie Award at Black Hat that year and gave me the spark to explore other crypto problems, such as GOLDENDOODLE and Zombie POODLE, which I disclosed in 2019.

IoT

(Image credit: Shutterstock)

What advice would you give a business considering adopting IoT or other connected devices?

As with any technology adoption, companies must weigh the potential benefits against the potential risks. Organizations must also view these investments in the broader context of their business and operational capabilities. Decision makers need to consider the different what-if scenarios to fully understand what they are getting into with IoT. Here are some questions to ask:
- What happens if X's data falls into the wrong hands?
- Can an attacker on this system access or disrupt company resources?
Beyond that, there are other things to consider regarding the vendor and the specific security precautions it takes. Ideally, vendors should have secure design processes in place, including formal threat modeling, external security review, and authenticated update delivery. Unfortunately, this type of information is not usually available to most consumers, but I hope that in the future there will be independent organizations evaluating vendors based on these and other indicators.