Inside the 72-hour hacking contest to take over your 'smart' home
The "Internet of Things" is all the rage in the technology space these days, as companies sell light bulbs controlled by your smartphone, thermostats that learn your routine, or door locks that open when you get home.
But unfortunately, many of these products lack basic security features, and that means they can probably be hacked. That point was made quite clear on Wednesday after Independent Security Evaluators shared exclusive results of its IoT hacking competition from the Def Con conference held in early August.
"The average person who is not in technology has probably never even thought of how something is hacked, but now when they realize the lock on the door of their house ... or the baby monitor that they use, there's research saying that someone can hack into the baby monitor," Ted Harrington, Executive Partner at ISE, told Business Insider. "That becomes much more real now for the average person."
ISE hosted the IoT Village at the world's largest hacker conference last month with the goal of bringing together experts to learn, network, and find security vulnerabilities in connected devices so they could be fixed.
Since it was the second year the contest was held, you might think manufacturers would be making it a lot harder for the hackers to find the flaws. Unfortunately, you'd be wrong.
'Bad security practices are still the norm'
Tucked away in a side room on the floor of the Bally's Hotel in Las Vegas, the IoT Village was one of many sections dedicated to a hacking subgroup, such as car hacking or lock-picking. But it may be one of the most important, since some 24 billion IoT devices will be online by 2020.
"The scope of attack surface is expanding," Harrington said, using a term for the different points where a hacker can gain access. "And not just attack surface, but the scope of vulnerable attack surface is expanding exponentially."
In response, the IoT Village was created in 2015 to give hackers, security researchers, and hobbyists alike a platform through which they could find problems and get them corrected. And so far, it's been a big success for the hackers - and a failure for the IoT manufacturers.
"Last year we proved the hypothesis that security vulnerabilities in connected devices is a systemic issue," Harrington said. "This is not isolated to a specific type of manufacturer or specific type of product but rather, all these connected devices are showing issues."
Researchers often found what were egregious flaws: Passwords written directly into the code for anyone to see, built-in backdoors, or devices that allow an attacker to execute malicious code over the Internet.
All told in 2015, the hackers in the village uncovered 66 different "zero-day" vulnerabilities - previously unknown and unfixed security issues - across 28 different device types from 18 manufacturers. This year, they found 47 exploits in 23 devices from 21 different manufacturers.
"This year what we were interested in understanding was, had anything significantly changed?" Harrington said. As it turns out, he said, "bad security practices are still the norm in IoT."
Hackers motivated by the hunt
There were two hacking contests in the village: One lets hackers search for zero-days, while the other pit them head-to-head in a digital "capture the flag" game for points. And once many of them got started, they didn't really stop for the next three days, except for the occasional bathroom break or to go to sleep in their room.
"They were sort of like the people in line when the iPod came out," Harrington said of some hackers who were there even before ISE showed up. "It's the hunt that really motivates them."
Researcher Anthony Rose of Merculite Security had a particular interest in locks: He owned everything from the world's first "smart" bike lock to another lock for the home that opens via a smartphone. As he found, a hacker could unlock these devices - often with minimal effort.
Others found problems with a Samsung smart refrigerator, an undisclosed thermostat, and a device that controls solar panels powering a home.
"I can shut down the equivalent of a small to mid-sized power generation facility," Fred Bret-Mounet told IoT Village organizers. "I can use that device as a Trojan within a target's network to spy on them. It looks very likely that I can remotely physically damage a solar array using this manufacturer's device."
In other words, Bret-Mounet claimed, a hacker could potentially spy on someone in their home through their computer webcam by first hacking the solar panels, since they are often connected to the same network.
The village also hosted workshops where experts guided attendees through hands-on demonstrations, and talks presented the latest research on what's happened over the last year. One researcher showed how he could ruin things inside a smart fridge via the Internet, for example.
"One of the researchers found a ransomware exploit - a way to leverage ransomware on thermostats - which was pretty cool," Harrington said.
While the thought of a criminal holding your fridge or thermostat hostage and asking for cash can be terrifying, Harrington says manufacturers are slowly improving, and the mindset toward research coming out of the village has changed even more.
It's also worth mentioning that a home computer or phone with plenty of personal data and documents is a much bigger target than the light bulb hovering over your kitchen table. The point of research in the IoT Village is less about demonstrating what hackers will do, but what they can do - as the ultimate goal is to influence companies to prioritize security.
"It wasn't that long ago, 10 years ago maybe, when security researchers, the way that companies dealt with them was actually through litigation," Harrington said. "The findings of security research out of places like IoT village, what they're doing is they're starting to make awareness about security issues start to weave its way into mainstream thinking."
Now if you don't mind, I have to go and change the password on my fridge.