Internet of Crappy Things, part 2: RSA conference edition

The annual RSA Conference in San Francisco, California of Internet-of-things insecurity and how no amount of money can fix computer security.

SAN FRANCISCO — It’s an utterly played out platitude that the security industry is largely failing at its mission to protect computers and networks and all the nearly infinite data transiting the Internet.

It’s inarguable that properly securing traditional and general computing devices is a massive challenge. For the better part of the last decade, mobile has presented the industry with a new and similar set of challenges. It’s probably not a stretch to say that the fight to secure traditional and mobile computers is tipped severely in favour of the attackers, ethical, malicious and otherwise.

Walking the show floor at the RSA Conference in San Fransisco’s Moscone Center presents an absurd and ironic reality. There is some unknown number of millions of dollars invested in vendor booths, the purpose of which is to hawk of a multitude of security products and services to an equally multitudinous hoard of security professionals. Meanwhile, despite the vastly larger investments required to develop these products, people like Billy Rios, who famously gave an airport security hacking presentation last year, and David Jacoby are delivering hacking demos in which they wrest total control of home automation systems, networks and consumer devices.

To be fair, much of the business going on here at RSA is the business to business. This is not a consumer security conference by any stretch. Still, recent headlines and the relentless torrent of global security conferences pretty clearly demonstrate that computers are insecure, whether they’re in your home or in your office. Despite this, the broader tech industry is aggressively pursuing the bright idea to connect more and stranger things to the Internet on an exponential scale. This is the so-called “Internet of things,” and it’s not secure either.

Therefore it comes as little surprise that Billy Rios, founder of the security firm Laconicly, exploited a two year old vulnerability in a Vera smart-home automation device, which in turn offered him total access to that device’s network and all the computers attached to it.

Rios exploited a cross-site forgery request vulnerability in the Vera home automation system and forced it to accept a modified firmware update. More specifically, Rios used a phishing scheme in which he compelled his (hypothetical) victim to visit a malicious website with a bit of embedded malvertising.

The Vera device’s firmware update mechanism is then turned off, and Rios uploaded his own firmware, which, in this case, was a playable copy Pac-Man. His “malicious” firmware is fun, but the point is that he could upload whatever he wanted to a device designed to control hundreds of other IoT devices, like smart locks, thermostats, lights, alarm systems and garage doors to name a few.

Kelly Jackson Higgins of Dark Reading is reporting that Vera will fix the bug with a yet to be released firmware update.

One day later, Kaspersky Lab senior security researcher, David Jacoby, deployed a mixture of malicious code, exploits and phishing techniques to compromise a network storage device attached to his home network in Sweden. His presentation is part of a larger home hacking project, which the Kaspersky Daily has documented at length.

Jacoby probably put it best he said that most of the vendors making these products simply do not care about the various security vulnerabilities he reported to them. Network segmentation, he said, is likely the best mitigation for these holes. Unfortunately, network segmentation is a fairly complicated fix for your average users.

About 20 minutes after Jacoby’s talk, Yier Jin, a hardware hacker and assistant professor at the University of Central Florida, showed us a backdoor in Nest’s wildly popular smart thermostat devices.

Jin found a backdoor in Nest devices which allowed him to install malicious firmware on those devices. In addition to that, he found ways to monitor the gobs of data that Nest devices relay to Nest’s cloud servers. This, he explained, is often sensitive data. If properly monitored, an attacker could make all sorts of determinations about when a Nest user is or is not home. On a more principled level, there is no way for the user to opt out of this data collection. If that wasn’t enough, Jien’s root access could allow him to pivot to other devices on the same network, brick the Nest device, see plain-text network credentials and more.

TL;DR — Despite hundreds of billions of dollars in security investment, traditional computers, let-alone the so-called Internet of (crappy) Things, remain hopelessly exposed to attacks.