At Infosecurity ISACA North America Expo and Conference in New York this week, Ken Munro, partner at Pen Test Partners, took visitors on what he referred to as a “scary, creepy tour” of IoT-related security issues. Munro explained that a child's doll, marketed as ‘My Friend Cayla,’ is just one example of the growing number of IoT-enabled consumer and commercial products on the market, and of the lack of proper security in their designs that leaves many of them vulnerable to attack.
Cayla, for example, is a children’s doll endowed with speech recognition technology that enables it to have a conversation with a child. The big selling point for parents, however, is Cayla's GPS receiver and wireless module, which allow them to track and listen in on their child. Although Cayla was supposed to be ‘kid-friendly’ and ‘cyber-safe,’ Munro’s long experience with exploring the vulnerabilities of embedded systems made him suspect otherwise. It wasn't very long before he discovered what he described as “a huge attack surface” that allowed him and his team to bring out another, more sinister, side of Cayla.
Using a simple program that mimicked Cayla's phone app, the Pen Test Partners team were able to access the doll’s web-based portal and change their user status code from 1 to 0, giving them complete administrative access to the doll's features as well as the user information of all the other dolls’ owners. From there, they were able to modify the table that prevented Cayla from using 1500 words deemed to be “naughty” which, in Munro's words, “allowed her to swear like a sailor.” Had they chosen to do so, this access would also have let them reach other owners’ dolls and listen to or even converse with their children.
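The status-code flaw described above is a case of the server trusting a role value the client can set. The following added example (not code from the product or from Pen Test Partners) contrasts that pattern with a check that derives the role from the server's own record; it assumes the status code travelled in the client request, which the article does not specify, and all names and data are constructed.

```python
# Added illustration: every name, token and record here is constructed.
from dataclasses import dataclass

ADMIN, USER = 0, 1                      # status codes as reported: 0 = admin, 1 = user
ADMIN_ONLY = {"edit_wordlist"}          # hypothetical admin-only action

# Server-side records (constructed). The authoritative role lives only here.
ACCOUNTS = {
    "tok-alice": {"owner": "alice", "status": USER},
    "tok-bob": {"owner": "bob", "status": USER},
    "tok-ops": {"owner": "ops", "status": ADMIN},
}
DOLLS = {"doll-1": "alice", "doll-2": "bob"}   # doll id -> owning account

@dataclass
class Request:
    token: str     # session token presented by the client
    doll_id: str   # doll the client wants to act on
    status: int    # status code as sent by the client (untrusted)
    action: str

def authorize_weak(req):
    """Flawed pattern: the client-supplied status code decides the role."""
    if req.status == ADMIN:
        return True
    account = ACCOUNTS.get(req.token)
    return (account is not None and req.action not in ADMIN_ONLY
            and DOLLS.get(req.doll_id) == account["owner"])

def authorize_strict(req):
    """Role comes from the server record; a mismatch is rejected and reportable."""
    account = ACCOUNTS.get(req.token)
    if account is None:
        return False, "unknown session"
    if req.status != account["status"]:
        return False, "client status differs from server record"
    if account["status"] == ADMIN:
        return True, "admin"
    if req.action in ADMIN_ONLY:
        return False, "admin-only action"
    if DOLLS.get(req.doll_id) != account["owner"]:
        return False, "doll belongs to another owner"
    return True, "owner"

if __name__ == "__main__":
    forged = Request("tok-alice", "doll-2", ADMIN, "edit_wordlist")
    print("weak:", authorize_weak(forged))
    print("strict:", authorize_strict(forged))
```

The mismatch branch in `authorize_strict` is also a useful detection signal: a legitimate app never sends a status code that disagrees with the account record.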
Munro noted that the attack he used was only one of Cayla's numerous vulnerabilities, such as poorly-secured wireless links, easily hackable cellular modems, and non-encrypted SIM cards, virtually all of which could be found in a frightening number of “smart” consumer goods, such as thermostats and child tracking devices. There are similar issues with many commercial and industrial products – including web cameras, smart building controllers and other security appliances.
Research conducted by Pen Test Partners has shown that the majority of these problems arise from a handful of highly preventable sources which include:
- Cut-and-paste use of vendor-provided software and hardware reference designs with little or no review for security issues
- Extensive use of third-party web-based services without any evaluation of how secure they are or how vulnerable they are to corruption from other vectors
- Extensive use of offshore vendors throughout the supply chain for engineering, materials, and assembly, without any assessment of their security or integrity
Since we will most likely live in an even more connected future, concluded Munro, manufacturers cannot afford to ignore the need to make their products more resistant to the potential cyber-muggings awaiting them in the IoT.