Ken Munro, partner at Pen Test Partners, opened his talk at RSA Conference 2019 by explaining how easy it was for him to hack a Wi-Fi-enabled tea kettle. In the online manual, he discovered the default password. To find out how it connected to the home router, he used the AT command that the kettle’s internet system used. Buying used kettles on eBay, he reset to the factory settings, but the original owner’s router information was not deleted, and so not only did he have that key, he also had the former owner’s address through the transaction.
That was kettle version 1.0. For a later version, the manufacturers hired security professionals to add security to the newer versions of the kettle.
“The security problems in IoT are systemic because now the vendors are realizing they don’t have the expertise, so they outsource. They outsource to providers of lots of different organizations. Find one vulnerability in that, and you have access to millions of devices,” Munro said.
The concern is that while these vulnerabilities may seem small or easily fixed on one device, the reach of the API can go much further. A front-end vulnerability on a smart hot tub can control the temperature and the jets, but a back-end service provider delivers services to other devices like vehicles and medical equipment.
How do we address these systemic flaws? It requires recognizing where the flaws are coming from, such as default credentials or not separating different clients.
“If you deliver IoT and outsource any of your services, it is critical that you check that those service providers are secure,” Munro said. Even if you don’t develop IoT, you consume it. He recommended finding out who is responsible for handling the security of all of the smart equipment in your office.
“If you take one thing from this talk,” he added, “put IoT security into your service contracts so you can follow-up if they let you down.”