It wouldn't be a very normal week in the tech industry if yet another high-profile example of IoT (Internet of things)-related security risks didn't crop up. Sure enough, this week at the Black Hat conference in London, researchers showed how IoT devices could actually hack into and control users' cell phones, as Network World reports:
Flaws in Belkin WeMo devices (electrical switches, cameras, light bulbs, coffee makers, air purifiers, etc.) enabled Invincea Labs researchers to not only hack into the devices, but to use that access to attack an Android phone running the app that controls the WeMo devices.
“This is the first instance we’ve seen of IoT hacking something else,” says researcher Scott Tenaglia, who pledges to look for other vulnerable devices that might be abused to carry out similar attacks.
To carry out the attack the researchers attached a laptop to the same network that the WeMo device was connected to. They communicated with the device via universal plug and play (UPnP) messages, which are essentially Web requests to particular URLs on the device, Tenaglia says.
One request they sent was for the device to change its name, and they substituted the original name with a malicious string of code.
A customer can control WeMo devices via an Android application that, when it is first turned on, queries the environment for WeMo devices. One of the things the devices respond with is their names. “If the name is a malicious string, as soon as it hits the application the code executes,” Tenaglia says.
As a demonstration of what such a string might do, the researchers had it download all the pictures from the phone’s camera to a remote server. They also had it beacon the phone’s location to the researchers so the phone then acted like a geolocation tracker.
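The chain described above turns on the controller app trusting a name the device itself advertises during UPnP discovery. As an added example (not code from the article, from Belkin or from Invincea), the Python below parses a constructed UPnP device description and accepts the advertised friendlyName only if it passes a strict allowlist; the sample XML, the device names and the allowlist pattern are assumptions for illustration, not WeMo's actual format or app logic.

```python
"""Defender-side check: treat a UPnP-advertised device name as untrusted input."""
import re
import xml.etree.ElementTree as ET  # production code should prefer defusedxml
from typing import Optional

# Constructed sample: a UPnP device description as a controller app would
# fetch after SSDP discovery (standard UPnP layout, not WeMo's real file).
BENIGN_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
    <friendlyName>Living room lamp</friendlyName>
  </device>
</root>"""

# Same description, but the name field now carries markup (hypothetical payload).
HOSTILE_DESCRIPTION = BENIGN_DESCRIPTION.replace(
    "Living room lamp", "&lt;script&gt;x()&lt;/script&gt;")

# Edge case: a device that advertises no name at all.
NO_NAME_DESCRIPTION = BENIGN_DESCRIPTION.replace(
    "<friendlyName>Living room lamp</friendlyName>", "")

UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}

# Allowlist (assumed policy): letters, digits, space and a little punctuation,
# 1-64 characters. No angle brackets, quotes, backslashes or control characters.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def extract_friendly_name(description_xml: str) -> str:
    """Return the raw <friendlyName> text, or '' if the element is absent."""
    root = ET.fromstring(description_xml)  # XML escapes are decoded here
    node = root.find("u:device/u:friendlyName", UPNP_NS)
    return node.text if node is not None and node.text else ""


def safe_device_name(description_xml: str) -> Optional[str]:
    """Return the advertised name only if it matches the allowlist, else None.

    A None result means the app should fall back to a neutral label rather
    than render (or evaluate) whatever the device sent.
    """
    name = extract_friendly_name(description_xml)
    return name if NAME_RE.fullmatch(name) else None
```

Because the parser decodes the XML escapes before the check runs, the hostile sample is rejected on its literal angle brackets rather than on the encoded form.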
Analysis: Will the Drip of IoT Security Issues Become a Flood?
Belkin has issued a patch for the flaw, but incremental fixes don't amount to a thumb in the dike for IoT security. It's important for the industry to be realistic about how well it has IoT security handled, which today is not very well at all.
"Let's not fool ourselves by pretending each of these stories is evidence of an individual product failure when the reality is that the rules have changed, exposing a huge number of devices to wholly unexpected conditions," says Constellation Research VP and principal analyst Andy Mulholland, who leads Constellation's IoT research. "As little as five years ago, the scale of connectivity that we now refer to as IoT was not foreseen by manufacturers and software providers, so many specifications that seemed commercially adequate are now found to be actual or potential risks."
"We can therefore expect to be subjected to a regular diet of these types of revelations as older devices are subjected to access in ways that were never expected," he adds. "More important will be the efforts now underway to not only ensure new devices are individually protected, but to look at how the routers of the internet itself will start to manage the propagation of inappropriate commands."