The Internet of Things (IoT) [1] is defined as everyday objects being interconnected and networked. This includes smart-devices such as phones, to appliances like refrigerators that orders groceries online for you when the yoghurt gets low and turns on the oven automatically to get it prepared for you [2].
However, these smart devices are essentially appliances controlled by an on-board computer with various flavours of operating systems. These computers, when exposed to the Internet, will face the exact same issues as all computers on the internet.
In Nitesh Dhanjani paper [0], he demonstrates vulnerabilities in a brand of light systems controlled through popular iOS/Android apps and a web GUI interface. The vulnerability was demonstrated to show how it can be used to create blackouts on that particular lighting system.
According to the paper, the lighting system only allows authorised devices to modify lighting settings through the use of white list tokens. These tokens are however just the MD5 hash of an authorised device's MAC address.
Based on the paper and video released, the attacker will require a foothold on the network, and a means to enumerate the MAC addresses of the authorised devices in order to perform the attack.
References
[1] Internet of Things, Wikipedia.
[2] Smart Fridge? Idiot Fridge, more like, The Guardian. January 2011.
Commentary
Tan Jun Hao: There are currently no industry standards established for smart home devices as they are in an infancy stage, therefore it is no surprise that more security flaws are uncovered as they become more prevalent. However, there is no need to panic, as these attacks often target specific devices. This particular attack is limited in terms of target and damage and therefore would not cause much monetary losses.
Paranoia Level: 2/5
Yang Xu Dong: The protection mechanism implementation resembles Wi-Fi's MAC filtering. But for Wi-Fi there are multiple other security mechanisms such as signal strength reduction, disabling of SSID broadcast and more importantly authentication and encryption protocols like WPA and WPA2.
If such devices are ever to be used in a critical environment, similar defence in depth should be expected. As for exploiting these bulbs in-home use, well, wouldn't it be simpler and more destructive for the attacker to just cut the electricity?
What really worries me is how developers, ever so often de-prioritize security for functionality, interface and connectivity. This leads to a sense of déjà vu when similar past vulnerabilities in PCs are now seen on other platforms such as mobile phones, and control systems.
The impact of these forms of vulnerabilities will increase incrementally, when you consider a smart bulb, when compared to a smart home, and finally a smart grid.
Paranoia Level: 1/5 (for the bulb)
Emil: News is getting interesting as security researchers around the world start targeting various devices in the "Internet of Things". However, I do not feel the life of a security practitioner is getting any tougher.
We still face the same issues as before, vulnerabilities found in “Internet of Things” hit the news because security is not at the top of the mind of developers and users. It reminds me of those days when cloud security is an afterthought and only after all sorts of cloud models and solutions have been out in the market.
Paranoia Level: 2/5 (hacking “Internet of Things” did not throw me off my chair, but it is big enough to generate public awareness).
Final Paranoia Score: 1.6/5 (We should be more concerned about our cholesterol level).
Authors
Producer: Gee Chuan Boh.
Editor: Mike Loh.
Commentators: Tan Jun Hao, Yang Xu Dong, Emil Tan.