Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

Today the Lights, Tomorrow, The World.

23 Aug 2013

The Internet of Things [1] is defined as everyday objects being interconnected and networked. This ranges from smart devices such as phones to appliances like refrigerators that order groceries online for you when the yogurt gets low and turn on the oven automatically to get it prepared for you [2].

However, these smart devices are essentially appliances controlled by an on-board computer running various flavours of operating systems. When exposed to the Internet, these computers face the exact same issues as all other computers on the Internet.

In his paper, Nitesh Dhanjani demonstrates vulnerabilities in a brand of lighting system controlled through popular iOS/Android apps and a web interface. The demonstration shows how the vulnerability can be used to create blackouts on that particular lighting system.

According to the paper, the lighting system only allows authorised devices to modify lighting settings through the use of whitelist tokens. These tokens, however, are just the MD5 hash of an authorised device's MAC address.

Based on the paper and video released, the attacker will require a foothold on the network, and a means to enumerate the MAC addresses of the authorised devices in order to perform the attack.
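The weakness described above, shown from the defender's side as an added example (not code from the paper or the vendor): an audit that flags whitelist tokens reproducible from MAC addresses visible on the LAN, next to a registry that issues random per-device tokens instead. The MAC text format fed to MD5, the function names and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalise_mac(mac):
    # Assumption: the MAC is hashed as lowercase, colon-separated text.
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_derived_token(mac):
    # Scheme described above: the token is the MD5 of the device MAC.
    return hashlib.md5(normalise_mac(mac).encode()).hexdigest()


def audit_whitelist(whitelist, lan_macs):
    # Flag whitelist tokens that anyone who sees these MACs could rebuild.
    derived = {mac_derived_token(m): normalise_mac(m) for m in lan_macs}
    return {tok: derived[tok] for tok in whitelist if tok in derived}


class TokenRegistry:
    # Hardened form: random per-device secret, unrelated to any identifier.
    def __init__(self):
        self._digests = {}  # device label -> SHA-256 of the issued token

    def enrol(self, label):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._digests[label] = hashlib.sha256(token.encode()).digest()
        return token  # handed to the device once, never stored in clear

    def is_authorised(self, token):
        candidate = hashlib.sha256(token.encode()).digest()
        # compare_digest avoids leaking how many leading bytes matched.
        return any(hmac.compare_digest(candidate, d)
                   for d in self._digests.values())


if __name__ == "__main__":
    macs = ["02:00:00:AA:BB:01", "02-00-00-aa-bb-02"]  # constructed samples
    whitelist = [mac_derived_token(macs[0]), "0" * 32]
    print("predictable tokens:", audit_whitelist(whitelist, macs))
    registry = TokenRegistry()
    issued = registry.enrol("phone")
    print("random token accepted:", registry.is_authorised(issued))
    print("MAC-derived token accepted:", registry.is_authorised(whitelist[0]))
```

A MAC address is an identifier broadcast on the local network rather than a secret, so hashing it adds no protection; the random token only helps if it is also sent over an authenticated, encrypted channel.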

Hacking Lightbulbs [Paper] [Site]
[1] Internet of Things, Wikipedia.
[2] Smart Fridge? Idiot Fridge, more like, The Guardian. January 2011.

Commentary

Jun Hao: There are currently no industry standards established for smart home devices as they are in an infancy stage, therefore it is no surprise that more security flaws are uncovered as they become more prevalent. However, there is no need to panic, as these attacks often target specific devices. This particular attack is limited in terms of target and damage and therefore would not cause much monetary loss.

Paranoia Level: 2/5

Xu Dong: The protection mechanism implementation resembles Wi-Fi's MAC filtering. But for Wi-Fi there are multiple other security mechanisms such as signal strength reduction, disabling of SSID broadcast and, more importantly, authentication and encryption protocols like WPA and WPA2.

If such devices are ever to be used in a critical environment, similar defense in depth should be expected. As for exploiting these bulbs in home use, well, wouldn't it be simpler and more destructive for the attacker to just cut the electricity?

What really worries me is how developers ever so often de-prioritize security for functionality, interface and connectivity. This leads to a sense of déjà vu when similar past vulnerabilities in PCs are now seen on other platforms such as mobile phones and control systems.

The impact of these forms of vulnerabilities will increase incrementally, when you consider a smart bulb, when compared to a smart home, and finally a smart grid.

Paranoia Level: 1/5 (for the bulb).

Emil: News is getting interesting as security researchers around the world start targeting various devices in the “internet of things”. However, I do not feel the life of a security practitioner is getting any tougher.

We still face the same issues as before; vulnerabilities found in the “internet of things” hit the news because security is not at the top of the mind of developers and users. It reminds me of those days when cloud security was an afterthought, and only after all sorts of cloud models and solutions had been out in the market.

Paranoia Level: 2/5 (hacking “internet of things” did not throw me off my chair, but it is big enough to generate public awareness).

Final Paranoia Score: 1.6/5 (We should be more concerned about our cholesterol level).

Participating Members of this Issue of Edgis Article Review
  • [Producer] Gee Chuan Boh
  • [Editor] Mike Loh
  • [Commentator] Tan Jun Hao, Yang Xu Dong, Emil Tan