Smart Devices, Dumb Security?
Sep 22, 2011 5:00 AM PT
Right now, you can buy a car that you can unlock by just touching the door handle. No need to struggle with key fobs or keys.
Known by various names, including "Keyless Go" and "Smart Key," this feature is available for a cool grand or so as an option on various cars, including the Mercedes-Benz S-Class, E-Class and SL-Class; the Cadillac STS; and the Nissan Infiniti M.
On the home front, you can today get smart home appliances that connect to your smart meter -- if you've already got one -- and turn themselves on only during off-peak hours when electricity costs less.
Smart devices that connect to the Internet, over land lines or wirelessly, are also available for both the home and the office. You can use the Internet to, for example, turn on your digital video recorder remotely and record a favorite program, or print a document while you're stuck in traffic en route to the office.
Google in May announced the Android@home and Project Tungsten.
The former will let Android apps discover, connect and communicate with a user's home appliances. The latter will give consumers more control over music playback within their Android@home networks. This will all be done over the Internet.
Having Smarts Can Hurt
The downside to having smart devices is that they're about as smart as a dumber-than-average dog -- they can't discriminate between good and bad commands and will do what any human tells them to, regardless of whether or not that human is their master.
That makes them a security threat.
"In many cases, the threats may be even more serious than vulnerabilities on traditional computers because people don't understand what data is stored on them and is at risk," Kevin Brown, a manager of testing at ICSA Labs, told TechNewsWorld.
The situation isn't helped by device manufacturers, who apparently prefer ease of use over all else.
"When it comes to usability versus security, usability tends to win out, and vendors enable functionality by default to ensure that you're aware of it," Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told TechNewsWorld.
That's because device manufacturers want to sell their products.
"Most devices target consumers, and their manufacturers are racing to compete with consumer-oriented features such as integration into social networking services, rather than security features," Tom Kemp, CEO of Centrify, told TechNewsWorld.
Roll Over, Rover
Expensive automobiles might be a target because of their value. Researchers demonstrated at the Black Hat security conference last summer that it's possible to unlock and start someone else's late-model car with a simple text message.
The technology to do this is not new.
It's just that no one had shown before that criminals could steal someone's car using nothing more than a smartphone.
However, the big payoff for cybercriminals could come from smart equipment installed in the office.
"The most exposed devices that we encountered that pose a security risk are photocopiers, scanners, telephone systems and webcams, any of which could be used in either an enterprise or consumer setting, especially for employees that work from home," Zscaler's Sutton said.
"We encountered photocopiers from which documents could be retrieved over the Web, scanners that could be operated remotely, and telephone systems that permitted eavesdropping," Sutton added.
Hacking into a smart office device over the Web is "pretty easy," Brown pointed out. Just use Google's inurl: search operator to look for a URL path characteristic of a commonly used Web-enabled printer's administration page, pick one that's reachable from the Internet, then see if you can fire it up.
Where the Dangers Lie
Some of the devices located through an inurl search allow anyone to connect directly to a printer or multifunction device over the Internet without logging in, ICSA's Brown said.
That could let a hostile visitor reconfigure the printer to make it inaccessible, or read documents previously printed, for example, Brown warned.
Web-enabled devices commonly come with embedded Web servers which are enabled. However, they often either have no password or use a default password that can be found in user manuals downloaded from the Internet, Zscaler's Sutton pointed out.
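The two conditions Brown and Sutton describe, an admin page that answers without any login and one that only demands a password the manual already prints, are easy to check for on your own network. The script below is an added example, not code from the article or from ICSA Labs or Zscaler. It classifies each device URL as open, protected only by a default credential, properly protected, or unreachable. The credential list and the simulated device fleet are constructed for this example; the real probe uses HTTP Basic authentication over urllib and should only be pointed at devices you are authorised to test.

```python
"""Audit check for embedded web admin interfaces on network devices.

Added example; not from the article or any vendor it names.  For each URL it
asks: does the admin page answer an anonymous client, and if it demands a
login, does a documented default credential get in?
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Optional

# Default credential pairs of the kind printed in downloadable manuals.
# Constructed list for this example; extend it from the manual of the device
# you are auditing.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "password"),
    ("root", "root"),
]

# A probe returns the HTTP status code, or None when the host does not answer.
Probe = Callable[[str, Optional[tuple]], Optional[int]]


def http_probe(url: str, auth: Optional[tuple] = None, timeout: float = 5.0) -> Optional[int]:
    """Real probe: one GET, optionally with HTTP Basic credentials."""
    req = urllib.request.Request(url, method="GET")
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401, 403 and friends are answers, not failures
    except (urllib.error.URLError, OSError):
        return None


def audit_device(url: str, probe: Probe = http_probe) -> dict:
    """Classify one device's admin URL.

    'finding' is one of: unreachable, no_auth, default_creds, protected, other.
    'credential' is the default pair that was accepted, if any.
    """
    status = probe(url, None)
    if status is None:
        return {"url": url, "finding": "unreachable", "credential": None}
    if status == 200:
        # Admin page served to an anonymous client: anyone on the path can
        # reconfigure the device or pull stored jobs, as Brown warns above.
        return {"url": url, "finding": "no_auth", "credential": None}
    if status != 401:
        return {"url": url, "finding": "other", "credential": None, "status": status}
    for user, password in DEFAULT_CREDENTIALS:
        if probe(url, (user, password)) == 200:
            return {"url": url, "finding": "default_creds", "credential": (user, password)}
    return {"url": url, "finding": "protected", "credential": None}


def audit_all(urls, probe: Probe = http_probe) -> list:
    return [audit_device(u, probe) for u in urls]


# Constructed stand-in for a small device fleet so the audit runs offline.
# URL -> (status for an anonymous GET, credentials that are accepted).
# Addresses are from the 192.0.2.0/24 documentation range.
SIMULATED_DEVICES = {
    "http://192.0.2.10/admin/": (200, set()),                 # open admin page
    "http://192.0.2.11/admin/": (401, {("admin", "admin")}),  # default password
    "http://192.0.2.12/admin/": (401, set()),                 # password changed
    "http://192.0.2.13/admin/": (None, set()),                # switched off
}


def simulated_probe(url: str, auth: Optional[tuple] = None) -> Optional[int]:
    """Probe that answers from SIMULATED_DEVICES instead of the network."""
    anon_status, accepted = SIMULATED_DEVICES.get(url, (None, set()))
    if anon_status is None:
        return None
    if auth is None:
        return anon_status
    return 200 if auth in accepted else 401


if __name__ == "__main__":
    for r in audit_all(SIMULATED_DEVICES, simulated_probe):
        print(f"{r['finding']:14} {r['url']} {r['credential'] or ''}")
```

Swap `simulated_probe` for the default `http_probe` and pass your own list of admin URLs to run it for real. Devices that return 200 anonymously or accept a listed default are the ones the quotes above are about; a device that is only "protected" by Basic auth over plain HTTP is still exposing the password to anyone on the path, which is a separate finding this check does not make.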
Also, remotely breaking into and taking over smart equipment is apparently not too difficult.
"Any connected device that can be flashed or otherwise altered remotely can be hacked," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
Most smart office devices and smart meters are network-attached, so hacking into one means you've gained access to its back-end network, and with it to everything else on that network, ICSA's Brown said.
Further, smart office devices and smart meters are easy to hack because they tend to run the same operating system and firmware and have limited memory. Hence, there's little or no security software protection, Brown said.
However, your washer and dryer are probably safe, except perhaps from pranksters.
"Yes, some devices are vulnerable, but washing machines aren't," Dmitry Molchanov, a senior research analyst at the Yankee Group, told TechNewsWorld. "They simply don't transmit information that's sensitive enough to merit a security risk."
Possible Solutions for Smartness
Both vendors and users should ensure that smart devices are secure as far as practicable.
Vendors should ship smart devices either with a unique password for each unit or with the embedded Web server turned off until the user sets a unique password, Zscaler's Sutton recommends.
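Both halves of that recommendation fit in a few dozen lines of firmware logic. The class below is an added example, not code from the article or from Zscaler: the device boots into a locked state in which the embedded server refuses everything but the setup page, accepts only a password that is not on the list of strings manuals print and is reasonably long, and stores it as a salted PBKDF2 hash. The alternative path generates a random per-unit password at the factory, the kind that would be printed on the unit's label. The class and method names, the blocked-password list and the length threshold are this example's own choices.

```python
"""Vendor-side setup gate for an embedded web admin interface.

Added example, not from the article or any vendor it names.  Models the two
options Sutton gives: admin interface off until a unique password is set, or
a random per-unit password provisioned at the factory.
"""
import hashlib
import hmac
import secrets

# Strings a manual might print as "the" password; refuse them outright.
# Constructed list for this example.
BLOCKED_PASSWORDS = {"", "admin", "password", "1234", "12345678", "root"}
MIN_LENGTH = 10          # assumption for this example
PBKDF2_ROUNDS = 100_000  # assumption; tune to the device's CPU


class DeviceAdmin:
    """State of one unit's web admin interface."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)  # per-unit salt, made at first boot
        self._hash = None                      # None means setup not complete
        self._user = "admin"

    @classmethod
    def with_factory_password(cls):
        """Option 2: provision a random, unit-specific password at the factory.

        Returns (device, password); the password is what gets printed on the
        label.  It is random, not derived from the serial number or MAC.
        """
        dev = cls()
        password = secrets.token_urlsafe(12)   # 16 URL-safe characters
        assert dev.set_initial_password(password)
        return dev, password

    @property
    def setup_complete(self) -> bool:
        return self._hash is not None

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def set_initial_password(self, password: str) -> bool:
        """Option 1: one-shot first-boot setup; stays locked on a weak password."""
        if self.setup_complete:
            return False   # setup is one-shot; a separate change flow applies later
        if password in BLOCKED_PASSWORDS or len(password) < MIN_LENGTH:
            return False
        self._hash = self._derive(password)
        return True

    def authenticate(self, user: str, password: str) -> bool:
        if not self.setup_complete or user != self._user:
            return False
        return hmac.compare_digest(self._derive(password), self._hash)

    def handle_request(self, path: str, auth=None) -> int:
        """Return the HTTP status the embedded server would send for a request."""
        if not self.setup_complete:
            # Everything but the setup page is refused until a password exists,
            # so a freshly unboxed unit found by an inurl: search yields nothing.
            return 200 if path == "/setup" else 503
        if auth is None or not self.authenticate(*auth):
            return 401
        return 200


if __name__ == "__main__":
    dev = DeviceAdmin()
    print("fresh unit, GET /admin ->", dev.handle_request("/admin"))
    print("set 'admin' accepted?   ", dev.set_initial_password("admin"))
    print("set long pw accepted?   ", dev.set_initial_password("correct horse battery"))
    print("GET /admin with creds ->", dev.handle_request("/admin", ("admin", "correct horse battery")))
```

The point of the 503 branch is that the device is safe in the window between unboxing and configuration, which is exactly the window in which the default-credential devices above are found. The factory-password path closes the same window without any user action, at the cost of a label that has to be kept with the unit.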
That could provide a base level of security, but "attackers tend to be one step ahead," Centrify's Kemp said. Hackers will then likely turn to phishing and social engineering, and Kemp's "not sure if protection against that can be built into a device."
Users should think about what they're getting.
"Before installing a new connected device, consider what would happen if a hostile force gets control over it," Enderle suggested.
"Someone remotely flipping channels would be annoying, but an oven set on 'clean' for 48 hours could take out your house," Enderle added.