The Internet of Unsafe Things

Author: Stefan Hager

Neuroscientist Dean Burnett once tweeted:

Last night my mate asked to use a USB port to charge his cigarette, but I was using it to charge my book.
The future is stupid.

Burnett's thesis is easily confirmed by looking at various products belonging to the "Internet of Things" (IoT).

Cybersecurity experts never grow tired of pointing out the dangers coming from the world of IoT; a lot of devices are not developed or marketed with security in mind, but to execute simple, well-defined functions. Security problems for the consumer arise because accessing the devices, or stealing data from them, is comparatively easy for unauthorized persons. The devices usually need to be as cheap as possible, and security usually does not come cheap.

That is far from the only thing wrong with them.

Devices that do not protect themselves can be abused with very little effort. The Lizard Stresser botnet, for example, is composed of IoT devices, mainly web cams, and according to Arbor Networks (a manufacturer of anti-DDoS appliances) it had an attack bandwidth of 400 Gbit/s. This is a considerable size and a danger for nearly every network that has not specifically shielded itself against DDoS attacks.

Often enough, IoT devices can be taken over without much effort because default passwords haven't been changed after purchase, or because the manufacturer decided that default passwords can't be changed at all. And then there are those devices which store the collected data (camera pictures, geolocations, sleeping patterns) at some unspecified location in the cloud. Most often this just means the data resides on some of the manufacturer's servers, which in turn means it is likely that the manufacturer and his pals have full access to your data. This is especially interesting when it comes to security cams; have you noticed that the cheaper ones are all manufactured in China? Now take a wild stab in the dark at which government might have access to all the interesting pictures collected by those cams, if they store their data on the manufacturer's servers.

Of course, not every new product or innovation is a danger; but maybe the reason for this is that not all smart things sell as well as their inventors would like to believe. But maybe I'm wrong - do you own an Egg Minder by chance? The Egg Minder is a smart device with a single purpose: it knows how many eggs are left in your fridge. If you provided the info, it also knows when they are going to go bad. And yes, there's an app for that.

Steve Lord, organizer of Infosec event 44Con, once said that the Egg Minder is a device so smart that even the inventors couldn't find a use case for it.

And why not use a Smart Plate to serve the eggs? That incredible device analyzes (with the help of three cameras and, fasten your seat belts, SCIENCE) the ingredients of the meal that is heaped upon it, how many calories it has, and whether you're wolfing it down way too fast. How does that work? Well, according to the inventor this is done with the help of science, and it is smart. I am feeling reassured, how about you?

Now and then the Smart Plate will give hints and advice about healthy eating. If you're eating white rice, it might suggest you substitute it with brown rice (science, remember?). Probably the greatest risk here is spending money on useless advice.

Some dangers in the world of IoT are undoubtedly real, though. Smart watches and fitness trackers are very useful, of course, but they introduce their own dangers. Chen Wang and colleagues from the Stevens Institute of Technology showed in a test environment that these devices can read your PIN while you enter it. The sensors in those devices are so numerous and precise that the data they collect can be analyzed with sophisticated software to guess your PIN with 80% accuracy.

At this point it really is just a proof of concept, and Wang does not know of any malware actively exploiting this. As a countermeasure he recommends moving the hand to other buttons, without pressing them, in between the real digits; this drastically lowers the chances of spying out the real number. In this test the smart watch was worn on the hand that entered the PIN; in a real-world setting the device is often worn on the non-dominant hand whereas the PIN will be entered by the dominant hand, reducing the chances to zero. But it is something to keep in mind, isn't it?

Coming back to Burnett, the e-cig and the e-book - maybe a power bank or a charger with multiple ports might be a solution. Some of those can be found in public places and can be used for free. But bear in mind that, unless you're using a special cable or a so-called USB condom, data will flow as freely as power...