
IoT Flaw Discoveries Not Impactful--Yet

As flaws announced at Black Hat USA and elsewhere highlight IoT weaknesses, the impact of these vulns still remains low in the face of vast distribution. But that could change with market consolidation.

Vulnerabilities in the Internet of Things (IoT) once again will be in the spotlight next month at Black Hat USA.

Over the last few years, researchers have focused their efforts on flaws in devices like smart televisions, home automation systems connected to things like lights and door locks, and even medical devices like pacemakers and insulin pumps. While the results of many of these IoT research projects can often be dramatic, and the lessons for device makers are stark—namely, avoid the security mistakes made during the initial Internet boom—some researchers warn that the industry shouldn't succumb to the FUD, because the overall impact of many of these vulnerabilities is still pretty minimal.

"I think where the hyperbole comes in is in the impact of these flaws," says Joshua Wright, author of Hacking Exposed Wireless, 3rd Edition and senior technical analyst with Counter Hack. "I think the impact is often overblown because of the limited scale of how they're being exploited."

This year at Black Hat, two marquee IoT talks will focus on firmware and the Zigbee protocol. In "Using Static Binary Analysis to Find Vulnerabilities and Backdoors in Firmware," Christopher Kruegel and Yan Shoshitaishvili will discuss their work at UC Santa Barbara to develop a binary analysis tool called angr that will make it easier to perform automated vulnerability analysis and find backdoors in firmware used in IoT and other devices.

"Because these devices often receive privacy-sensitive information from their sensors--such as what a user is watching, or how much electricity they are using--or carry out a safety-critical function--such as actuators that lock the front door--errors in the devices' firmware, whether present due to an accidental mistake or purposeful malice, can have serious and varying implications in both the digital and physical world," wrote Kruegel and Shoshitaishvili.

Meanwhile, Tobias Zillner and Sebastian Strobl of Cognosec will dive deep into one of the more popular home and office automation protocols in "ZigBee Exploited: The Good, The Bad And The Ugly."

"Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices," Zillner and Strobl said in their abstract. "For example, it is entirely possible for an external party to gain control over every smart light bulb that supports the ZigBee Light Link profile. This is made possible because the initial key transport is done in an unsecured way, and support of this weak key transport is, in fact, even required by the standard itself."

The firmware and Zigbee talks are, of course, just the start of the IoT and industrial automation research highlighted at Black Hat. There'll also be discussions on how to pen test cities, weaknesses in industrial Ethernet switches, and deep-seated flaws in RFID access control systems used to secure commercial buildings.

As the author of two wireless scanning tools -- one for Zigbee called KillerBee and one for the other common automation protocol, Z-Wave, called KillerZee -- Wright has good visibility into the kinds of flaws researchers are currently uncovering in IoT devices. While he does believe there's potential for hyperbole on the current potential impact of these vulnerabilities, what isn't overblown is the exposure that manufacturers are leaving open in their IoT devices today.

"I was talking to a friend the other day and I told him hacking the Internet of Things is like hacking in the 1990s," Wright says. "I didn't think that I'd be able to use string-based buffer overflow exploits anymore, but no, we can; you just buy an Internet-connected camera. These vulnerabilities exist, but I think they are much more widely distributed and the impact is lower than what we would see in major vulnerabilities like Heartbleed."

However, it may not be like that forever. All it will take is for some market consolidation for that distribution to start to concentrate.

"It will be really interesting to see, when IoT becomes this Google device in millions and millions of homes," he says. "That's when the impact of flaws will no longer be hyperbole and will be a huge deal."

Black Hat USA is next month. Register here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

7/7/2015 | 8:31:15 PM
A Different Level of Vulnerability
Security at the consumer and corporate levels is going to be critical, but also important will be security at the city and metropolitan level. This article points to ZigBee, among others, as a very hackable technology. As developers increasingly turn an eye to IoT security, maybe options like Symphony Link from Link Labs will appear more. They have a more secure long-range protocol -- although, as with any technology, interoperability will be key.