
IoT Flaw Discoveries Not Impactful--Yet

As flaws announced at Black Hat USA and elsewhere highlight IoT weaknesses, the impact of these vulns still remains low in the face of vast distribution. But that could change with market consolidation.

Vulnerabilities in the Internet of Things (IoT) once again will be in the spotlight next month at Black Hat USA.

Over the last few years, researchers have focused their efforts on flaws in devices like smart televisions, home automation systems connected to things like lights and door locks, and even medical devices like pacemakers and insulin pumps. While the results of many of these IoT research projects can often be dramatic, and the lessons for device makers are stark—namely, avoid the security mistakes made during the initial Internet boom—some researchers warn that the industry shouldn't succumb to the FUD, because the overall impact of many of these vulnerabilities is still pretty minimal.

"I think where the hyperbole comes in is in the impact of these flaws," says Joshua Wright, author of Hacking Exposed Wireless, 3rd Edition and senior technical analyst with Counter Hack. "I think the impact is often overblown because of the limited scale of how they're being exploited."

This year at Black Hat, two marquee IoT talks will focus on firmware and the ZigBee protocol. In "Using Static Binary Analysis to Find Vulnerabilities and Backdoors in Firmware," Christopher Kruegel and Yan Shoshitaishvili will discuss their work at UC Santa Barbara to develop a binary analysis tool called Angr that will make it easier to perform automated vulnerability analysis and find backdoors in firmware used in IoT and other devices.

"Because these devices often receive privacy-sensitive information from their sensors--such as what a user is watching, or how much electricity they are using--or carry out a safety-critical function--such as actuators that lock the front door--errors in the devices' firmware, whether present due to an accidental mistake or purposeful malice, can have serious and varying implications in both the digital and physical world," wrote Kruegel and Shoshitaishvili.

Meanwhile, Tobias Zillner and Sebastian Strobl of Cognosec will dive deep into one of the more popular home and office automation protocols in "ZigBee Exploited: The Good, The Bad And The Ugly."

"Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices," Zillner and Strobl said in their abstract. "For example, it is entirely possible for an external party to gain control over every smart light bulb that supports the ZigBee Light Link profile. This is made possible because the initial key transport is done in an unsecured way, and support of this weak key transport is, in fact, even required by the standard itself."

The firmware and ZigBee talks are, of course, just the start of the IoT and industrial automation research highlighted at Black Hat. There'll also be discussions on how to pen test cities, weaknesses in industrial Ethernet switches, and deep-seated flaws in RFID access control systems used to secure commercial buildings.

As the author of two wireless scanning tools -- one for ZigBee called KillerBee and one for the other common automation protocol, Z-Wave, called KillerZee -- Wright has good visibility into the kinds of flaws researchers are currently uncovering in IoT devices. While he does believe there's potential for hyperbole about the current impact of these vulnerabilities, what isn't overblown is the exposure that manufacturers are leaving open in their IoT devices today.

"I was talking to a friend the other day and I told him hacking the Internet of Things is like hacking in the 1990s," Wright says. "I didn't think that I'd be able to use string-based buffer overflow exploits anymore, but no, we can, you just buy an Internet-connected camera. These vulnerabilities exist, but I think they are much more widely distributed and the impact is lower than what we would see in major vulnerabilities like Heartbleed."

However, it may not be like that forever. All it will take is for some market consolidation for that distribution to start to concentrate.

"It will be really interesting to see, when IoT becomes this Google device in millions and millions of homes," he says. "That's when the impact of flaws will no longer be hyperbole and will be a huge deal."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

7/7/2015 | 8:31:15 PM
A Different Level of Vulnerability
Security at the consumer and corporate levels is going to be critical, but also important will be security at the city and metropolitan level. This article points to ZigBee, among others, as a very hackable technology. As developers increasingly turn an eye to IoT security, maybe options like Symphony Link from Link Labs will appear more. They have a more secure long-range protocol -- although, as with any technology, interoperability will be key.