IoT Village at DEF CON 24 Uncovers Extensive Security Flaws in Connected DevicesResearchers Discover 47 New Security Vulnerabilities across 23 Devices and 21 Manufacturers; Executive Leadership from FTC and FCC Weigh in.
BALTIMORE, MD – September 14, 2016. New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, which was held at DEF CON 24, were released today by Independent Security Evaluators (ISE) who organized the event. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.
Amongst many, one of the most unnerving exploits was presented by researcher Fred Bret-Mounet, who showed an attacker could shut down the equivalent of a small to mid-sized power generation facility by accessing the flaw in solar panels manufactured by Tigro Energy.
In another, researcher Anthony Rose discovered that 75% of the smart locks he investigated could be easily compromised, letting an attacker open the lock on a victim’s front door. Another researcher, who goes by the handle “jmaxxz,” discovered a series of vulnerabilities with August locks which, if exploited, would mean that “anyone you've ever let use your phone, or ever given access to your home as a guest via your smart lock could enter your home without your knowledge or permission.” he said. Smart locks are one of the fastest growing consumer products serving the smart home.
Afflicted manufacturers this year included global enterprises such as Samsung, Subaru, and Trane, as well as smaller startups such as QuickLock, Elecycle, and Blossom. Vulnerabilities ranged from fundamental design flaws such as use of plaintext passwords and hard coded passwords, to susceptibility to longstanding attack techniques such as buffer overflows, and command injection.
Between talks, workshops, and onsite hacking contests, IoT Village’s goal is to uncover security vulnerabilities in order to draw attention to the need for greater security considerations in the devices that comprise the Internet of Things (IoT). Since its inception as platform for security research, IoT Village has discovered security flaws in 50 devices from 39 different manufacturers.
“In the past two years, IoT Village has uncovered 113 critical, previously unknown vulnerabilities across both consumer and business products from some of the largest brand names in the world,” said Ted Harrington, Executive Partner at ISE and one of the organizers of IoT Village. “These discoveries are significant contributions to security research but also illustrate the pressing need for security improvements in IoT devices.” IoT Village has proven so successful that it is now held at security events all across the country beyond just DEF CON.
This year, IoT Village caught the attention of the federal government. Rear Admiral (ret.) David Simpson, a Bureau Chief of the Federal Communications Commission, spoke at the event and noted that IoT Village is taking strides towards “making things harder” for attackers, by putting the spotlight on these issues. Terrell McSweeny, commissioner of the Federal Trade Commission, also spoke at IoT Village, discussing the FTC’s law enforcement actions challenging inadequate data security in connected devices. “We believe that improved security is going to be achieved through a synergy between government, manufacturers, and the security community,” added Harrington. “The contributions of both Admiral Simpson and Commissioner McSweeny are invaluable to that effort.”
IoT Village next runs at DerbyCon, from Sept 21-25 in Louisville, KY. More information about IoT Village can be found at the official event website.
About IoT Village
IoT Village is a traveling security event focused on highlighting and resolving security flaws in the connected devices that comprise the Internet of Things (“IoT”). It is composed of talks, workshops, live hacking demos, and an onsite hacking contest. In its 2015 debut, IoT Village served as a platform to publish 66 previously unknown critical security vulnerabilities across 27 different devices types and 18 different manufacturers.
Founded in 2005 out of the PhD program at the Johns Hopkins’ Information Security Institute, ISE is a security consulting firm comprised of hackers, computer scientists, reverse engineers, and cryptographers who help companies defend against sophisticated adversaries through manual, white box security assessments. ISE is widely recognized as being the first company to hack the iPhone.
Ted Harrington Independent Security Evaluators
[email protected] Baltimore, MD, USA