Vulnerabilities in the Internet of Things (IoT) will once again be in the spotlight next month at Black Hat USA.
Over the last few years, researchers have focused their efforts on flaws in devices like smart televisions, home automation systems connected to things like lights and door locks, and even medical devices like pacemakers and insulin pumps. While the results of many of these IoT research projects can often be dramatic, and the lessons for device makers are stark—namely avoiding the security mistakes made during the initial Internet boom—some researchers warn that the industry shouldn't succumb to the FUD because the overall impact of many of these vulnerabilities is still pretty minimal.
"I think where the hyperbole comes in is in the impact of these flaws," says Joshua Wright, author of Hacking Exposed Wireless, 3rd Edition and senior technical analyst with Counter Hack. "I think the impact is often overblown because of the limited scale of how they're being exploited."
This year at Black Hat, two marquee IoT talks will focus on firmware and the ZigBee protocol. In "Using Static Binary Analysis to Find Vulnerabilities and Backdoors in Firmware," Christopher Kruegel and Yan Shoshitaishvili will discuss their work at UC Santa Barbara to develop a binary analysis tool called Angr that will make it easier to perform automated vulnerability analysis and find backdoors in firmware used in IoT and other devices.
"Because these devices often receive privacy-sensitive information from their sensors--such as what a user is watching, or how much electricity they are using--or carry out a safety-critical function--such as actuators that lock the front door--errors in the devices' firmware, whether present due to an accidental mistake or purposeful malice, can have serious and varying implications in both the digital and physical world," wrote Kruegel and Shoshitaishvili.
Meanwhile, Tobias Zillner and Sebastian Strobl of Cognosec will dive deep into one of the more popular home and office automation protocols in "ZigBee Exploited: The Good, The Bad And The Ugly."
"Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices," Zillner and Strobl said in their abstract. "For example, it is entirely possible for an external party to gain control over every smart light bulb that supports the ZigBee Light Link profile. This is made possible because the initial key transport is done in an unsecured way, and support of this weak key transport is, in fact, even required by the standard itself."
The firmware and ZigBee talks are, of course, just the start of the IoT and industrial automation research highlighted at Black Hat. There'll also be discussions on how to pen test cities, weaknesses in industrial Ethernet switches, and deep-seated flaws in RFID access control systems used to secure commercial buildings.
As the author of two wireless scanning tools -- one for ZigBee called KillerBee and one for the other common automation protocol, Z-Wave, called KillerZee -- Wright has good visibility into the kinds of flaws researchers are currently uncovering in IoT devices. While he does believe the current impact of these vulnerabilities is prone to hyperbole, what isn't overblown is the exposure that manufacturers are leaving open in their IoT devices today.
"I was talking to a friend the other day and I told him hacking Internet of Things is like hacking in the 1990s," Wright says. "I didn't think that I'd be able to use string-based buffer overflow exploits anymore, but no, we can, you just buy an Internet-connected camera. These vulnerabilities exist, but I think they are much more widely distributed and the impact is lower than what we would see in major vulnerabilities like Heartbleed."
However, it may not be like that forever. All it will take is some market consolidation for that distribution to start to concentrate.
"It will be really interesting to see, when IoT becomes this Google device in millions and millions of homes," he says. "That's when the impact of flaws will no longer be hyperbole and will be a huge deal."
Black Hat USA is next month.