
Security Researchers Validate Major Problems with IoT

IoT Village Demonstrates Rampant Security Vulnerabilities in Connected Devices

BALTIMORE, MD – October 12, 2015 – Independent Security Evaluators (ISE), the security consulting and research firm, has announced the findings from the first-ever IoT Village, which debuted at DEF CON 23 in Las Vegas from August 7-9, 2015. The security research event, which focused on devices that make up the Internet of Things (IoT), waited to release its findings until after the manufacturers whose equipment had been successfully hacked were notified of the vulnerabilities. The results clearly indicate that connected devices need better security built in before they are sold to consumers. Altogether, between the Village’s contest, workshops, and talks, eleven researchers uncovered some 60 zero-day vulnerabilities within 27 different devices manufactured by 18 companies.

“IoT Village proved that security issues are pervasive across connected devices,” commented Ted Harrington, one of the lead organizers of IoT Village and the Executive Partner at ISE. “The event served as a platform that produced an unprecedented number of previously undiscovered security vulnerabilities across a wide array of manufacturers and distinct device types.”

Fourteen of those vulnerabilities were discovered onsite during the hacking contest that ran over the few days of the event. IoT Village highlighted the fact that security is an industry-wide issue for manufacturers of connected devices, as these issues are not confined to any particular manufacturer or device type.

“Many of the violations of the underlying secure design principles were repeated across devices and manufacturers,” Harrington added.  “This suggests that manufacturers may not be prioritizing security as a critical function prior to product release.  It is imperative that manufacturers build better security into their products and through security assessment validate that these security measures are effective, before the products are put on the market.”

IoT Village is one of the first security research events focused solely on the rapidly emerging IoT market.  It drew unprecedented attention to the problem and helped attendees collaborate on potential solutions.

“Most of the devices showcased in IoT Village were those that are already found within ‘smart’ homes,” Harrington noted. “By creating a platform for researchers to highlight security flaws in these connected devices, our aim is to emphasize that security needs to be better baked into products before they are shipped. While IoT Village investigated only a small portion of available connected devices in the marketplace, the consistency of our findings suggests that the problem is much more widespread.”

In one of the most dramatic demonstrations during the IoT Village event, one hacker was able to take over a drone and crash it. Some of the other devices that were hacked included motion sensors for home protection, children’s toys, baby monitors, and a smart refrigerator. Vulnerable manufacturers include high-profile brands, such as Samsung, Philips, Bose and Fitbit.

Due to the success of the inaugural IoT Village at DEF CON, other conferences have made arrangements to host it at their events as well. Today, Harrington announced that the second IoT Village will be held at Security B-Sides DC 2015, taking place October 16-18, 2015 at the Washington Marriott Metro Center in Washington, DC. For more information about IoT Village, visit www.iotvillage.org.

 

About ISE

Founded in 2005 out of the PhD program at the Johns Hopkins’ Information Security Institute, ISE is a security consulting firm comprised of hackers, computer scientists, reverse engineers, and cryptographers who help companies defend against sophisticated adversaries by utilizing a perspective typically perpetrated by the adversary.  ISE is widely recognized for being the first company to hack the iPhone[1], and more recently for the discovery of the vulnerability epidemic in wireless routers[2].

 

Contact:

Ted Harrington
+1-443-270-2296
[email protected]

Independent Security Evaluators
4901 Springarden Drive, #200
Baltimore, MD 21217 USA