At the security conference DerbyCon 3.0, Daniel Buentello gave a very interesting presentation titled “Weaponizing your coffee pot.” If you are not a morning person, then you might be a bit brain-dead until you have serious doses of caffeine. So if your high-tech coffee pot connected to the Internet of Things had been hijacked by a bad guy, how would you even know if it, or another of your connected appliances, were being used against you?
That’s not really too far-fetched. In March of 2012, Danger Room reported that CIA Director David Petraeus “cannot wait to spy on you” through your smart appliances. That was before the Petraeus scandal, involving Gmail location data, FBI spying and Petraeus’ extramarital affair. By 2020, there are estimates that between 50 billion to 500 billion devices will have mobile connections to the cloud. We’ve previously glimpsed a preview of your life in 2020 thanks to the Internet of Things, but what happens if the bad guys target devices connected to the Internet of Things, and to the cloud, with the Internet of cloud malware?
Buentello explained that connected devices are basically mini-computers, but there’s no antivirus on smart appliances in smart homes; there’s typically no user interface on connected devices, no mouse, no keyboard, no monitor, meaning the Internet of Things (IoT) will be an “attractive avenue for cyber criminals.” Your IoT devices could be used for a man-in-the-middle (MITM) attack. Security is usually tacked on as an afterthought . . . if it’s bolted on at all.
If your connected device was infected with a virus and made “persistent,” then if you removed a virus from your computer, your coffee pot, or your smart thermostat could then attack your computer and give it the virus again. What if all the IoT coffee pots were part of botnet and turned into slaves? Buentello also pointed out that there is multi-stage malware that could move from a computer to a connected thermostat and then to a connected “smart” light bulb.
“Weaponizing your coffee pot” had less to do with coffee or coffee pots than it did with embedded device security and how the Internet of Things will intersect with the Internet of malware (IoM) to become “bad guy heaven.”
He gave an example of a made-up coffee pot product, dubbed FrigidMore, which had "java"-scripts to control the coffee taste, push notifications sent to your smartphone to alert you that your coffee is ready, and was connected to the internet. Would you still be keen on the coffee pot if FrigidMore showed up on the connect-to Wi-Fi available list, since it was broadcasting a rogue Wi-Fi beacon?
Buentello then moved on to real products like the Nest thermostat that uses Wi-Fi. “The Nest Learning Thermostat automatically updates its software over Wi-Fi whenever an update is released.” In an IoM “story of a bad cloud,” he said a cyber crook won’t go after one or two specific devices when he or she can go after the cloud to push out malware to all connected devices and turn them into zombies. Imagine if that malware were a water heater vulnerability and it blew up all connected water heaters. If that seems a bit extreme, then maybe you should see what Buentello previously did to his brother’s Belkin Wemo.
In case you don’t know, anything can be plugged into the Wemo smart electrical socket and then be remotely controlled from a smartphone. Buentello plugged in a lamp and made it blink like it was possessed, with the relay clicking on and off, faster and faster like it might blow up until it had a strobe effect. The unauthenticated freak-out of the Wemo-connected lamp had him thinking, “Wow, this can’t be good.”
You can see Buentello’s video in which he used BackTrack for his remote shell and rapid state change Belkin Wemo exploit. He said his “exploit could be developed into a virus that will scan for WeMo devices. Once these Internet-connected devices are found, it’s easy to turn these devices on and off really fast; something not too dangerous for a desk lamp, but potentially lethal if it’s plugged into a space heater.”
Buentello also talked about how vendors would struggle to regain their appliance cloud. He gave examples of the social sites Facebook or Twitter being hacked and simply resetting their users' passwords. But what if an appliance cloud gets hacked? "The repercussions could be intensified immensely such that remediation could require a total recall of said appliances ($$$) . . . never mind the damage the attacker could do to someone's home," he told me.
Buentello gave a shorter 15-minute version of weaponizing your coffee pot at ToorCon Seattle 2013. You can see the video on his blog where he also explained hardware recon, hardware protocols in a nutshell. The updated DerbyCon version can help you hack your IoT connected devices; it also looks at Zwave and Zigbee . . . which were targeted by several attacking and hacking smart home presentations given at Black Hat and Def Con.
Images courtesy of Daniel Buentello