Vulnerable "Smart" Devices Make an Internet of Insecure Things

Photo: Robyn Beck/AFP/Getty Images

According to recent research [PDF], 70 percent of Americans plan to own, in the next five years, at least one smart appliance like an internet-connected refrigerator or thermostat. That's a skyrocketing adoption rate considering the number of smart appliance owners in the United States today is just four percent. 

Yet backdoors and other insecure channels have been found in many such devices, opening them to possible hacks, botnets, and other cyber mischief. Although the widely touted hack of smart refrigerators earlier this year has since been debunked, there’s still no shortage of vulnerabilities in the emerging, so-called Internet of Things.

Enter, then, one of the world’s top research centers devoted to IT security, boasting 700 students in this growing field, the Horst Görtz Institute for IT Security at Ruhr-University Bochum in Germany. A research group at HGI, led by Christof Paar—professor and chair for embedded security at the Institute—has been discovering and helping manufacturers patch security holes in Internet-of-Things devices like appliances, cars, and the wireless routers they connect with.

Paar, who is also adjunct professor of electrical and computer engineering at the University of Massachusetts at Amherst, says there are good engineering, technological, and even cultural reasons why security of the Internet of Things is a very hard problem.

For starters, it’s hard enough to get people to update their laptops and smartphones with the latest security patches. Imagine, then, a world where everything from your garage door opener, your coffeemaker, your eyeglasses, and even your running shoes have possible vulnerabilities. And the onus is entirely on you to download and install firmware updates—if there are any.

Furthermore, most Internet-connected “things” are net-savvier iterations of designs that have long pre-Internet legacies—legacies in which digital security had previously never been a major concern. But, Paar says, security is not just another new feature to be added onto an Internet-connected device. Internet security requires designers and engineers embrace a different culture altogether.

“There’s essentially no tolerance for error in security engineering,” Paar says. “If you write software, and the software is not quite optimum, you might be ten percent slower. You’re ten percent worse, but you still have pretty decent results. If you make one little mistake in security engineering, and the attacker gets in, the whole system collapses immediately. That’s kind of unique to security and crypto-security in general.”

Paar’s research team, which published some of its latest findings in Internet-of-Things security this summer, spends a lot of time on physical and electrical engineering-based attacks on IoT devices, also called side-channel attacks.

For instance, in 2013 Paar and six colleagues discovered an exploit in an Internet-connected digital lock made by Simons Voss. It involved a predictable, non-random number the lock’s algorithm used when challenging a user for the passcode. And the flaws in the security algorithm were discoverable, they found, via the wireless link between the lock and its remote control.

The way they handled the discovery was how they handle all security exploit discoveries at the Institute, Paar says. They first revealed the weakness to the manufacturers and offered to help patch the error before they publicized the exploit.

“They fixed the system, and the new generation of their tokens is better,” he says. “They had homegrown crypto, which failed. And they had side-channel [security], which failed. So we had two or three vulnerabilities which we could exploit. And we could repair all of them."

Of the scores of papers and research reports the Embedded Security group publishes, Paar says one of the most often overlooked factors behind hacking is not technological vulnerabilities but economic ones.

“There’s a reason that a lot of this hacking happens in countries that are economically not that well off,” Paar says. “I think most people would way prefer having a good job in Silicon Valley or in a well-paying European company—rather than doing illegal stuff and trying to sell their services.”

But as long as there are hackers, whatever their circumstances and countries of origin, Paar says smart engineering and present-day technology can stop most of them in their tracks.

“Our premise is that it’s not that easy to do embedded security right, and that essentially has been confirmed,” he says. “There are very few systems we looked at that we couldn’t break. The shocking thing is the technology is there to get the security right. If you use state of the art technology, you can build systems that are very secure for practical applications.”


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones