A simple project to study compromised security cameras drew a trio of researchers deep into an investigation of the security risks of today’s connected devices. After they figured out how to bypass the camera’s authentication system and access its feed, they wondered what other devices in the growing Internet of Things (IoT) might also be vulnerable to hacking. Their list—which includes drones, children’s toys, and vibrators—raises serious concerns about the security of IoT devices.
“Our initial goal was to see if these systems were protecting the privacy of their users, but as we dug deeper into how these devices worked and how they interacted with their users, we realized that abuse was a new and unexplored possibility,” explains Alvaro Cardenas of the University of California, Santa Cruz.
In one scenario, his team showed that it’s possible to hack a children’s toy, called CogniToys Dino. In this case, an attacker can access sensitive information the child has shared with the toy, or even communicate with the child through the toy.
In normal use, children talk to Dino, which responds with surprisingly realistic answers. To achieve this effect, audio of the child’s voice is transmitted and stored in the cloud.
To assess the toy’s vulnerabilities to hacking, the researchers bought a Dino and began analyzing the encrypted Real-Time Transport Protocol (RTP) traffic, which transmits audio between the Dino device and the cloud. They noticed repeated patterns in the encrypted traffic and suspected that these patterns contained information about the key and crypto algorithm used to encrypt the traffic. To confirm this, they bought a second Dino, which exhibited the same patterns.
“Since the traffic was encrypted, that could only mean one thing—the Dino devices were using a weak mode of encryption and the same set of hard-coded keys to encrypt/decrypt traffic,” explains Cardenas. “Since the Dinos used the same keys, we could use one of the Dinos to decrypt the network traffic the other was sending, without us even knowing the keys being used, only their identifiers.”
By doing so, a hacker can access the audio recordings that a child shares with the toy, which could include sensitive information such as the child’s age or address. But Cardenas points to a more severe potential abuse of power—using the encryption keys, a hacker can insert his or her own voice recording into an interaction between a child and the toy, all the while sounding like Dino.
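The repeated-pattern observation described above can be turned into a defensive audit of captured device traffic. The sketch below is an added example, not code from the study: the 16-byte block size, the keyed-hash stand-in for the toy's unnamed cipher, and all sample frames and keys are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # assumed cipher block size in bytes; the article does not state it


def toy_encrypt(key, payload, nonce=b""):
    """Stand-in for a block cipher (NOT real encryption): each block maps to a
    keyed hash. With an empty nonce it is deterministic, like a weak mode."""
    out = b""
    for i in range(0, len(payload), BLOCK):
        block = payload[i:i + BLOCK].ljust(BLOCK, b"\0")
        tweak = nonce + i.to_bytes(4, "big") if nonce else b""
        out += hmac.new(key, tweak + block, hashlib.sha256).digest()[:BLOCK]
    return out


def blocks(packets):
    """Split each packet payload into BLOCK-sized ciphertext blocks."""
    return [p[i:i + BLOCK] for p in packets
            for i in range(0, len(p) - BLOCK + 1, BLOCK)]


def audit(capture_a, capture_b):
    """Count repeated blocks within one capture and blocks shared by two devices."""
    a, b = blocks(capture_a), blocks(capture_b)
    repeats_a = sum(n - 1 for n in Counter(a).values() if n > 1)
    shared = len(set(a) & set(b))
    return {"repeats_in_a": repeats_a, "shared_between_devices": shared,
            "weak": repeats_a > 0 or shared > 0}


# Constructed sample traffic: three 32-byte audio frames, two of them silence.
SILENCE = b"\x00" * 32
FRAMES = [SILENCE, b"constructed-voice-frame-0001....", SILENCE]
SHARED_KEY = b"hard-coded-key-placeholder"  # constructed; same in both devices


def demo():
    weak_a = [toy_encrypt(SHARED_KEY, f) for f in FRAMES]
    weak_b = [toy_encrypt(SHARED_KEY, f) for f in FRAMES]
    # Hardened contrast: per-device random key and a fresh nonce per packet.
    key_a, key_b = os.urandom(32), os.urandom(32)
    good_a = [toy_encrypt(key_a, f, os.urandom(12)) for f in FRAMES]
    good_b = [toy_encrypt(key_b, f, os.urandom(12)) for f in FRAMES]
    return audit(weak_a, weak_b), audit(good_a, good_b)


if __name__ == "__main__":
    print(demo())
```

Any nonzero count is a finding: repeats within one capture point to a deterministic mode, and blocks shared between two devices point to a shared key.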
In another series of experiments, the researchers explored ways to hack vibrators. Vibrators that can be controlled remotely by apps are growing in popularity, and can be used, for example, between couples in long-distance relationships.
When attempting to intercept data transmissions involving the phone app used to control the Vibease vibrator, the researchers found unencrypted information that allows a hacker to obtain the username and password of a trusted partner—which could allow the hacker to impersonate an intimate partner and control the vibrator remotely.
A second type of vibrator the group analyzed, OhMiBod, uses encrypted data; however, it runs on a platform that uses tokens, which are distinct data snippets used to verify users. The researchers were able to infiltrate the settings of the app on a test phone and retrieve the session tokens of any users and their associated usernames. By swapping a victim’s token and username into their own phone, a hacker can assume the identity of any other registered user, including that of a trusted partner.
Among the easiest devices that the team hacked were drones that allow users to remain anonymous. A hacker within Wi-Fi range can simply connect to the drone’s Wi-Fi access point (which does not require a password), establish a connection, and then access files transferred to and from the drone. With this access, an attacker can also take control of the drone to crash it, cause damage to infrastructure, injure bystanders, or spy through the drone’s camera. Details of each of these experiments are highlighted in a study published 2 August in IEEE Security & Privacy.
The researchers alerted the manufacturers of all devices they analyzed to the problems they uncovered, and said that the vibrator-makers were very responsive and have addressed the vulnerabilities. The company that sells CogniToys Dino originally consulted the researchers about the problem with the intent to fix the encryption key vulnerability in their system, but the researchers say the problem had not been patched at the time of their study’s publication, and that all vulnerabilities of the drones remained unaddressed.
Based on these results, Cardenas emphasizes the need for consumers to be aware of IoT vulnerabilities. “We believe (the vulnerabilities in this study) are the tip of the iceberg. New functionalities will always come with new vulnerabilities, and as our society becomes more dependent on automation and IoT, the impact of IoT attacks will grow,” he says.
“Because the impact of these attacks won’t affect the developers of IoT, a pure market-driven solution for fixing the security problem will likely fail,” Cardenas adds. “We need more efforts from governments around the world to help us secure IoT devices by incentivizing companies and investing in research and awareness of this problem.”
Michelle Hampson is a freelance writer based in Halifax. She frequently contributes to Spectrum's Journal Watch coverage, which highlights newsworthy studies published in IEEE journals.