Hacking the Internet of Things for Good


Published on

From your phone to your car to your house, just about everything is connected. Learn what Lookout is doing to protect you and your devices in this new world we're living in.

Published in: Technology
  • You like why know i can back anything car read it Book was call the deat of money
    Are you sure you want to  Yes  No
    Your message goes here
  • work of his companies Scot & fizer company
    Are you sure you want to  Yes  No
    Your message goes here
  • I new need come to my rescue don't don't hell i like if didn't know
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Hacking the Internet of Things for Good

  1. 1. HACKING THE INTERNET OF THINGS FOR GOOD By Marc Rogers Principal Security Analyst at Lookout, Inc.
  2. 2.  WE LIVE IN A CONNECTED WORLD     
  3. 3. Everyday objects are being transformed by the addition of sensors that enable them to interact with the world, processors that enable them to think about it, and network interfaces that allow them to to talk about it. 
  4. 4.       The benefits that these intelligent, connected devices bring to our lives are almost too numerous to count.
  5. 5. You can control the temperature in your home from your phone with a programmable thermostat. 
  6. 6. You can ask your car for directions as you drive.
  7. 7.  You can check your email from your game console.
  8. 8. As they connect to each other, sharing what they see, hear, and know, these new intelligent, thinking devices are driving a second Internet Age.  
  9. 9.      But when we give these things intelligence and senses, we also fundamentally change their nature. Mundane objects that were once familiar and unremarkable from a security perspective have suddenly become the keepers of sensitive personal information. 
  10. 10.   For example, the traditional thermostat hanging on the wall held little attraction to cybercriminals. A connected thermostat — that can tell whoever controls it how many people live in a house, what technology connects to their network, and, most seriously, when the house is unoccupied — is an attractive target.  
  11. 11. As we change the nature of things, identifying vulnerabilities and managing updates quickly and efficiently will be paramount.
  12. 12. Connected things need to be thought of as software when it comes to security, and Google Glass is the perfect example.
  13. 13. We found that Google Glass carries out a QR code without you ever having to tell it to.
  14. 14. In theory, this is an awesome idea. In the future, you could buy a cup of coffee just by looking at a menu, or if you were in a foreign country, the menu would automatically translate to your language if you had Glass on.
  15. 15. But it takes control away from you, and opens a window of opportunity for an attacker. Exposing sensitive data or managing important configuration settings should only happen at the wearer’s request.
  16. 16. While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices. Unfortunately, this is exactly what we found.
  17. 17. Glass was hacked by the image of a malicious QR code. Both the vulnerability and its method of delivery are unique to Glass as a consequence of it becoming a connected thing.
  18. 18. Lookout recommended that Google limit QR code execution to points where the user has solicited it. We disclosed our findings to Google on May 16.
  19. 19. Everything is OK Google clearly worked quickly to fix the vulnerability as the issue was fixed by version XE6, released on June 4th. Google made changes that reflected this recommendation.
  20. 20. This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and set a benchmark for how connected things should be secured going forward. 
  21. 21. Embedded hardware developers should take a page out of Google’s vulnerability management process and approach wearables, connected things and anything with a sensor with the same mindset that Google is currently treating Glass. 
  22. 22. Just as pressing, in our connected world, security and updates must be baked into these new devices from the start. 
  23. 23. Companies with roots in software engineering will understand this, while many others may struggle with the unfamiliar issues and sheer complexity of managing millions of things. Because a wide array of traditionally mundane items are being connected, many companies creating connected devices are unfamiliar with the potential dangers they may be creating for users by failing to act when vulnerabilities arise.
  24. 24. At least four models of insulin pump sold by the manufacturer Medtronic were vulnerable to wireless attack. In 2011, Jerome Radcliffe discovered that
  25. 25. An insulin pump is an intelligent, connected medical device that replaces the more traditional syringe method of delivering insulin. The insulin pump most often works in conjunction with a continuous glucose monitor, a device with multiday sensors that continuously measures blood glucose levels, passing the telemetry on to an insulin pump so it can calculate how much insulin to deliver. This is where the wireless connectivity comes in handy.
  26. 26. Allowing the insulin pump and monitor to talk wirelessly is much more convenient for the wearer, reducing the number of wires and expanding the range of devices that can monitor the patient’s well-being. This is also where the security vulnerability is found. diagram
  27. 27. In designing the way these devices communicate, the only security measure implemented by the manufacturer was the need to use a valid serial number when communicating. This means an attacker who uses radio equipment to monitor the traffic between a patient’s monitor and insulin pump can replay that traffic, disabling the insulin pump or, even worse, fooling the insulin pump into delivering incorrect dosages of medicine. 
  28. 28. As a consequence, two years on, the Medtronic Paradigm 512, 522, 712, and 722 insulin pumps remain vulnerable to wireless attack. Radcliffe disclosed his findings to Medtronic who ultimately denied that they were a major concern due to the fact that there was no sign of the issues being exploited in the wild and due to the fact that they felt it would be technically difficult for a malicious party to carry the attacks out.
  29. 29. In a world where computing is getting closer to our physical selves, companies incorporating sensors into their devices can’t afford a failure of imagination, or a vulnerability management failure. 
  30. 30. The fact is, there’s an existential question when it comes to the connected world: Do you put out something that makes life infinitely easier? OR  Do you hold back and make sure it’s more secure?
  31. 31. It’s going to take a new kind of imagination for every hardware and software company to secure the next generation of devices. We can do this. Read more about our approach to securing the connected world at http://bit.ly/hackingforgood
  32. 32. Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/connected-world @marcwrogers