Oh, the possibilities that a system of interconnected wireless devices — generally categorized as the Internet of Things (IoT) — can create, like smarter, more efficient offices, homes, vehicles and environments of all kinds, or new ways your business could be compromised by cybercriminals with you perfectly unaware.
At the BlackBerry Security Summit in July, the enterprise security solutions and communications provider had Campbell Murray and Fraser Winterborn, its technical director and head of R&D for encryption, respectively, perform a live hack before an audience into a business' secure wireless network through an electric teakettle. The two "white hat" hackers provide penetration testing services, one of the latest additions to BlackBerry's product and service portfolio.
Such a device is "something you probably haven't thought about much when it comes to security," Chief Security Officer David Kleidermacher understated in introducing the two. Walking the audience step-by-step through the hack, Murray pointed out that it could be done through "literally any device that is not a personal computing device and can be network-connected" that happens to have the right engineering flaws.
"The IoT device we have here is a teakettle. It could be anything — could be a fridge, blender, juicer, physical access control systems, industrial control systems — those all fall into the IoT category as well," Murray said. He narrated while Winterborn performed the hack.
Here's the setup:
The teakettle was connected wirelessly to an Apple iPhone to allow a user to, benignly enough, set up a schedule for it to boil. The iPhone was a BYOD (bring your own device) item an employee would use on the business' WiFi network, which had WK2 encryption. "It's not the best and not the worst enterprise-grade WiFi security you may have for your protection," Murray pointed out, "but for your average home office or small enterprise, this is what you'll most likely find."
Here's how they did it:
1. Get close enough to access the device's wireless connection. "We've got a bit of distance between the attack and the kettle. You can see there are no cables on the kettle, simply a power cord," said Murray. "It's communicating completely wirelessly, so Fraser could sit out in a car park or in the bushes in back of your office to perform all these functions."
2. Create a copy of the IoT device's secure WiFi network. Detecting the wireless network to which the kettle was connected, Winterborn created a copycat network. "It's not an exact copy; it's not a secure network. It's simply got the same name," Murray noted. "We refer to that as an SSID. You probably go home and your wireless network is called 'SmithsHome' or whatever you decided to call it."
3. Disconnect the IoT device from its proper network. "This is a feature, not a hack," Murray stressed. "It's actually how these things work. Quite often, enterprise networks might have multiple devices [connected], and if the phone stops working, you need to tell it to disconnect; if [a device] is not communicating, tell it to disconnect." Winterborn was able to de-authorize the wireless kettle from its network.
4. Connect the IoT device to your phony network. Murray explained the first security engineering flaw in the device: the kettle's wireless simply found a network with seemingly the correct name and a strong signal and reconnected, but had no verification it was the proper network.
"That kettle is now talking to us, not to its original network. That flaw in design, the lack of development-lifecycle assurance as they're putting this device together on the shop floor, means they've not really thought this through," Murray said. "They've not looked at the risks."
5. Get ready to send commands to the IoT device. In what he described as "a real problem" and the second security flaw, Murray noted the kettle had a very low-strength password to its own mechanism to communicate and receive commands.
"Whoever designed this really didn't put any thought into security, because the password is super-simple: It's six zeros," Murray said. "But obviously, it is a computing device, because the smartphone has to be able to communicate with it in some way."
6. Extract the password for the original WiFi network. "Now we have communication — we're now talking to the kettle and we're running one simple command," Murray told the audience. "We've extracted the stored WiFi password for the secure network.
"That's your third flaw: That password should not be stored in a reversible or unencrypted form," he continued. "There is no 'lay approach' to security."
7. Connect to the original secure WiFi network. "At this point, we've created no footprint as an attacker," said Murray. "We have the network key now, and we can pop that in quickly." Projected onto a large screen, the audience could then see data flowing within the secure network.