"White hat" hackers Campbell Murray, at right, and Fraser Winterborn, far left, demonstrate at the BlackBerry Security Summit how engineering flaws and lack of forethought in IoT devices can essentially give cybercriminals a back door into a secure wireless network — and possibly allow them to leave no detectable trace they were ever there.
Oh, the possibilities that a system of interconnected wireless devices — generally categorized as the Internet of Things (IoT) — can create, like smarter, more efficient offices, homes, vehicles and environments of all kinds, or new ways your business could be compromised by cybercriminals with you perfectly unaware.
At the BlackBerry Security Summit in July, the enterprise security solutions and communications provider had Campbell Murray and Fraser Winterborn, its technical director and head of R&D for encryption, respectively, perform a live hack before an audience into a business' secure wireless network through an electric teakettle. The two "white hat" hackers provide penetration testing services, one of the latest additions to the company's product and service portfolio.
Such a device is "something you probably haven't thought about much when it comes to security," BlackBerry Chief Security Officer David Kleidermacher understated in introducing the two. Walking the audience step-by-step through the hack, Murray pointed out that it could be done through "literally any device that is not a personal computing device and can be network-connected" that happens to have the right engineering flaws.
"The IoT device we have here is a teakettle. It could be anything — could be a fridge, blender, juicer, physical access control systems, industrial control systems — those all fall into the IoT category as well," Murray said. He narrated while Winterborn performed the hack.
Here's the setup:
The teakettle was connected wirelessly to an Apple iPhone to allow a user to, benignly enough, set up a schedule for it to boil. The iPhone was a BYOD (bring your own device) item an employee would use on the business' WiFi network, which had WPA2 encryption. "It's not the best and not the worst enterprise-grade WiFi security you may have for your protection," Murray pointed out, "but for your average home office or small enterprise, this is what you'll most likely find."
Here's how they did it:
1. Get close enough to access the device's wireless connection. "We've got a bit of distance between the attack and the kettle. You can see there are no cables on the kettle, simply a power cord," said Murray. "It's communicating completely wirelessly, so Fraser could sit out in a car park or in the bushes in back of your office to perform all these functions."
2. Create a copy of the IoT device's secure WiFi network. Detecting the wireless network to which the kettle was connected, Winterborn created a copycat network. "It's not an exact copy; it's not a secure network. It's simply got the same name," Murray noted. "We refer to that as an SSID. You probably go home and your wireless network is called 'SmithsHome' or whatever you decided to call it."
3. Disconnect the IoT device from its proper network. "This is a feature, not a hack," Murray stressed. "It's actually how these things work. Quite often, enterprise networks might have multiple devices [connected], and if the phone stops working, you need to tell it to disconnect; if [a device] is not communicating, tell it to disconnect." Winterborn was able to de-authorize the wireless kettle from its network.
4. Connect the IoT device to your phony network. Murray explained the first security engineering flaw in the device: the kettle's wireless simply found a network with seemingly the correct name and a strong signal and reconnected, but had no verification it was the proper network.
"That kettle is now talking to us, not to its original network. That flaw in design, the lack of development-lifecycle assurance as they're putting this device together on the shop floor, means they've not really thought this through," Murray said. "They've not looked at the risks."
5. Get ready to send commands to the IoT device. In what he described as "a real problem" and the second security flaw, Murray noted the kettle had a very low-strength password to its own mechanism to communicate and receive commands.
"Whoever designed this really didn't put any thought into security, because the password is super-simple: It's six zeros," Murray said. "But obviously, it is a computing device, because the smartphone has to be able to communicate with it in some way."
6. Extract the password for the original WiFi network. "Now we have communication — we're now talking to the kettle and we're running one simple command," Murray told the audience. "We've extracted the stored WiFi password for the secure network.
"That's your third flaw: That password should not be stored in a reversible or unencrypted form," he continued. "There is no 'lay approach' to security."
7. Connect to the original secure WiFi network. "At this point, we've created no footprint as an attacker," said Murray. "We have the network key now, and we can pop that in quickly." Projected onto a large screen, the audience could then see data flowing within the secure network.
"What was previously encrypted to us and secure in that office network — people are using it, and you've got a strong key — we can now see as standard network traffic," he added. "It's visible as plain text to us."
8. Grab some data and do your dirtiest. Now able to connect to the original secure WiFi network, Winterborn captured a packet of email, which was protected only by the WiFi network's own encryption and otherwise travelled in the clear.
"That's collection of email from a bring-your-own-device now for me as your average office worker," Murray noted. "I've simply connected to the secure network at my office — of course it's okay." The "email" the two collected in the demo, however, showed sensitive business information.
"This is the real flaw: if we compromise any communications across that wireless network, there is no forensic team in the world who are going to be able to discover how we did it," he explained. "We've only compromised the kettle; if we turn it off and back on again, it has no memory.
"So we'll just turn it off. Any trace of what we've done is now lost forever."
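Steps 2 and 3 are the parts of the chain a wireless monitor can see from the defender's side. The following detection logic is an added example, not code from the article or from BlackBerry's demo: it runs over constructed 802.11 management-frame summaries (the field names and MAC addresses are this example's assumptions) and flags an SSID advertised both with and without WPA2 protection, and a burst of deauthentication frames aimed at one client.

```python
"""Detection logic for the copycat-SSID and forced-disconnect steps of the demo.
Frame summaries are constructed sample data; a monitor-mode capture or a WIDS
would supply real ones. Field names and MACs are this example's assumptions."""
from collections import defaultdict

# (timestamp_s, frame_subtype, fields) -- constructed sample data, not a real capture
FRAMES = [
    (0.00, "beacon", {"ssid": "SmithsHome", "bssid": "02:00:00:00:aa:01", "rsn": True}),
    (0.10, "beacon", {"ssid": "SmithsHome", "bssid": "02:00:00:00:aa:01", "rsn": True}),
    (0.20, "beacon", {"ssid": "SmithsHome", "bssid": "02:00:00:00:ee:01", "rsn": False}),
    (0.25, "beacon", {"ssid": "GuestNet",   "bssid": "02:00:00:00:aa:02", "rsn": False}),
    (0.30, "deauth", {"bssid": "02:00:00:00:aa:01", "target": "02:00:00:00:10:01"}),
    (0.31, "deauth", {"bssid": "02:00:00:00:aa:01", "target": "02:00:00:00:10:01"}),
    (0.32, "deauth", {"bssid": "02:00:00:00:aa:01", "target": "02:00:00:00:10:01"}),
    (0.33, "deauth", {"bssid": "02:00:00:00:aa:01", "target": "02:00:00:00:10:02"}),
    (0.33, "deauth", {"bssid": "02:00:00:00:aa:01", "target": "02:00:00:00:10:01"}),
]

def find_evil_twins(frames):
    """Return {ssid: BSSIDs advertising it WITHOUT an RSN (WPA2) element} for each
    SSID that is also advertised WITH one: the same-name-but-open network of step 2."""
    seen = defaultdict(lambda: {"protected": set(), "open": set()})
    for _, subtype, f in frames:
        if subtype == "beacon":
            seen[f["ssid"]]["protected" if f["rsn"] else "open"].add(f["bssid"])
    return {ssid: s["open"] for ssid, s in seen.items() if s["protected"] and s["open"]}

def find_deauth_bursts(frames, window_s=1.0, threshold=4):
    """Return {target_mac: most deauth frames seen in any window_s-wide window} for
    targets hit by at least `threshold` frames in one window. An AP sends the odd
    deauth legitimately; a flood at one client is the step 3 signal."""
    times = defaultdict(list)
    for t, subtype, f in frames:
        if subtype == "deauth":
            times[f["target"]].append(t)
    bursts = {}
    for target, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window_s:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[target] = best
    return bursts

if __name__ == "__main__":
    print("evil twins:", find_evil_twins(FRAMES), "deauth bursts:", find_deauth_bursts(FRAMES))
```

Pairing the two alerts (an open twin of a protected SSID appearing just before a deauth flood against a client of the real one) is what distinguishes this chain from ordinary roaming noise.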
Murray put the hack — which took only a matter of minutes — into sobering context.
"Fraser has sat in a car park out in back of your office. He's compromised your office's secure network untraceably — he's not logged on to the network, he's not created any footprint and he's collected those secure communications," Murray said.
And it had all been done via an unassuming IoT device few would give a second — or even first — thought to in terms of cybersecurity. "As I said, it doesn't have to be a kettle — could be anything," Murray emphasized.
He advised businesses first to be cautious of what devices they allow to be brought into their networks, but also said a lack of appropriate security engineering is a larger industry problem. "As we become increasingly technical and increasingly involved in putting technology into things like mundane household devices," Murray said, "we've really got to start thinking about these things."