Photo: Aaron Marsh/Fleet Owner
"White hat" hackers Campbell Murray (at right) and Fraser Winterborn (far left) demonstrate at the BlackBerry Security Summit how engineering flaws and lack of forethought in IoT devices can essentially give cybercriminals a back door into a secure wireless network — and possibly allow them to leave no detectable trace they were ever there.

From teakettles to trucks: Breaking in through the IoT

Aug. 5, 2016
Oh, the possibilities that a system of interconnected wireless devices — generally categorized as the Internet of Things (IoT) — can create, like smarter, more efficient offices, homes, vehicles and environments of all kinds, or new ways your business could be compromised by cybercriminals with you perfectly unaware.

At the BlackBerry Security Summit in July, the enterprise security solutions and communications provider had Campbell Murray and Fraser Winterborn, its technical director and head of R&D for encryption, respectively, perform a live hack before an audience into a business' secure wireless network through an electric teakettle. The two "white hat" hackers provide penetration testing services, one of the latest additions to the company's product and service portfolio.

Such a device is "something you probably haven't thought about much when it comes to security," BlackBerry Chief Security Officer David Kleidermacher understated in introducing the two. Walking the audience step-by-step through the hack, Murray pointed out that it could be done through "literally any device that is not a personal computing device and can be network-connected" that happens to have the right engineering flaws.

"The IoT device we have here is a teakettle. It could be anything — could be a fridge, blender, juicer, physical access control systems, industrial control systems — those all fall into the IoT category as well," Murray said. He narrated while Winterborn performed the hack.

Here's the setup:

It's just an electric teakettle with WiFi capability — could it instead be an IoT device in your trucks or back office? (Aaron Marsh/Fleet Owner)

The teakettle was connected wirelessly to an Apple iPhone to allow a user to, benignly enough, set up a schedule for it to boil. The iPhone was a BYOD (bring your own device) item an employee would use on the business' WiFi network, which had WK2 encryption. "It's not the best and not the worst enterprise-grade WiFi security you may have for your protection," Murray pointed out, "but for your average home office or small enterprise, this is what you'll most likely find."

Here's how they did it:

1. Get close enough to access the device's wireless connection. "We've got a bit of distance between the attack and the kettle. You can see there are no cables on the kettle, simply a power cord," said Murray. "It's communicating completely wirelessly, so Fraser could sit out in a car park or in the bushes in back of your office to perform all these functions."

2. Create a copy of the IoT device's secure WiFi network. Detecting the wireless network to which the kettle was connected, Winterborn created a copycat network. "It's not an exact copy; it's not a secure network. It's simply got the same name," Murray noted. "We refer to that as an SSID. You probably go home and your wireless network is called 'SmithsHome' or whatever you decided to call it."

3. Disconnect the IoT device from its proper network. "This is a feature, not a hack," Murray stressed. "It's actually how these things work. Quite often, enterprise networks might have multiple devices [connected], and if the phone stops working, you need to tell it to disconnect; if [a device] is not communicating, tell it to disconnect." Winterborn was able to de-authorize the wireless kettle from its network.

4. Connect the IoT device to your phony network. Murray explained the first security engineering flaw in the device: the kettle's wireless simply found a network with seemingly the correct name and a strong signal and reconnected, but had no verification it was the proper network.

"That kettle is now talking to us, not to its original network. That flaw in design, the lack of development-lifecycle assurance as they're putting this device together on the shop floor, means they've not really thought this through," Murray said. "They've not looked at the risks."

5. Get ready to send commands to the IoT device. In what he described as "a real problem" and the second security flaw, Murray noted the kettle had a very low-strength password to its own mechanism to communicate and receive commands.

"Whoever designed this really didn't put any thought into security, because the password is super-simple: It's six zeros," Murray said. "But obviously, it is a computing device, because the smartphone has to be able to communicate with it in some way."

6. Extract the password for the original WiFi network. "Now we have communication — we're now talking to the kettle and we're running one simple command," Murray told the audience. "We've extracted the stored WiFi password for the secure network.

"That's your third flaw: That password should not be stored in a reversible or unencrypted form," he continued. "There is no 'lay approach' to security."

7. Connect to the original secure WiFi network. "At this point, we've created no footprint as an attacker," said Murray. "We have the network key now, and we can pop that in quickly." Projected onto a large screen, the audience could then see data flowing within the secure network.

"What was previously encrypted to us and secure in that office network — people are using it, and you've got a strong key — we can now see as standard network traffic," he added. "It's visible as plain text to us."

The IoT device's failure to encrypt its stored network password properly — one of the engineering flaws showcased — could allow hackers access to communications on the secure WiFi network. (Aaron Marsh/Fleet Owner)

8. Grab some data and do your dirtiest. Now able to connect to the original secure WiFi network, Winterborn captured a packet of email, which was unencrypted beyond the network password gateway.

"That's collection of email from a bring-your-own-device now for me as your average office worker," Murray noted. "I've simply connected to the secure network at my office — of course it's okay." The "email" the two collected in the demo, however, showed sensitive business information.

"This is the real flaw: if we compromise any communications across that wireless network, there is no forensic team in the world who are going to be able to discover how we did it," he explained. "We've only compromised the kettle; if we turn it off and back on again, it has no memory.

"So we'll just turn it off. Any trace of what we've done is now lost forever."
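The first design flaw in the walkthrough (steps 2 and 4: a copycat network only needs the same SSID, and the kettle rejoins whatever carries that name with the strongest signal) is the one a device maker can fix in software. The following added example, which is not code from the article, from BlackBerry or from the kettle's manufacturer, contrasts that naive reconnect policy with one that checks the access point's identity and security type, and adds a monitor-side check that flags the copycat; all network names and MAC addresses are constructed.

```python
# Added example (not from the article or BlackBerry): how an IoT device can
# avoid the step-4 flaw (rejoining any network that merely shares the SSID)
# and how a monitor can flag the step-2 copycat. All data is constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AccessPoint:
    ssid: str        # network name, the only thing the kettle checked
    bssid: str       # access point MAC address (sample values below)
    security: str    # "WPA2" or "OPEN"
    rssi: int        # signal strength in dBm (higher is stronger)

@dataclass(frozen=True)
class TrustedNetwork:
    ssid: str
    bssid: str
    security: str

def naive_select(ssid: str, scan: List[AccessPoint]) -> Optional[AccessPoint]:
    """The flawed policy from the demo: any AP with the right name, strongest
    signal wins. A copycat with a louder radio beats the real access point."""
    matches = [ap for ap in scan if ap.ssid == ssid]
    return max(matches, key=lambda ap: ap.rssi, default=None)

def hardened_select(trusted: TrustedNetwork, scan: List[AccessPoint]) -> Optional[AccessPoint]:
    """Rejoin only an AP whose SSID, BSSID and security type all match what was
    provisioned; signal strength never substitutes for identity."""
    for ap in scan:
        if (ap.ssid, ap.bssid.lower(), ap.security) == (
                trusted.ssid, trusted.bssid.lower(), trusted.security):
            return ap
    return None  # nothing trustworthy in range: stay offline and alert

def flag_copycats(trusted: TrustedNetwork, scan: List[AccessPoint]) -> List[AccessPoint]:
    """Monitor-side check: APs advertising the trusted SSID that differ in
    BSSID or security (the 'same name, not secure' copy from step 2)."""
    return [ap for ap in scan
            if ap.ssid == trusted.ssid
            and (ap.bssid.lower() != trusted.bssid.lower()
                 or ap.security != trusted.security)]

# Constructed sample scan: the real office AP, a louder open copycat, a bystander.
TRUSTED = TrustedNetwork("OfficeNet", "02:00:00:aa:bb:01", "WPA2")
SCAN = [
    AccessPoint("OfficeNet", "02:00:00:aa:bb:01", "WPA2", -67),
    AccessPoint("OfficeNet", "02:00:00:cc:dd:02", "OPEN", -38),
    AccessPoint("CoffeeShop", "02:00:00:ee:ff:03", "WPA2", -80),
]
```

With the sample scan, `naive_select` rejoins the open copycat because it is louder, while `hardened_select` picks the real access point and `flag_copycats` reports the copycat's BSSID.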

Murray put the hack — which took only a matter of minutes — into sobering context.

"Fraser has sat in a car park out in back of your office. He's compromised your office's secure network untraceably — he's not logged on to the network, he's not created any footprint and he's collected those secure communications," Murray said.

And it had all been done via an unassuming IoT device few would give a second — or even first — thought to in terms of cybersecurity. "As I said, it doesn't have to be a kettle — could be anything," Murray emphasized.

He advised businesses first to be cautious of what devices they allow to be brought into their networks, but also said a lack of appropriate security engineering is a larger industry problem. "As we become increasingly technical and increasingly involved in putting technology into things like mundane household devices," Murray said, "we've really got to start thinking about these things."

About the Author

Aaron Marsh

Before computerization had fully taken hold and automotive work took someone who speaks engine, Aaron grew up in Upstate New York taking cars apart and fixing and rewiring them, keeping more than a few great jalopies (classics) on the road that probably didn't deserve to be. He spent a decade inside the Beltway covering Congress and the intricacies of the health care system before a stint in local New England news, picking up awards for both pen and camera.

He wrote about you-name-it, from transportation and law and the courts to events of all kinds and telecommunications, and landed in trucking when he joined FleetOwner in July 2015. Long an editorial leader, he was a keeper of knowledge at FleetOwner ready to dive in on the technical and the topical inside and all-around trucking—and still turned a wrench or two. Or three. 
