The Internet of Things is talked about a lot and many people are unsure what it really is, but at DEF CON 23 this summer in Las Vegas, that should become a lot more clear as attendees compete to hack IoT devices.
“Pwning IoT via Hardware Attacks” is a competition starting this year as part of IoT Village, a new sector of the conference focusing on security of proliferating device such as sensors, meters, industrial controls and smart appliances.
As part of the village attendees can enter their successful compromises against IoT devices in an attempt to win prizes. The entries will be judged on the severity of the compromise – how thoroughly a machine is taken over – and how it can be accessed, such as remotely or without being detectable, says Chase Schultz, a security researcher for Independent Security Evaluators (ISE), which is organizing the competition.
Chase Schultz
The hope is that the competition will promote more consideration being given to security in the design of IoT devices, he says. “There’s still a lot of work to be doing before consumers go full on with adoption of IoT devices,” Schultz says.
The competition has tried to compile a range of device types, from routers to toys to storage devices. The list of specific devices is: ASUS RT-AC3200 and Zyxel AC1750 routers, Netgear VMS3130 Security Camera System, Foscam FI9821W V2 Camera/Monitor, Samsung Smart Cam IP Baby Monitor, Chamberlain Myq-G0201 Garage Door Opener, ZKSoftware T4-C Time and Attendance Reader, Blipcare Wi-Fi Blood Pressure Monitor, Fitbit Aria Wi-Fi Smart Scale, i-spy HappyCow Tank w/ Camera, Apple Time Capsule 3TB Network Storage, LockState LS-500i-L-RB Remote Wi-Fi Lock and Hysoon Network Enabled Biometric Lock.
The competition will all be conducted under principles of responsible disclosure under which vendors will be notified of the vulnerabilities that are exploited to give them a chance to fix them before they are publicly revealed.
Schultz entered a similar competition at DEF CON last year called SOHOplessly Broken and did well enough hacking wireless routers that he caught the eye of ISE, which offered him a job. SOHOpelessly Broken was directed at SOHO routers for which 56 zero-day vulnerabilities were already known. The competition turned up 15 more, says Ted Harrington, executive director of ISE.
He says security of IoT devices should be a great concern because there is so much enthusiasm for the devices, but so little focus on securing them. “Security is not a priority. It glosses over the fact that IoT brings with it tremendous security impact, and health, safety and privacy issues,” Harrington says. “This is a tsunami that’s going to come crashing down soon.”