IoT: When my Home's Thermostat Becomes a Weapon
A Look at the Internet of Things (IoT). Exploring Existing Threats and a Few New Ones.
January 23, 2017
As I consider the Internet of Things (IoT), I think of things like
smart-watches, internet baby cameras, home thermostats, and other neat
technologies. I recently pondered a broad range of security concerns and
thought it might be fun to explore these questions a bit further and
share some thoughts and suggestions.
What's the security situation with all my cool gadgets?
My home's thermostat is smart and connected to the Internet. This gadget
is a wonderful innovation and part of the virally expanding portfolio of
Internet of Things (or IoT) devices. You all know about these, and
likely have one or many in your own home or apartment. In fact, industry
studies suggest that each person on the planet will own at least five
IoT gadgets by 2020.
My thermostat allows me to alter my home's temperature and check the
current settings from the convenience of my cell phone. All cool (pun
intended), right? Well, this convenience raises some important secondary
concerns and a completely new set of questions. But, hold these
particular thoughts for a minute. A smart thermostat is technically a
system, complete with an operating system, a wireless network interface,
the ability to control another system, and configurable settings
(schedule, override, notifications, etc.).
With an operating system, one must safeguard the OS against unauthorized
access, rootkits and malware infiltration, which can infect the system
and alter its intended behavior.
With a wireless network interface, one must deny access to outsiders or
bad actors. In the case of a wireless network, let us not forget that a
bad actor could hijack your thermostat from the seat of their car parked
outside your house. However, a bad actor would more likely gain access
via the internet, either through a poorly configured firewall (or no
firewall), or via open insecure ports on an internet router. Quick
question, when was the last time you logged into your Internet Router
and checked its settings? Thought so. Regardless of the method a bad guy
may use to get into your local area network (LAN), he or she being there
is not good. Once on your LAN, the bad actor can and will discover every
vulnerable device and shared file on the LAN, including any VPN
connections to your employer, which raises some distinct problems and
liabilities for both the employee and the employer.
With a device that can control another device, one must understand the
downstream devices that can be controlled by the IoT device (aka, the
furnace/AC controlled by the thermostat) and that compromising the
controlling device (aka, the thermostat) gains immediate access to
control any downstream controlled device (aka, the furnace/AC system).
With a device that has alterable settings (a configuration table, so to
speak), one must safeguard the table from unauthorized alteration. But
there's one challenge with safeguarding these settings on many IoT
devices. The last time I checked my thermostat there was no password
protection. Thus once I connect to the thermostat, I can change any
setting without challenge.
Now, let's come back to the point I asked you to hold onto: the cell phone
app that allows me to control my thermostat from afar. Yes, there is a
third-party involved between me (my cellphone) and my thermostat. It's
the thermostat manufacturer's service that connects us. In principle, my
thermostat connects to the manufacturer, and my cell phone app connects
to the same place, and we're matched by a lookup code that associates
us.
What about the thermostat manufacturer?
The manufacturer's security infrastructure surrounding this "meeting place"
becomes one of the most critical components in the mix. I guess I
really need to trust my thermostat manufacturer, right? Have they
designed reasonable security into the product? Do they have security
personnel dedicated to the job and constantly monitoring and testing the
environment? Have they secured their product development networks and
customer-portal networks? Lots of questions, few answers come to mind.
A commercial product manufacturer's network will likely be more secure
than most home wireless networks. But it's important you know that we
as consumers become completely and immediately reliant upon the security
that the manufacturer has designed into their products, and upon the
appropriate layers of security they have implemented and applied within
their networks to protect their thermostat (or whatever product) from
being infiltrated by an outsider.
I don't think very many consumers pay much attention to this aspect of
certain IoT devices, likely because coolness sometimes overrides the
messy topic of security. If you think about how rapidly brand new IoT
technologies and start-ups come onto the scene, you have to wonder: have
they really implemented a secure infrastructure and hardened their
products and services to adequately protect your data and your
network? I don't know about you, but this makes me wonder.
So What Could a Hacked Thermostat Do Anyway?
What if my thermostat manufacturer's system or network is hacked? Millions
of subscribers' thermostats (or worse, the downstream controlled
furnace) could all be compromised as a result. What if a bad actor were
to alter the temperature in every smart thermostat to the maximum
possible setting (say, 99 degrees) and leave it there until you pay the
ransom? A team at DEF CON demonstrated this very scenario just this past
summer. Or, what if a bad actor compromised all thermostats to initiate
a massive distributed denial of service attack on another victim,
perhaps a targeted business, or Internet DNS servers (which actually
occurred very recently)?
If this attack was for the purpose of a ransomware scenario, then the
sure-fire home solution is to simply shut off the thermostat and replace
it with a different device or a non-tech variant. This eliminates the
problem entirely. But this fix is not as easily accomplished in
commercial businesses or hospitals, where the complexity and impact are
far greater.
What if all the smart thermostats turned on all furnaces at the same
time? Could this cause a significant measurable drain on our electrical
power grids? Perhaps not so much at the present time, because not every
home has a smart thermostat, nor are they all the same brand of smart
thermostat. But given the time and the motive, the capability definitely
exists for a bad actor to infiltrate a broad range of smart thermostat
brands, business HVAC systems, and other targets, and create a
coordinated attack through exploitation of many brands of thermostats
and smart devices. This would become a new type of attack, and certainly
one that could be categorized as being among the aspirations of
nation-state bad actors rather than being attributed to an individual
bad actor.
There are things about things that we just don't yet know.
All these "what-ifs" could actually occur. And, over time, they will in one form or another.
So, Could My Thermostat Steal My Data? Actually, yes.
There are additional concerns besides using thermostats as ransomware
devices, or as "mules" in a distributed denial of service botnet attack
against a 3rd party. What if a bad actor hacked the thermostat
manufacturer's network and introduced a malicious thermostat OS update
with the ability to steal data from devices on your LAN, or the ability
to spread malware to them?
Perhaps a bad actor configures the hacked thermostat to function
normally but with an additional malicious feature. What if a hacked
thermostat were to become a data leakage device sitting inside your LAN
with the sustained ability to forward every piece of electronic data
from every device on your LAN (your PCs, your file shares, your media
devices, etc.), sending it all to a malicious site somewhere in the
ether? This type of attack may not need to steal data very quickly; it
could go undetected for weeks or perhaps months or years as it siphons
data in bits and pieces in a sustained attack. While the latter type of
attack is a bit more sophisticated in its approach, the operating system
and technology present in many small micro-controlled systems (e.g.
Linux and Java) could make the smart thermostat a formidable place for
such an attack to begin.
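A per-day volume alarm would miss the slow, sustained leak described above, so this added example (not from the original article) flags devices that keep uploading to hosts other than their vendor's service. The device names, host names and flow records are constructed, and the per-device destination list and the thresholds are assumptions.

```python
from collections import defaultdict

# Assumption: each IoT device should only talk to its vendor's service.
EXPECTED_DESTINATIONS = {
    "thermostat": {"api.thermostat-vendor.example"},
    "camera": {"relay.camera-vendor.example"},
}

# Constructed sample flow records: (day, device, destination, bytes_uploaded)
SAMPLE_FLOWS = [
    (1, "thermostat", "api.thermostat-vendor.example", 4_000),
    (1, "thermostat", "files.unknown-host.example", 60_000),
    (2, "thermostat", "api.thermostat-vendor.example", 4_200),
    (2, "thermostat", "files.unknown-host.example", 55_000),
    (3, "thermostat", "files.unknown-host.example", 70_000),
    (4, "thermostat", "files.unknown-host.example", 65_000),
    (1, "camera", "relay.camera-vendor.example", 900_000),
    (3, "camera", "ntp.pool.example", 300),
]


def find_slow_leaks(flows, expected, min_days=3, min_total_bytes=100_000):
    """Flag devices that keep uploading to unexpected hosts over many days.

    Each day's upload can be small, so the check requires persistence
    (min_days) plus cumulative volume (min_total_bytes) per destination.
    """
    days = defaultdict(set)    # (device, destination) -> days seen
    totals = defaultdict(int)  # (device, destination) -> bytes uploaded
    for day, device, dst, sent in flows:
        if dst in expected.get(device, set()):
            continue  # traffic to the vendor's service is expected
        days[(device, dst)].add(day)
        totals[(device, dst)] += sent
    findings = []
    for (device, dst), seen in days.items():
        if len(seen) >= min_days and totals[(device, dst)] >= min_total_bytes:
            findings.append({"device": device, "destination": dst,
                             "days": len(seen), "bytes": totals[(device, dst)]})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for finding in find_slow_leaks(SAMPLE_FLOWS, EXPECTED_DESTINATIONS):
        print(finding)
```

The flow records would come from whatever the router or a LAN monitor can export; the single-day, 300-byte camera lookup stays below both thresholds and is not reported.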
In a similar manner to the hacked thermostat, what if the bad actor
infiltrated the respective cell phone app with a malicious version, with
the ability to harvest all your contacts, credit card info, and other
sensitive data stored in your cell phone?
When you think about this, and use your imagination, the possibilities along with the potential nightmares are endless.
My Home's LAN is not that interesting to a "bad actor", Right? Wrong.
Actually, your home network is pretty interesting to bad actors. Home local area
networks are changing in many ways. With more connected devices such as
IoT devices, increased data storage devices (local and cloud connected),
and media sharing devices, your network is a very interesting place.
Home network Internet connection speeds have dramatically increased to
impressive levels, thanks to powerful fiber optics and advanced consumer
bandwidth plans that rival many commercial business networks. Most home
networks today boast extremely fast download connection speed (in many
cases greater than 100Mb). More importantly to the aspect of data theft,
these also boast the same high-capacity bandwidth for uploads as
well. Thus, the homeowner's local area network may have 100Mb or
greater down/up with very little security beyond the Internet
router. Unlike commercial business networks, the home network typically
does not employ advanced security perimeter controls such as intrusion
detection systems, data leakage prevention, or enforced access control
policy mechanisms. This is why it is an attractive place for bad actors.
In other words, once a bad actor gets access past your cable router,
they would potentially have access to a wide open network, complete with
an extremely fast Internet connection, which they could establish as
a beachhead to launch other attacks, and attack you.
Think of the many hundreds of millions of home networks out there for a
bad actor to choose from, most of which are wide open territory. Now
think of the volume of IoT gadgets out there. Early predictions
regarding IoT growth indicate that the number of IoT gadgets will reach
20.8 billion devices by 2020 (reference: Gartner, 2015). Intel Security
predicted the number to be in the range of 20 to 30 billion devices by
2020.
That's a lot of IoT devices spanning perhaps billions of relatively
insecure home networks across the globe. Most recently, security firms
have adjusted their predictions to nearly 50 billion IoT devices by
2020. This leads me to wonder: do we really know the prolific potential
of global IoT sprawl?
A Few Good Steps You Can Take...
Using just the above examples we could fill many whiteboards with attack
profiles and scenarios, line diagrams, and pathways to potentially
catastrophic damage. And we need to conduct this type of out-of-box
thinking to get inside the heads of bad-actors to anticipate what they
are thinking, in order to understand how they operate and adapt. While
it is unreasonable to think that home users will implement advanced
security technology found in commercial business networks, there are
some very good basic steps that everyone can and should consider to
ensure their security.
A good first step that home users should consider is locking down the
internet gateway (the router) by restricting access with a complex
password, disabling external remote management ports, disabling the DMZ
function if you don't need one, applying the latest security firmware
updates, and restricting inbound ports to only those that you really
need. Also, disable inbound ICMP requests (we call these ping requests)
so that your router doesn't respond to pings from the outside. This will
provide a level of stealth since your router won't answer to pings.
Incidentally, a ping request is among the first steps a bad actor takes
to determine which IP addresses are responsive or not. You should also
buy and install good anti-virus/anti-malware software for all of your
PCs, and keep it enabled and always up to date. You should also consider
configuring a password on your devices that share files (e.g. media,
file servers, home PCs, etc.).
Lastly, it is important to try to maintain a current and reasonable
awareness about emerging potential security threats and what you can do
to minimize them. For example, news of recent phishing attacks has been
shared on the internet, local news and mainstream media. Remember to not
click on links contained in messages from people you don't know. Even
when someone you know sends an obscure message containing a link or
attachment, think twice about clicking it since their PC could be
compromised and potentially trying to spread malware to you and others.
With respect to security and the Internet of Things, I consider myself a
"cautious IoT embracer", which means I try to understand and answer as
many of the questions presented here as I can to understand the risks,
and adapt my security countermeasures to manage them. Good security and
IoT can and will coexist. We just need to think creatively and
thoroughly as we embrace both.
I hope you enjoyed this article and hope it was helpful.
Stay tuned, and stay safe.
Ed