Security Embedded is 15+ years of experience in building secure systems. Learn more about how we can help you by exploring Phil's blog or contacting us.

Breaking Bad(ly designed hardware)

Hardware is magic. Software is scary. Together they are a horrifying monster. This monster will bend to the will of whoever has the magic incantation to control it.

Ten years ago most people carried a simple candy bar phone. Texting was awkward (or magnificent, depending on perspective), relying on T9 word recognition, limiting us to short messages. Ten years ago Facebook was for students enrolled in college only.

Ten years ago you'd only hear about geeks automating their homes.

It's 2016. Now we write eloquent soliloquies in text messages. Smart phones give high-end PCs of a decade ago a run for their money. Instagram, Twitter, Facebook all have jammed culture to the point that they even show up in art. 'Swiping right' is now the parlance of our times. Connectivity is no longer a luxury, it's mandatory.

But I digress... this is a blog about the Internet of Things. This isn't an IoT lifestyle blog, nor a how-to blog. This is not a blog seeking to espouse some kind of vision about the IoT. No, this blog is about security. Now hold on, before you reach for that back button, hear me out...

The IoT has modest roots, in industrial control. Would one argue that the Prodac 50 controller for the Westinghouse Sign in Pittsburgh was IoT? The pedants in the crowd would (correctly, by my count) argue not. But think of it this way: it's an ancestor of the modern PLCs. PLCs today control signs, lighting, factories, power plants and other infrastructure. Many of them connect to IP networks, enabling complex decision making, continuous monitoring and sophisticated control of the physical systems involved. PLCs are expensive though, and complex to use.

Time for a Gedankenexperiment. What if the Westinghouse Prodac could report its status and accept basic commands via an RS232 or 20mA current loop interface? And say some enterprising engineer in the 2010s opted to connect that interface to an IP gateway that allows external apps to periodically get status updates and inject commands into the computer? This sounds like a piece of the IoT puzzle.

IoT is about more than industrial systems. Smart control of light fixtures, heating, cooling, appliances, sprinkler controllers, etc., are all available now in your home. Your smart phone is a hub allowing for setting policy. When should lights turn on/off (and what color should they be), how hot/cold your home should be (hell, make it a curve so it ramps over the course of the day)... all the power you could want, at your fingertips. Be your very own Home Despot!

Guess who else benefits from this? Let's call them 'malfeasant actors' -- hackers in the media lexicon. Policy wonks are focusing on securing control infrastructure for dams, the power grid and nuclear power plants. But vendors are regularly adding new features to the connected LED light bulbs and remote-controlled power plugs in your home. Maybe your IP-connected plug doesn't control anything mission critical (depends on how one views their Hitachi Magic Wand), but today everything is a vector.

Maybe your power plug controller becomes a part of a botnet. Evildoers in my sprinkler controller?! Denial of service attacks from my home using my wireless light bulbs? Welcome to the hazard of ubiquitous connectivity -- bad people get it, too.

But this isn't critical infrastructure, right? No, this is just your home -- attacking critical infrastructure.

Principia Securitas: How to Mitigate Threats