Checkmarx Launches Infrastructure as Code Scanning Solution to Secure Cloud-Native Applications: KICS

Internet of Things (IoT) – Hack My Home

Once a luxury reserved exclusively for the uber-technical or super-rich, the Internet of Things (IoT) phenomenon is invading our private dwellings at an astonishing pace. This revolution has basically connected all commonly used home appliances to the internet. Tech giants worldwide are investing a lot of resources in creating their own Internet of Things (IoT) eco-systems. Unfortunately a lot of this is happening in an unprotected manner, putting millions of people and homes at risk.


InfoSec expert Samy Kamkar has years of experience in exposing vulnerabilities and in websites, smart appliances and gadgetry. He burst onto the AppSec scene with his Samy Worm, the world’s first self-propagating cross-site scripting (XSS) worm, which was planted in the MySpace portal in 2005. There was no looking back after that. He also created Evercookie, JavaScript-based malware that produced zombie cookies in web browsers.


“If a hacker can upload new firmware onto the scale via the scale’s website, that means they can pivot from the scale on my internal network to other computers or devices on my network,” Kamkar told Checkmarx in an exclusive Q&A.


The Smart TV – The Primary Vulnerable Home Device


The most common internet-connected home device today is the smart TV.  These gadgets are like tiny computers, with complete WiFi access and applications that require the inputting of sensitive private information (email IDs, phone numbers, names and more). This sensitive data is often unprotected and can be harvested easily.


Unlike the dedicated smartphone app-stores (Google Play, App Store, etc), there are no regulations whatsoever for Smart TV apps. Not only are security protocols absent, manufactures give developers the SDKs with no real security policy. Hackers can hence easily gain access to innards including the file I/O and the screen/app control API.


In other words, all Smart TV apps today are running with complete “root” access. If the installed app has application layer flaws, not much can be done to prevent data and identity theft. Smart TV can also be infected via their vulnerable built-in web browsers. This is because they typically use insecure webkit and flash with a wide range of old libraries.


The Outer Limits: Hacking the Samsung Smart TV. Courtesy: HackersOnBoard


Hacked Smart TVs can lead to the following compromises:


  • Identity theft and harvesting of sensitive account information.
  • Commercial espionage – monitoring of usage behavior and patterns.
  • Hacking into the built-in camera and microphone on the Smart TV to record footage.
  • Key-logging and capturing of sensitive screenshots.
  • Hijacking of TV programs.


Smart Home IoT Extends into the Kitchen and the Bedroom


Refrigerators also have gotten smarter. Users can not only control all aspects of their functioning, but now can use the screens of the devices to surf the web, read emails and stream video. Many models can be controlled remotely with smartphones. The bad news is that the apps used in these systems are not always developed securely.


Proofpoint uncovered a high scale Internet of Things (IoT) attack that included no less than 750,000 phishing and spam emails that were hurled from a wide range of smart devices, mainly smart refrigerators and ovens. The exploited smart devices were unable to provide and resistance and most owners had no idea about being targeted.


The bad news is that more and more kitchen appliances are getting smarter. Smart ovens can be connected today to the internet and controlled remotely using smartphones from miles away. The apps used in these systems are simply not developed securely. Software with malicious payloads often find their way onto the devices to create havoc.


Hackers Crack Smart Door Lock via Insecure WiFi. Source: ALS Security Solutions


While offering high levels of functionality and customization options, the security levels in the IoT space are far from satisfactory. Many smart devices are not password-protected and the transferred data is rarely safeguarded with adequate encrypting measures. To make matters worse, sensitive private data is stored unsafely on the devices.


Implementing the OWASP Top 10 in IoT Application Development


Smart usage of the IoT devices is important and helps fight off hacking attempts. Some of the basic of user-end security steps we all should take include:


1 – Changing the default passwords commonly used by IoT devices (1111, 0000 or 1234).
2 – Using strong/complex passwords and changing them on a regular basis.
3 – Keeping an eye on the devices and looking for irregular behavior patterns.
4 – Using a minimal number of device access ports, such as USB and network ports.
5 – Using only a secure local WiFi network and staying away from open public hotspots.


Some of the OWASP based security measures that all IoT application developers must take are:


1 – Prevent Brute Forcing – Malicious attackers can use a wide variety of automated methods to guess passwords and hack into systems. The IoT application should simply be able to block malicious access after a predefined number of login attempts are made.


2 – Disable Use of Default Password – All IoT hardware should be programmed to enforce a “default password change” during the initial setup process. Developers should also enforce the use of strong passwords and implement password expiry dates.


3 – Store Credentials Securely – All private data should be encrypted and stored in a secure manner. These credentials should also not be exposed over the network traffic. Strong transports encryption should be used where cloud systems are involved.


4 – Secure Updating Mechanisms – IoT devices need to be updated constantly (new features, security patches, etc). The software should be able to process update files in an encrypted manner, after they are validated before implementation using signed files.


But these steps won’t help much if the application has bad code integrity. Real IoT security can be achieved only when secure application code has been developed, keeping away dangerous vulnerabilities that appear in the OWASP Top 10. These include vulnerabilities such as SQL injections, Cross-Site Scripting (XSS) and more.


This can be achieved by developing applications in a secure Software Development Life Cycle (sSDLC). Security can be implemented in the form of Static Code Analysis (SCA), a SAST methodology. This solution usually sits directly in the developer IDEs, allowing the automating of the security process and enabling the early elimination of application-layer vulnerabilities.


As evident in the infographic below, the organization saves a lot of money, time and resources when vulnerabilities are detected and eliminated in the development stage.


Static Code Analysis (SCA) and IoT



Smart Home Technology Has To Be Secure


American Information Technology firm Gartner estimates that over 25 billion smart devices will be in use by 2020. This means that malicious attackers will have infinite hacking opportunities unless a pro-active security approach is adopted by the all leading manufacturers. The war against cybercrime starts with secure application code.


“IoT security is going to require some new solutions. It’s a new area that will become ubiquitous in people’s homes and will carry its own set of risks along with features.” Kamkar stresses. “I’m all for new features but as we implement these, it’s important to pay attention to the security implications. This is not really happening right now.”


A good example for secure IoT development can be found with Apple’s proprietary IoT platform, HomeKit. Apple aims to make all home devices work with its mobile software (iOS 9 and above). For full Apple compatibility, manufacturers with have to use certified chipsets and specialized firmware that has been developed with security in mind.


The grey area has to be minimized. Once applications are developed securely and have high code integrity, smart devices will become safer to use. The Internet of Things (IoT) revolution is nothing to be feared from as it offers numerous operational benefits, but vulnerabilities have to be eliminated from the root – the application code.


To read our OWASP Top 10 for IoT Explained whitepaper – Click Here



Jump to Category