Internet Of Things Security Reaches Tipping Point

Billy Rios at Black Hat USA discusses TSA checkpoint systems he found exposed on the public Internet. Photo Credit: Sarah Sawyer

Public safety issues bubble to the top in security flaw revelations.

It all began more than four years ago with HD Moore’s groundbreaking research in embedded device security — VoIP, DSL, SCADA, printers, videoconferencing, and switching equipment — found exposed on the public Internet and sporting diagnostics backdoors put in place by developers.

The holes could allow an attacker access to read and write memory and power-cycle the device in order to steal data, sabotage the firmware, and take control of the device, Moore, chief security officer at Rapid7 and creator of Metasploit, found. “This feature shouldn’t be enabled” in production mode but instead deactivated, he told Dark Reading in a 2010 interview on his research on the widespread vulnerability in VxWorks-based devices.

Fast forward to Black Hat USA and DEF CON 22 last week in Las Vegas, where the dominant and overarching theme was the discovery of, yes, intentional backdoors, hardcoded credentials, unencrypted traffic, and critical systems lumped on the same network as noncritical functions, in today’s increasingly networked and automated commercial systems. And those embedded hardware weaknesses were on display by researchers who found them in cars, TSA checkpoint systems, satellite ground terminals, cell phones and networks, home automation and security systems — and even baby monitors. […]