In this week’s IoT cyber security and cyber hygiene podcast, we had the pleasure of interviewing Omer Shwartz, a Ph.D student at the prestigious Information Systems Engineering Department at Ben Gurion University of the Negev, and an active member of the Implementation Security and Side-Channel Lab under Dr. Yossi Oren.
His latest published paper is titled, Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, in which him and his team analyzed the practical security level of 16 popular IoT devices and discuss how to improve their security without significantly increasing their cost.
This interview is <20 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!
Could you explain a bit about the work being done at the Implementation Security and Side-Channel Lab at Ben-Gurion University?
We are a relatively new lab, but with very exciting work: investigating all kinds of side channel leakage models and implementing security. My field is mainly around hardware security, but we research and work on all kinds of metrics to get information in and out of devices that are not meant to broadcast information. Some research I’ve done under Dr. Yossi Oren include a phone case that can exfiltrate phone data (location and conversations) while the user is unaware, and a project on how replacement touch-screens could be malicious and used to harm or spy on users.
How did you first get involved in cyber security and hacking, were you always breaking things?
Yeah, actually (laughing) since I was little I liked looking into things and figuring out how they work. I’ve been in the hacking community for around 15 years and always had an interest in hacking and cyber security before it became a really big and known issue as it is today. Cyber security always interested me, it’s like a hidden thing that really affects our world, and nobody really talked about it until recently, and it has a long way to go. There are so many threats that we have not seen yet, and that’s why I’m a part of this lab and studying towards a PhD, because I think there is so much to discover.
If cyber security has a long way to go, it’s probably because of the exponential growth of IoT devices, right?
IoT devices are a really big part of it. Nobody cared about cyber security before, but now that we have all these phones and IoT devices, everybody suddenly realizes that these things were never designed to be secure -they use infrastructure that was not designed to be secure.
It’s a really good place to be, from an Academic point of view, because there is so much to invest and research everywhere.
Share with us some details behind the research you conducted with Asaf Shabtai, Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, what was the thought process that went into it?
A friend of mine had hundreds of IoT devices for some cyber security research he was conducting and, out of curiosity he asked me if I could find any vulnerabilities in them, we didn’t think of writing a paper about it.
We began taking devices apart and looking inside and noticed that all the devices were really insecure. Many, if not most, IoT devices sold today can be accessed remotely with a default password, which is usually really simple.
But we also looked into what happens when an attacker has one of your networked devices, using it as a gateway to get network information and access. So we wrote a really comprehensive analysis of the devices’ vulnerabilities and compiled a large array of techniques used, some of them already known, but gathered in such a way as to allow other people to try them and see if their devices are secure.
Other than easily and cheaply cracking the passwords stored in these devices’ hash and creating our own Mirai botnet with them, we found vulnerabilities such as devices holding private communication key in the file system. Anyone that gets that key can listen to the device’s communication. It’s really bad security practice, but it seems that in IoT the most important thing is getting a product to market and not securing it properly.
What would be your recommendations for IoT manufacturers?
I’d start with not having hard-coded easy passwords and completely disabling remote-access. Also, nobody considers attackers with access to your device, but devices should be built in a way that make it harder to reverse-engineer -this is a difficult problem, but at least it shouldn’t be so easy to reverse-engineer. All the devices we used were really easy to reverse-engineer, they have special ports in the board that allows us to connect and communicate with the console quite easily, and that’s something that shouldn’t be on a production board, just on a development board. We were actually able to get all of our information because most of the devices’ debug ports were open, which combined with weak passwords, gave us full access to install our own software. So my recommendation is to disable the debug and WRT ports, and strong passwords hashed with strong algorithms.
What would be your cyber hygiene recommendations for technology consumers?
You know, they always say that humans are the weakest link in the cyber security chain, and this is correct in a way. I would recommend strong passwords, because the current way people use them today is incorrect, they should be long and hard to crack – and one should never reuse passwords to avoid bigger problems.
When it comes to IoT devices, I would recommend staying away from unknown manufacturers. I hope some of my research will lead to consumers and researchers using our techniques to inspect their own devices and realize what is in there, and whether they are secure or not, giving power to the consumers to understand what is being sold.