Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts
by Nitesh Dhanjani
ISBN 978-1-491-90233-2 .
Reviewed by Richard Austin 9/18/2015
We've gotten de-sensitized to software vulnerabilities - they're out there, they get exploited and eventually they get patched. Nitesh asks a very good question: Will we be quite so blasé when software vulnerabilities start to maim and kill people? It got my attention and he follows it with an extensive examination of just how immature the world of Internet of Things (IoT) security currently is. The beauty of this book is that he doesn't treat us to a rehash of media reports but walks through detailed examples based on light bulbs, door locks, baby monitors, "smart" TV's and even automobiles.
You'll likely be struck with an extreme case of déjà vu as you see many of the perennial favorites (buffer overflows with strcpy, hardcoded credentials, passwords stored in clear-text, poor crypto implementations, etc.) that you may have hoped we were so very much past.
A complicating fact is that the "Things" in IOT hardware and may, for example, lack the capability for accepting software (actually firmware) updates so that remediating a vulnerability may require replacing the device itself.
Nitesh makes the important and disturbing point that these issues are arising not because of a lack of engineering capability or talent but a basic lack of understanding of what is involved in deploying a product with some hope of surviving in a hostile world.
After six unsettling chapters illustrating how bad things are today, he presents an excellent chapter on "Secure Prototyping" using the "littleBits" and "cloudBit" platforms. This would be an excellent technique for engaging with engineers responsible for design and development of IoT products to illustrate security issues. For those involved in academia, it would be a good basis for introducing students to IoT security (even if they have minimal hardware skills).
Chapter 8, "Two Scenarios - Intentions and Outcomes", should not be ignored as it presents a clear object lesson for cyber security professionals when talking technology and associated risks with the "business side" of the house.
Though our profession is still trying to digest "BYOD", we cannot afford to ignore the potentials and risks of the IoT. We are moving to a world where everything is potentially capable of connecting and communicating with everything else. Very bright people are focused on vision and functionality and it is our challenge to temper that exuberance with consideration of security. And that consideration of security will require innovation on our part - requiring a password to adjust the output of a drug pump in real time seems like security 101, unless adjusting that dosage RIGHT NOW is required to save a life and delaying the adjustment due to the health care professional not knowing the password is unthinkable. Nitesh's book is a wake-up call to both the designers of IoT environments and the security professionals who must work with them to overcome the challenges in this brave new world.
Buy the book. Read the book. Bring the same creativity to designing security into the IoT as is going into building it.