Butt plugs are safe to use

Worst mistakes in IoT and what product developers can learn from them

Mirko Ross June 5th, 2018

This joke is already a classic: "The S in the abbreviation IoT stands for security." The Internet of Things, or IoT for short, is a relatively young discipline that has unfortunately already acquired a dubious reputation for security. That this is the case lies literally in the nature of "things". Internet of Things products have a high degree of complexity, with many pitfalls for experienced and inexperienced developers alike. In addition, the vertical range of manufacture of such products requires the cooperation of many technical experts, suppliers and service providers. Errors at the expense of security and data protection are virtually inevitable in such a complex discipline. But developers and companies can learn from spectacular mistakes of the past in order to build better and safer products in the future, so it pays to take a closer look at those mistakes.

Why many smart locks are especially smart for burglars

There is a need for smart locking systems in certain applications. For example, customers of a bike sharing provider should be able to unlock the booked bike using an app; in fact, the smart bike lock is an essential component of the success of bike sharing. And yet smart lock systems are by far the most unsuitable IoT product that one can develop, or purchase as a customer. The reason for this is the basic product property of a lock. Secure mechanical locking requires sophisticated technology and a lot of knowledge. With the first drop-bolt lock in the third millennium BC, the desire to crack locking systems arose at the same time. Secure locking systems are based on the experience of over 5,000 years of human cultural and engineering history. Today's secure mechanical locking systems are a masterpiece of technology and materials science, with complex and sophisticated engineering. Building a reasonably secure lock is a masterpiece in itself. Making such a lock "smart" adds a further set of complex properties to an already complex mechanical system: radio technology, electronics, transmission protocols, embedded software, app software and cloud stacks. A task that is complicated by nature becomes even more complex through the Internet of Things. That is a difficult position when the whole purpose of the smart thing is to provide security.

At the Defcon 2016 hacker conference, security researchers showed that 12 out of 16 smart locks could be opened via weaknesses in their Bluetooth implementation: three quarters of the products examined. The frequent weaknesses: the radio communication between the lock and the mobile phone app was either not encrypted at all, or encrypted incorrectly or insufficiently. With the help of common Bluetooth sniffers, it was possible to eavesdrop on the communication while the app was being operated, and passwords and procedures for opening the lock could be extracted. Click. Lock open. In addition to these errors in the software implementation, mechanical weak points add further security gaps. A high-priced smart padlock for 120 euros can be cracked within a few seconds with two pieces of tinplate from a cola can worth 0.79 cents. Like the Bluetooth attack, this method leaves no traces and is even faster. Secure smart locks are therefore the supreme discipline among Internet of Things products, as both hardware and software development require an extremely high level of security knowledge.

The eavesdropping bug in the nursery

The combination of app and toys enables completely new play worlds. Video gaming and physical gaming combine to create an augmented gaming experience that creates added value and makes playing fun. That is why there are increasingly smart toys in children's rooms. Essential features of smart toys include built-in cameras and microphones that enable audio-visual interaction with the toy. With this, for example, a doll can answer questions put to it. In addition, more or less sophisticated speech analysis via cloud services is used. This means that the smart toy exchanges data in the background with a large number of linked services. The protocols and interfaces used are mostly based on common REST interfaces to cloud stack architectures, which in turn offer a variety of standardized attack options. In addition, the smartphone serves as a gateway to the cloud service for communication, with Bluetooth being used to transfer data between the smartphone and the toy, with the pitfalls of Bluetooth connections that are already known from smart locks.

The smart networked toy thus becomes a complex application with numerous services that have to be secured. A loophole or incorrect implementation in one part of the chain leads to insecurity in the entire application. Since we are dealing with microphones and cameras in private rooms, there is a risk that the smart toy could turn into a bug through unauthorized data access and thus seriously infringe on privacy. In 2016, the American Consumer Protection Agency issued an official warning about connected toys. The reason for this was a series of spectacular hacks of toys and their networked cloud services.

  • Data sets of over 6.4 million children and 4.8 million adults were captured by hackers who broke into the cloud databases of a leading toy manufacturer from Hong Kong. The weak points here were classic SQL injections, paired with insecure API connections without transport encryption.
  • Hackers captured over two million voice messages between parents and children from the servers of an Australian manufacturer of cuddly toys. Here too, the sensitive data was saved unencrypted in a cloud database that could be accessed without authentication. For the data theft, the attackers only had to analyze the unencrypted HTTP communication between the smartphone app and the cloud service on the network. A lack of encryption when handling sensitive data leads to serious security gaps and data protection violations.
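The first of these breaches names string-built SQL as the entry point. The following added example (Python; not code from the article or from any manufacturer it mentions) puts that defect next to the parameterized query that fixes it, against a constructed in-memory table standing in for a toy vendor's parent database. The table, its rows and the probe string are all made up for the example.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a toy vendor's cloud database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents (email TEXT PRIMARY KEY, child_name TEXT, pin TEXT)")
    conn.executemany(
        "INSERT INTO parents VALUES (?, ?, ?)",
        [("a.parent@example.com", "Lina", "4711"),
         ("b.parent@example.com", "Tom", "0815")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before': the caller's input is pasted into the SQL text, so quote
    characters in the input change the meaning of the statement."""
    sql = f"SELECT email, child_name FROM parents WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a placeholder makes the driver pass the value as data, never as
    SQL, whatever characters it contains."""
    sql = "SELECT email, child_name FROM parents WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> tuple:
    """Row counts for a legitimate address and for a constructed probe string,
    first through the vulnerable lookup and then through the hardened one."""
    conn = build_demo_db()
    legit = "a.parent@example.com"
    hostile = "x' OR '1'='1"          # constructed probe string, not a real address
    return (
        len(lookup_vulnerable(conn, legit)),    # 1: the matching row
        len(lookup_vulnerable(conn, hostile)),  # 2: the whole table leaks
        len(lookup_hardened(conn, legit)),      # 1: the matching row
        len(lookup_hardened(conn, hostile)),    # 0: no such email, nothing returned
    )


if __name__ == "__main__":
    print(demo())
```

The same placeholder discipline applies to every database driver and ORM, and it is the fix the page's first bullet calls for; the transport-encryption half of that bullet (TLS on the API, not plain HTTP) is a separate control and is not shown here.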

Privacy with smart love toys

The security risk to data protection and privacy is even more sensitive in the case of products that are primarily intended to enrich one's love life. There is clearly demand for connected, smart sex toys that can be controlled by app, alone or together with a partner. Built-in microphones and cameras are designed to enrich this augmented love life.

In essence, such products are complex application systems that penetrate deep into the privacy of the user, not only literally but also practically. The hardware of smart sex toys is mostly supplied by manufacturers in the Far East, enriched with apps and cloud services by companies in America and then also delivered to consumers in Europe. Numerous security problems arise: from insecure WiFi passwords in the built-in hardware, through unsecured wireless connections via Bluetooth, to the unencrypted transmission and storage of sensitive data in cloud systems.

An example of a lax approach to security is the case of a "butt plug" - let's neutrally call the product a "plug" - from a Chinese manufacturer who also sells in Germany. This sex toy uses a Bluetooth connection to the smartphone to exchange data. The intensity of the vibration can be set with the help of an app. In addition, the app lets users exchange messages via a chat. The smart plug is meant to become a shared experience. Unfortunately, the manufacturer has significant security problems in several places in the application system. Let's start with the Bluetooth pairing routine between the plug and the smartphone. The sex toy can be paired, i.e. connected, from any end device without authentication. Instead of the smartphone app, for example, the hardware will just as readily connect to a computer that establishes the Bluetooth connection. So anyone with a laptop within ten to fifteen meters can establish communication with the plug. Moreover, the Bluetooth protocol between plug and smartphone is implemented completely unencrypted. With knowledge of the appropriate Bluetooth classes, commands, for example to start or to increase the vibration, can be sent: attackers can control the device from outside. The app's sex chat function, in turn, runs over an unsecured Internet connection using the Jabber protocol and is susceptible to man-in-the-middle attacks. Attackers can not only read the chat in plain text, but also obtain meta information such as the user's email address and product number.
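The two device-side failures described above, pairing without authentication and accepting unauthenticated commands, have a compact fix. The following added Python sketch (not the manufacturer's code; the `Plug` and `Phone` classes, the frame layout and the pairing key are all constructed for the example) shows challenge-response authentication at connect time plus HMAC-tagged command frames carrying a monotonic counter, so that a laptop in range without the pairing secret can neither pair, control the device nor replay a captured command.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed pairing secret for the example; a real product would provision
# one per device at manufacturing or derive it during a PIN-based pairing.
PAIRING_KEY = bytes.fromhex(
    "6f3c2a1b9e8d7c6b5a4f3e2d1c0b0a99887766554433221100ffeeddccbbaa99")

CMD_SET_VIBRATION = 0x01
FRAME_BODY = struct.Struct(">BBI")   # command, value, 32-bit counter
TAG_LEN = 32                         # HMAC-SHA256 tag


class Plug:
    """Device side: only a peer that proves knowledge of the key may send commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._challenge = None
        self.authenticated = False
        self._last_counter = 0       # highest counter accepted so far
        self.vibration = 0

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def verify_response(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, b"pair" + self._challenge, hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(expected, response)
        self._challenge = None        # a challenge is usable exactly once
        return self.authenticated

    def handle_frame(self, frame: bytes) -> bool:
        """Accept a frame only when paired, the tag verifies and the counter is fresh."""
        if not self.authenticated or len(frame) != FRAME_BODY.size + TAG_LEN:
            return False
        body, tag = frame[:FRAME_BODY.size], frame[FRAME_BODY.size:]
        expected = hmac.new(self._key, b"cmd" + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False              # forged or tampered frame
        cmd, value, counter = FRAME_BODY.unpack(body)
        if counter <= self._last_counter:
            return False              # replayed or reordered frame
        self._last_counter = counter
        if cmd == CMD_SET_VIBRATION:
            self.vibration = value
        return True


class Phone:
    """App side: answers the challenge and tags every command with a rising counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def answer_challenge(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, b"pair" + challenge, hashlib.sha256).digest()

    def build_frame(self, cmd: int, value: int) -> bytes:
        self._counter += 1
        body = FRAME_BODY.pack(cmd, value, self._counter)
        return body + hmac.new(self._key, b"cmd" + body, hashlib.sha256).digest()


def demo() -> dict:
    plug, phone = Plug(PAIRING_KEY), Phone(PAIRING_KEY)
    stranger = Phone(b"not the pairing key")   # a nearby device without the secret
    result = {}
    # Without the key the stranger fails pairing, and its frames are dropped outright.
    result["stranger_paired"] = plug.verify_response(
        stranger.answer_challenge(plug.new_challenge()))
    result["stranger_frame"] = plug.handle_frame(stranger.build_frame(CMD_SET_VIBRATION, 9))
    # The legitimate app pairs and its first command is applied.
    result["paired"] = plug.verify_response(phone.answer_challenge(plug.new_challenge()))
    frame = phone.build_frame(CMD_SET_VIBRATION, 5)
    result["first"] = plug.handle_frame(frame)
    result["replay"] = plug.handle_frame(frame)                     # counter not fresh
    result["forged"] = plug.handle_frame(
        stranger.build_frame(CMD_SET_VIBRATION, 9))                 # wrong key
    result["tampered"] = plug.handle_frame(
        frame[:1] + bytes([9]) + frame[2:])                         # value changed, tag stale
    result["vibration"] = plug.vibration
    return result


if __name__ == "__main__":
    print(demo())
```

This sketch only authenticates the link and the commands; the article's separate point, that the traffic itself was unencrypted, is not addressed by it. In a shipping BLE product the equivalent would be the stack's own LE Secure Connections pairing with passkey or out-of-band association, with application payloads additionally protected by an authenticated cipher rather than a bare MAC.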

Conclusion: what can developers and companies learn?

Internet of Things products are complex. But if you pay attention to a few basic points, you can avoid the worst security mistakes. These include:

  • Protect the hardware from unauthorized access and misuse. This is mostly a task that needs to be solved in the physical product design.
  • Only save passwords in the embedded controller in encrypted form.
  • Establish radio connections only with authentication.
  • Always exchange encrypted data via radio links - WiFi or Bluetooth.
  • Always save data on smartphone apps in encrypted form.
  • Connect to cloud services only via authentication, e.g. OAuth.
  • Always store data in cloud services in encrypted form.
  • Only collect and save data that is really needed for the application.

And last but not least: think three times about whether the product really needs a connection to the Internet at all.
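For the second item on the list, an added Python example (not from the article) of what keeping a password on the controller without its plaintext amounts to in practice: a salted scrypt derivation stored together with its parameters, and a constant-time check of a candidate against it. The PIN value and the cost parameters are constructed for the example; a constrained microcontroller would choose the largest cost its RAM allows.

```python
import hashlib
import hmac
import secrets

# Constructed cost parameters; scrypt needs roughly 128 * n * r bytes of RAM,
# so these (16 MiB) suit a gateway or cloud side more than a small MCU.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def store_secret(plaintext: str) -> dict:
    """Return the only things the controller should keep: a random salt, the
    derived hash and the parameters used. The plaintext is not part of it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(plaintext.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_secret(record: dict, candidate: str) -> bool:
    """Re-run the derivation with the stored parameters and compare in
    constant time, so timing does not reveal how many bytes matched."""
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=KEY_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> tuple:
    """Correct PIN verifies, a near miss does not, and the plaintext never
    appears in the stored record."""
    record = store_secret("setup-pin-2481")      # constructed setup PIN
    return (
        verify_secret(record, "setup-pin-2481"),
        verify_secret(record, "setup-pin-2480"),
        "setup-pin-2481" in "".join(str(v) for v in record.values()),
    )


if __name__ == "__main__":
    print(demo())
```

Because the salt is random per record, two devices provisioned with the same PIN store different hashes, which is what stops a single leaked record from unlocking a whole product line.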

Mirko Ross

Mirko Ross is an internationally recognized activist, expert, public speaker, publicist and researcher in the field of cybersecurity and Internet of Things.