Earlier this month, internet-of-things security once again became a big issue after researchers demonstrated how to jailbreak a Nest learning thermostat.
By plugging a USB into the thermostat, the hackers were able to upload custom code and software onto the device in seconds. The internet exploded with speculation that Nest thermostats could now be used to spy on people in their homes.
The jailbreak has its limitations. First, a hacker would need to gain physical access to the device. Theoretically, one could jailbreak the thermostat and resell the compromised device, but it doesn't mean a thief could simply break into a thermostat remotely by sitting outside a person's home. Nest also said the penetration can't impact the company's servers or its connections to the device.
But it was just one of many recent hacks of keyless cars, DVRs and connected refrigerators -- leaving consumers wondering how vulnerable they truly are.
So how real is the threat to individuals and businesses? We sat down with Eric Cornelius, director of critical infrastructure at the security firm Cylance, to put these hacks in context. Cornelius was also formerly a chief technical analyst (what he calls a "cyberninja") at the Department of Homeland Security.
While the connected home remains a potential target for hackers, Cornelius said that the threat is far more real today for big companies and utilities.
Greentech Media: After the Nest thermostat jailbreak, people are now asking how safe these devices are. What would you tell them?
Eric Cornelius: "Safe" is a bit of a nebulous word in the sense that, in my opinion, risk is a function of consequence. If we consider that when we talk about these devices, we can ask the question whether the devices are vulnerable.
Sure, they're vulnerable. I think we've seen across all types of devices -- especially new and novel ones -- that security is almost always an afterthought. I would say invariably there are vulnerabilities present and that as these devices become more popular, they're low-cost or easy to obtain. As a consequence, hackers will certainly obtain the devices and perform various security tests on them. Undoubtedly, they will fall.
[The question is] what level of consequence there is. I think there are two ways to look at the problem. The first is the consequence to the individual consumer, which, in my opinion, is not terribly high. Now, of course, as the home becomes more interconnected and more types of critical systems within the home are ultimately controlled in an automated fashion, there will be increasing consequence.
But the attack factor that worries me most is the fact that as the individual devices -- your refrigerator or your hot water heater -- start to interact with your electrical meter...they will actually provide an [avenue of] attack back into the utility, where more widespread consequences can start to happen.
I'd say at this stage in the game, it's not really clear what the long-term consequences would be, but that's what worries me the most.
GTM: How exactly would you envision an attack like that working?
EC: Essentially, there are two types of communications mechanisms in the smart grid. There is the meter infrastructure operated by the utility that enables it to automate and gather usage statistics from their consumer base. Then there's the in-home automation piece, where we're talking about Nest thermostats and smart appliances. Those two systems have to be connected because one must report data into the other.
My fear is that a Nest thermostat that was compromised by an attacker -- that thermostat must talk to the meter in order to report usage. There could be a cascading chain of vulnerabilities. Now, this is predicated on the assumption that the meters will ultimately fall victim the same way that individual devices will.
Again, if you look at the "law of large numbers" and the things we see, many devices will inevitably fall. There's research to show that some of the smart meters do, in fact, have vulnerabilities.
It just stands to reason that a vulnerability in any device that's communicating with the smart meter could be leveraged so that the attacker can put communications onto the network back to the utility where ultimately more vulnerabilities may be discovered.
GTM: A lot of the hacks have involved uploading new firmware, so hackers would need to have physical access to the device. Are there limitations to this, and what can be done with these devices given the need to be in physical contact?
EC: In most cases, you don't actually have to have physical access to the device to upload new firmware. You do have to have a presence on the same network as that device, and a vulnerability that allows you to upload firmware must be present in the device.
That being said, the types of devices we're talking about in the home automation scheme tend to have a very short physical distance. They're using a very low-power communications infrastructure, which would require the attacker to have very powerful communications medium.
So, at this point in the game, it is still a game of physical proximity. It's definitely measured in meters, not in miles. But if you look back to the days of wardriving, it's realistic to think someone could find a certain type of vulnerability in a device that had a wide consumer base just by driving down the road.
I think mostly at this point in time, attacks on home automation systems are still largely proofs of concept.
Listen to the Energy Gang's take on internet-of-things security below:
GTM: Last May, Cylance found holes in Tridium's Niagara building management system at a Google office in Australia. Then we saw speculation that hackers used an HVAC management system to hack Target and steal millions of credit card numbers. It turned out it was like a billing management system. How common are problems like that in the commercial space, particularly at very large companies?
EC: Essentially every large office building -- even every medium-sized office building -- has a semi-automated HVAC system. It's not just HVAC. There are all types of building management systems. You've got the energy management systems that help control the lights. You've got the elevators. There is a whole bunch of different systems.
The problem here is that a lot of companies dedicate tremendous amounts of resources to what they would consider their traditional corporate environment, and they simply overlook these IP-enabled systems on their network like their HVAC, their CCTV cameras or elevator control.
These devices are more and more commonly adopting ubiquitous protocols like TCP/IP and just being interconnected to the network -- without the awareness of security teams in a lot of cases. That provides an attractive attack factor. If you're a threat actor seeking to gain a corporate foothold, why not target one of these systems that's overlooked and has no security protections in place?
That's not necessarily a vulnerability. That's just a deployment issue and a lack of security awareness by whoever either a) integrated the system or b) whoever is currently operating the system. Is it a bad practice to have an unprotected IP-enabled device hooked directly to your network and directly to the internet?
In my mind, it's unjustifiable that security measures haven't been taken. There is some responsibility on the parts of the integrator and the asset-owner-operator. The big vulnerability often isn't that there is an actual software vulnerability present. It's that there is a configuration portal that was attached directly to the internet.
I don't want to make it sound like it's the HVAC vendors or it's the building automation vendors. Security is a ubiquitous problem, and [these issues] tend to be most common in smaller vendors who don't necessarily have the resources or haven't ever had necessary training. I know that sounds like a poor excuse -- anyone making devices that are network-connected should be at least vaguely aware of this little thing called "security."
The way I look at it -- and I tell all my clients this -- is that you can't have a piece of security. You can't have just a part of it. It's a very holistic solution.
GTM: Have you seen any specific security vulnerabilities from connected LED lighting systems, building energy management systems or sub-metering systems?
EC: I haven't identified any particular vulnerabilities with the adoption of those technologies; but again, they are all, essentially, IP-enabled devices on the network. A lot of times, it doesn't even require a vulnerability. The management of these devices is open to anyone with a presence on the network.
That could provide a vulnerability if someone has the ability to communicate on the network. Then they can control anything -- be it the lighting, the heating, whatever. That, in and of itself, is a vulnerability in the sense that there's a lack of adoption of security technologies on a lot of these newer building automation systems.
Nowadays, "hacking" your way through a network is a very difficult task. It's far easier to utilize things like watering-hole attacks or phishing emails. It essentially attacks the personnel who are operating the network.
GTM: Who are the threat actors these days? It's not just teenagers playing around. It's very sophisticated crime syndicates, in some cases.
EC: Well, I think every threat actor on the whole scale is active in their own realm. If you look at the gamut of threat actors as ranked by their capability, you have, as you mentioned, the 15-year-old who we refer to as a "script kiddie" who has no real capability of her own but is able to leverage tools written by more sophisticated hackers. They're going to be active, undoubtedly. But they shouldn't represent much of a threat.
Again, if you look at risk in terms of consequence, any industry that has a high level of security or an adequate security team should not feel threatened by 15-year-olds. Those 15-year-olds will stay interested in computer security, perhaps go to college, become politically motivated, and join what we call a "hacktivist" group. They'll do things like web defacements.
They're politically motivated -- so maybe if you're a drilling company or a mining company, maybe you'd be the target of these guys. Again, if they continue on the security path, they may join a more sophisticated crime syndicate that has its own goals. And then there's always the government-level attackers, which seem to be in the news quite a lot these days. But I would argue that every threat actor on the entire spectrum is active.
To hear how utilities and software vendors are thinking about security, come join us at GTM's Soft Grid conference in Menlo Park, California on September 10-11.