As humans we are unique on this small planet we live on. We’ve been blessed with an intellect that soars above that possessed by any other creature on earth (don’t tell the dolphins) and a curiosity that drives us forward on a path of continual discovery and self-improvement.
But, like a young Peter Parker, we still struggle with the most basic rule that should be applied to our obsession with progress – the need to match our growing technological prowess with a similar level of responsibility.
This is an important lesson in the case of the Internet of Things (IoT) and the security – or lack thereof – that appears to surround it at this time.
While thoughts of cops running around trying to find a six-foot-tall refrigerator in connection with the latest spam run may be a source of amusement for some, other implementations of the IoT are more Orwellian in nature – think about fitness apps and what happens with the data they collect – or downright dangerous, such as the recent Jeep Cherokee hack demonstrated by security researchers Charlie Miller and Chris Valasek.
The IoT is already here, and there’s only one place for it to go: mass market.
As more and more devices connect to the ultra-networked world we are rapidly moving into, we will likely see a rise in mismanaged security practices surrounding an ever-growing list of household appliances, gadgets, vehicles and even recreational items.
Take, for instance, the humble skateboard.
Back in my youth just about every young person I knew who came out of the theatre after watching “Back to the Future” shared dreams of Marty McFly’s hoverboarding future as they hopped onto their trusty skateboards, wishing away the years until their current mode of transport could be both self-propelled and capable of hovering in the air.
Fast forward to today and both of those wishes have just about come true in the form of the Lexus hoverboard. But those of you with more modest means may have settled upon a non-liquid-nitrogen, electric version of the skateboard.
And that, for the time being at least, may have been a mistake.
As Wired reports, massive flaws exist that allow Bluetooth-enabled skateboards to be hacked.
Security researchers Mike Ryan and Richard ‘Richo’ Healey became interested in hacking skateboards after Healey lost control of his own board in Melbourne, Australia, last year. Riding toward an intersection, Healey was unceremoniously dumped from his board when it came to an unexpected hard stop.
When the board was found to be mechanically sound, Healey began to investigate. Initially suspecting a hack, he subsequently discovered that the culprit was actually Bluetooth saturation – the area he was in was well known for radio interference due to the number of devices in operation in the vicinity.
After learning that he had fallen victim to what could be described as an accidental denial-of-service attack, Healey and Ryan decided to take what they had learned and create a real threat.
Dubbed ‘Faceplant,’ the resulting exploit is capable of disrupting and then controlling the Bluetooth Low Energy connection between a board and its handheld remote control, affording the hijacker the ability to control the speed and direction of the board, as well as apply the brakes.
Wired explained how the attack works, crucially noting how Bluetooth communication between the board and the rider’s “dead man’s” switch (a kill switch that shuts off the board when the rider releases) was neither encrypted nor authenticated:
Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.
So far, the researchers have discovered at least one critical vulnerability in boards manufactured by Boosted, Revo and Yuneec, and are working on a second exploit, dubbed ‘Road Rash’, for the latter’s E-Go skateboard.
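An added sketch (not code from this article, Wired, the researchers or any vendor) of the two controls whose absence the Wired passage quoted above describes: per-command authentication with replay protection, and a defined safe state when the link goes quiet. The frame layout, the per-pairing key, the timeout and the braking policy are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8           # assumed: truncated HMAC-SHA256 tag to fit a small BLE payload
LINK_TIMEOUT_S = 0.5  # assumed: longer silence than this is treated as link loss
SAFE_BRAKE = -30      # assumed safe state: moderate braking (negative = brake)
RAMP_STEP = 10        # change per tick, so the board never stops or lurches abruptly
DEMO_KEY = bytes(range(16))  # constructed sample key, for running the example only

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def make_frame(key, counter, throttle):
    """Remote side: uint32 counter + int8 throttle (-100..100) + tag."""
    body = struct.pack(">Ib", counter, throttle)
    return body + _tag(key, body)

class Board:
    def __init__(self, key):
        self.key = key            # hypothetical secret shared at pairing
        self.last_counter = 0
        self.last_valid_at = 0.0
        self.throttle = 0

    def on_frame(self, frame, now):
        """Apply a command only if it is authentic, fresh and in range."""
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False          # forged or tampered frame
        counter, throttle = struct.unpack(">Ib", body)
        if counter <= self.last_counter or not -100 <= throttle <= 100:
            return False          # replayed frame or out-of-range value
        self.last_counter, self.last_valid_at = counter, now
        self.throttle = throttle
        return True

    def tick(self, now):
        """Periodic control loop: on link loss, ramp toward SAFE_BRAKE."""
        if now - self.last_valid_at > LINK_TIMEOUT_S:
            if self.throttle > SAFE_BRAKE:
                self.throttle = max(SAFE_BRAKE, self.throttle - RAMP_STEP)
            else:
                self.throttle = min(SAFE_BRAKE, self.throttle + RAMP_STEP)
        return self.throttle
```

The sketch covers integrity and freshness only; confidentiality would come from link-layer encryption, which it does not model.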
Do skateboard-owning Naked Security readers need to be concerned about this attack?
Probably not – the chances of running into a skateboard hacker appear to be extremely small at this time, though the consequences of doing so could be quite painful at top speeds approaching 22 mph.
But what it does show, yet again, is how technology can sometimes appear to be running away from us.
Or at least from those companies responsible for giving it to us.
As a race, we have this desire for new, cool things all the time and that’s what drives us to innovate and advance. But where is the security to go with these new devices?
Until the companies selling these interconnected devices develop security from the start, we shall remain at the mercy of those who would attack us, steal our information or invade our privacy.
For now at least, the physical risks posed by the IoT are real but unlikely – Jeep Cherokees and easily-opened Range Rovers have been swiftly recalled and patched.
But who knows where things will go in the future.
Maybe one day, horror of horrors, we will see something really scary like, I don’t know, a sniper rifle that can be hacked to change target?
Oh. Too late!
Image of skateboarder courtesy of Shutterstock.com
IguessyouloggedmyIPanyway
Sooo 2014 :-) You should have come to kiwicon last December … the guys demonstrated their hack there & made snare flying across stage
Paul Ducklin
Note to readers: “Snare” is a chap’s name.
Cody
‘As humans we are unique on this small planet we live on. We’ve been blessed with an intellect that soars above that possessed by any other creature on earth (don’t tell the dolphins)’
Typical human arrogance in the inherent belief that humans are the smartest of every creature on this forsaken planet. Yet often enough new species are discovered. Ironically only fools will call themselves wise unchecked but so many humans seem to think that their species is above all others.
That out of the way, thanks for the reference to ‘So long and thanks for all the fish’.
And yes, IoT is a dangerous problem that unfortunately won’t be eliminated.
WSagaberd
Here’s an idea. Don’t look at it from the user’s point of view, but look at it from the manufacturer’s fiscal perspective – price, cost, and profit margin. Profit margin is what is creating most of these problems. Until digital safety becomes as important as physical safety, digital safety will continue to be ignored, sacrificed, and deemed unnecessary when cutting costs to raise the profit margin of an interconnected device.
“Get it to market for black friday/Christmas shopping season, we’ll fix the bugs later.”