SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

How Many Lightbulbs Does It Take to Change the Internet?

Posted on September 13, 2017

We know that an unsecured Internet of Things (IoT) thing like a light bulb or a web-connected picture frame can become part of a botnet or a dedicated denial of service attack. And we know this because everybody says it’s so. But how does that happen? That’s the topic of today’s show.

We did an Internet of Things episode. I know that an Internet of Things thing that is not secured can wreak havoc, but what I don’t understand is how. So, I guess, first go through the part where my light bulb can destroy the universe.

To start with, an attacker will need to get access to your light bulb – provided the light bulb is plugged in, turned on, and has a known vulnerability (be it private or public knowledge that a security researcher or hacker has discovered such a vulnerability). What’s more, you would have left it at its default settings. Often you need at least a username and password combination to make changes on these devices. When the authentication details are known, a hacker could get further than just turning the lights in your house on and off. They can take over the light bulb and make it do stuff that it was never intended to do. What’s more, they need to know that you have said light bulb in your house.

Finding Vulnerabilities

That’s right! So how do they gain that knowledge? If they are not coming into my house and checking my light bulbs – how do they know? Well, if I don’t know that I have an unsecured Internet of Things thing, how does somebody else find that out?

Basically, there is software out there that will run through the IP addresses (Internet Protocol addresses) of anything connected to the Internet. And depending on the complexity of the software, such a search of all devices connected to the Internet can happen in an incredibly short time. They’ll scan specifically looking for the fingerprint of that light bulb. There are certain ports that are open or a particular response that the software will get back, that can indicate that it is this or that light bulb.

There are people running these scans every day all around the world. If you have a look at your firewall’s log, you’ll generally see that it is blocking a lot of the scan attempts from all around the world. It’s not just one person doing it; there are hundreds, thousands of people or automated systems doing this on a daily basis to find holes such as our light bulb.

And they’ve even built search engines for things like this – for example, Shodan – it’s like Google for vulnerable systems.

There was a lot of talk a few years back of industrial systems such as power plants and water filtration systems that are all connected to the internet. The search engine allows you to specify what kind of internet-connected system you want to find. So people could find, for example, power plants with a vulnerability. It means it’s really easy to locate such a system without having to scan for it yourself.

When you open the website, it says “The search engine for power plants” and then it rotates through Internet of Things, refrigerators, security, webcams, basically anything that is connected to the internet that they could build signatures on.

So, let’s consider two issues here:
1. How can a light bulb do other things?
2. Is the issue the light bulb or the general security? Is it because I haven’t updated my light bulb? Shouldn’t it be that if my router is secure, my light bulb should be secure?

It’s the chicken and egg scenario.

How secure is secure?

A lot of companies who sell these devices don’t care about security – either because they just don’t or because they can’t afford to care about security. In essence, it might not be possible for you to secure the device. You would have to find and install any available updates – they would probably not be pushed to your device.

If you do have a secure router that will only accept connections from your local network, you’ve greatly increased your security. The downside is that some devices are not set by default to only connect to your own network. There were some webcams some years back that were set to connect to a peer-to-peer network of webcams so you could see other webcams around the world. What’s more, it didn’t really tell you that it was going to set up that way. Therefore, your webcam was by default set up to connect to the outside world, giving a convenient foothold for the bad guys.

The other possibility would be if your router has a vulnerability.

Updates

And when is the last time that you logged into your router to check and see if there is new firmware for it? Do you think that your cable provider is doing updates?

They do – but of course not all of them. All the major providers are. The modem has the ability to automatically check for updates and install them on its own. If you are talking about a local Mom and Pop kind of ISP, the possibility is greater that it is not set up for an automatic system update.

Think of smart TVs: once your model is outdated, they are not updating the firmware for it anymore. They are saying to you that they hope it will still connect to the APIs that you want to work with the device but no longer give you any guarantees. And it’s only when your apps stop working that you start asking questions.

The only incentive that the major providers have to keep your router up to date is probably because you are paying them a subscription. Beyond that, there is not much incentive for the hardware manufacturer to keep a device up-to-date.

Of course, there is the human element of the consumer as well. Perhaps, you’ve configured your device to not accept remote admin services or updates, because you felt you want to be in control of that and will remember to do the relevant updates.

A matter of choice

There is another issue in that for most people there is not much choice when it comes to cable providers. Often there is just one provider in your area. Think of Yahoo: even though they knew about the hacks (of as many as a billion records!), they did not say “boo” to their clients. We don’t know if that was because they figured it’s not important or if they wanted to avoid the bad press, yet they are big enough that they’ve survived the subsequent fallout. Their reputation may have taken a hit, and they may not be as good as they used to be. But say you switch over to (I’ll use a fake ISP name here because I don’t want to name a specific company) Giant City Cable: if there is a security issue, you may be able to switch to another provider, but our choices are really limited.

There is a certain amount of trust that we place in these ISPs – even though we have limited choice and our decision is driven by cost and other factors as well.

I use a Mac and an iPhone that are good at letting you know when they need updates. The question with a light bulb, however, is that it has no screen where it could flash a message to say that it needs an update. So, does it become my responsibility to find out where these updates are kept and go there once a month to download them?

It’s not as if you interact directly with the light bulb – you are probably using third-party software to interact with the device, such as HomePod or the manufacturer’s app. Some companies that sell security cameras, for example, offer the option of an email alert service, but they use the same list to spam you with their ads. Thus, it’s a mailing list that you will no doubt unsubscribe from in a hurry. For the marketing people, it seems too easy to not use the list of names while the security guys are probably going, ‘but that won’t work.’ That’s why it’s so important to have segmented lists for your customers.

Most of these devices have their own apps to interact with the things. One of the light bulbs I use will let you know that there is an update and you have to push the update to the light bulb via your wi-fi network.

Presumably, there is another possible vulnerability in the app itself. You certainly need something to interact with the light bulb. Otherwise you would just screw in a normal light bulb and flick the switch like a caveman.

If you buy a $10 light bulb from, say, Walgreens – and I hate to use a real name, as I don’t want anybody to say, “Oh, those light bulbs at Walgreens are terrible.” I don’t know anything about the light bulbs they sell or indeed if they sell smart light bulbs. But, should you buy a $10 light bulb and say, “hey, go download our app”, you will probably do that. But that is exactly where the issue comes in: you will be downloading an app from a company that you don’t really know and should probably not trust, even though it’s been through the iStore review process. But you still don’t know exactly what is happening with that app.

Add a level of compliance

What I am suggesting is that you use an alternative such as HomeKit. I have many Apple devices, and in my experience, they are a company that I can trust. They sell HomeKit. There are certain hoops that companies have to jump through to be HomeKit certified. Is HomeKit enough for me? I mean, can I stop worrying if all my smart devices play well with HomeKit? Does that mean I can breathe a sigh of relief and live like a Jetson?

I wouldn’t say you could totally relax until there is some way to say that this device has passed the regulations of so and so governing body. And of course, there is no such governing body or central consortium that is making sure that everybody is playing by the rules. That’s why something like HomeKit is the best we have. You will at least know that the companies that went to the trouble to meet the HomeKit standards have already shown that they care enough about security to bother becoming certified. That would certainly make me feel more secure.

There’s a whole other side of this conversation that we need to have.

But it’s only a light bulb

That’s how I keep my light bulb secure. But my light bulb lights my room, or if I have a fancy one, my light bulb changes the color of the light in my room. And that is still what I think of my light bulb as doing. How is it that my light bulb can become part of a dedicated denial of service attack? How is my light bulb sending SPAM email to people? It’s a light bulb!

But it’s connected to the internet.

So what though? Yes, it’s connected to the internet, but it’s still a light bulb. I mean what is the hidden power there where it goes from illumination to world domination, let’s say?

The hidden power is that your smart light bulb is not just a light bulb. It’s a little computer. It has a little chipset in there, to run it and make the different colors happen. It can, however, do a lot more, and that is because of the way things work with mass production.

Mass production

You are a company, and you want to build a smart light bulb. What’s the cheapest way to source my parts? Creating your own chipset for the light bulb will be prohibitively expensive unless you are a really big company, unless you’re the Nest of light bulbs who can say I am doing this from A to B – it’s all in-house. So, if you are just a small company, you will buy a general use chipset that can do what you want to do but can also do other stuff because it’s made for general purpose use. It’s also really cheap because it’s been made in massive quantities and is available at wholesale pricing.

So are you saying that the same chip that powers my Android tablet or burner phone could be cheap enough that that is what is powering my light bulb? So, while it’s only being used to power your light bulb, it could, in theory, do much more.

It’s probably not likely that the chipset for a phone or tablet would be used for something like a light bulb, but it’s certainly true that many IoT devices share the same chipset. That’s why, for instance, when a vulnerability hit a webcam manufacturer many other cameras were affected as well because they all use the same supplier’s chipset. Thus, you can have multiple devices from multiple brands using the same chipset.

As far as how it makes the jump from the ability to change light color to sending SPAM, that’s where the vulnerability in programming comes in. The software that is running on your light bulb is meant to turn on the light, change the color, maybe run a timer… or what you choose to make it do.

Another side of the coin – let’s say your iPhone. Your iPhone software that comes from Apple is built to make calls, download apps from the App Store, surf the web, check your email. When people jailbreak their iPhones, they do it to allow them to run apps that Apple didn’t authorize. I want my phone to be able to do all sorts of things; I don’t like the way the home screen is set-up, I want the ability to customize it.

So, you could think of it as jailbreaking your light bulb. So, the bad guy hacking your light bulb to do stuff it’s not supposed to do is kind of the same as you jailbreaking your phone. Exploiting a vulnerability to install some software that was not necessarily meant to run on that device, and making it do things it wasn’t meant to do by the manufacturer.

That’s a really interesting way to think about it. So basically, what you’re saying is it’s like side-loading an app onto your light bulb. I mean, I think the thing that befuddles me is it just never occurred to me that there was enough processing power besides turning on the light, turning off the light, dimming, changing the color. It never occurred to me that there would be excess processing power, but of course, if somebody’s got a barrel of chips…

It’s just what the manufacturer wanted to program it to do, but the actual power of what it could do, could be much more. They are just using the functionality to run their functions on top of it.

More power than you need

At the end of the day, if you only check email, check Facebook and surf the internet – I would argue that you only need a tablet, but many people still buy a computer, so they buy a lot more power than they really need to do these simple things. The same is true for these companies; they buy a lot more power than they need, not because they want more power, but because it’s cheaper to do it that way than it is to design something that does less.

Another element to remember when we are talking about buying more processing power than you need: the internet as we know it, all the networking code, all the stuff that makes the internet work the way it does, was developed years and years ago. In the sixties or seventies – this stuff is old code, relatively speaking. The processing power back then was minuscule compared to what we have now in our pockets with iPhones and iPads. It was really minuscule – it’s insane – just think about the fact that the general smartphone has more processing power than the lander for the moon mission.

The networking code that was written back then didn’t have the hardware or processing speed that we have today, so it’s very robust code that uses very few resources. When we are talking about having extra processing power available, it doesn’t take a whole lot when you think about it to add a network stack and be able to do stuff like “hey, I want my device to be sending SPAM”, or “I want my device to be participating in a denial of service attack”. Or in that case, it would be a hacker saying, “I want this device to” – you are unlikely to want to hack your own device.

It doesn’t take that much to add an ability to a device, as long as it meets the minimum threshold of requirements.

It’s a numbers game

I’m guessing then that it’s really just a numbers game. In other words, if you hack my light bulb, it’s only one light bulb, there’s only so much it can do. But if my light bulb is vulnerable there’s a good chance that my neighbor’s light bulb is vulnerable as well, as well as a guy living half way across the world. So, if you find one vulnerable light bulb you may find fifty thousand such light bulbs – it’s not about my light bulb, it’s about all of them.

And beyond that, it’s not just the light bulbs; it’s the webcams, it’s the smart refrigerators, the smart coffee makers. Any smart thing that we want to connect to the Internet, and yes there are millions of such devices around the world. And as you say, it adds up.

And it’s not just SPAM; it could be to give further access to your network. There is so much you could do with all these devices. What’s been fascinating about this conversation we had today: we’ve talked about the cloud before, and I understand completely, and it’s been driven home to me by doing this show this past year. When you are storing something in the cloud, you are not storing something in the cloud; you’re storing it on someone’s computer.

Ok, your smart light bulb… yes, it’s a light bulb, but it’s a light bulb with a computer attached. And I think that’s where the disconnect is. I think of my light bulb as a light bulb, and a light bulb is a light bulb unless it’s a smart light bulb, in which case it’s a computer that can do fun things with light. Or you know, a teddy bear is a teddy bear, but if it’s a smart teddy bear, then it’s a computer with stuffing all around it in a cute little kid-friendly face. And that’s the thing – the Internet of Things is really the Internet of Computers Attached to Things.

Can you hack a light bulb to start mining Bitcoin? Let’s not talk about that today because my head is almost full of what we got.

Do you have a topic you’d like to see us cover in a future episode, or a security question in need of an answer? If you have anything to ask us, send us an email at checklist@securemac.com!
