Security researchers have been talking a lot lately about the Internet of Things: the refrigerator that was unfairly suspected of sending spam, the light bulbs that display your WiFi network password, and so on. There were some fine examples of this at Black Hat and Defcon this year.
Jesus Molina was staying in a luxury hotel in China where each room had an iPad with an app that controlled the light, air conditioning, blinds and so on. As he explained in a presentation at Black Hat, with a little research and effort he was able to take control of almost every other room in the hotel from that one iPad. However, his research involved changing rooms several times to try to map the network. He had to keep making excuses to the hotel explaining why he did not like the room he was in. In desperation they eventually moved him to a two-story luxury suite – the only suite in the hotel that was not iPad controlled, so he had to find a reason why he didn’t like that one either.
On the other hand, devices do not have to be connected to the Internet to be hacked, and hacks do not have to be implemented in software. Defcon presenter Maggie Jauregui discovered that using a walkie talkie close to her hair drier would permanently break the ground fault interrupt (GFI) on the drier. Joking that anything that interfered with her ability to blow dry her hair in the morning was a serious vulnerability, she set out to investigate the impact of radio waves on GFIs. She found that newer models were generally more resistant to the effects, but in older ones a solenoid inside would act as a radio antenna and could be destroyed. It turns out that the older models are still in production and are by far the most popular forms of GFI. In a live demo she got an assistant to point a two-foot-long antenna at a hair drier GFI, and got a round of applause as it first started to give off smoke, and finally died with a bang and a spark visible from the back of the room.
In the last presentation at Defcon, Deviant Ollam and Howard Payne dealt with elevator hacking. While they talked about some exotic and dangerous attacks such as riding on top of an elevator car, the most basic way of compromising an elevator is to get hold of the fire department key for your region (typically an entire state). By law these keys will override any key- or card-based security measures on an elevator. While these keys are supposed to be restricted to first responders, it turns out that they are easy enough to obtain, either by buying a key and lock combination or by obtaining the lock and reverse engineering the key that fits. Payne has a collection covering the entire country. Full control of the elevator allowed the penetration testers access to any floor, and also gave them the ability to park an elevator with the doors closed and hide out in it until after business hours. When one manager was shown video of Ollam and Payne using a fire department key to enter via an elevator that was supposed to be used for exit only, his response was, “But we were told that elevator doesn’t go up!”
That talk was a useful reminder that good systems security is predicated on good physical security, and it’s easy to overlook physical vulnerabilities.