A hacker at CES: An analysis of security at the Consumer Electronics Show


  •  
  •  
  •  
  •  

I recently attended the world’s largest consumer technology show in the world: CES. It was my first time at the show and I was excited to not only see the latest gadgets, but also attend some of the sessions. Of course, as a hacker I couldn’t help but apply the “how to break in” filter to everything I saw, especially with the growth of IoT as an attack vector in the last couple of years. I didn’t go it alone: my friend and colleague Daniel Miessler joined me. Daniel is the Director of Advisory Services at IOActive and project leader for the OWASP IoT project.

Together we covered 6 million square feet (and we only made it to three quarters of the show). The four biggest themes were: AR and VR, autonomous cars and sensors (radar, CO2, gyroscopes, video and audio), home automation, and wearables.

From a security perspective, all four of these areas pose a major challenge. IoT has gone unregulated and largely unsecured, and given the rapid growth of IoT devices it’s no surprise that these devices represent a major threat (and a major opportunity for adversaries.)

 

Key takeaways:

  1. Wear comfortable shoes! (Seriously, this show is massive!)
  2. Autonomous cars have made headlines, but the challenges of securing them will keep fully autonomous cars from becoming a reality anytime soon.
  3. Drones are taking over and as a result anti-drone technology is something we’re starting to see more of with countermeasures representing a market as big as the drones themselves.
  4. AR and VR are still early, but we’ll be keeping our eye on this technology as the market consolidates.
  5. Sensors are everywhere and represent some of the biggest security challenges especially as they become more connected.
  6. Represented in a growing number of homes, IoT hubs pose serious security considerations right now.

Listen to Jason and Daniel’s analysis in our latest podcast.

Subscribe to our Bugcrowd Podcast RSS feed here: 

Automotive

In his CES presentation (and this Wired article) Nissan R&D Chief Maarten Sierhuis outlines why we’re not likely to see fully autonomous cars anytime soon. Namely, he notes that a massive portion of the economy is based on drivers hauling and taxis — this represents a massive infrastructure. There are a lot of scenarios where autonomy won’t be able to handle it. He proposes the idea of control centers that can bridge the gap between man and machine. We’ve now gone from trying to absolutely limit remote access to automobiles to actively allowing it as a feature. Woof.

In addition to the limitations of autonomy, is the need to create a whole new ecosystems of sensors. Traditionally cars have two sets of networks: everything to do with cars driving and the media portion of the car. But where do these sensors connect? They will need their own network. This opens up a whole new threat landscape where adversaries can manipulate the sensors and the network where data is shared.

AR/VR

Though it’s still a bit early, it’s likely that (like most other IoT devices) there will be security implications to AR and VR technology. We saw about 100 headsets and they all had their own hardware and software. That will need to collapse down before we start really seeing adoption, which will lead to the use cases and subsequently the abuse cases. Most likely the issues will be in disclosure of information, a result of the devices having too much access to content.  Maybe the object itself didn’t want you to see because you got it from another source. But it’s still early.

Drones

What was most interesting about the drones at the show were actually the countermeasures we saw popping up. As drones keep getting smaller (there’s now a selfie drone!), popular and cheap, we’ll see increased adoption and a greater need for countermeasures. Most of these technologies are small enough to fit in your pocket and can break the communication signal from many kilometers away, causing the drone to either crash or fly back “home”. The military already has these systems that fry the tech itself with microwave systems. We didn’t see these type of devices at CES, but we did see one anti-drone booth demonstrating Thor (a jamming device the military uses to block communication with an IED). In the field these are large devices that are worn by soldiers, but what we saw at CES could fit in the palm of your hand.

It’s a strange world where you can be attacked or monitored at any point from above and there has to be a counter to that. There was a drone hacking contest at the last DEFCon where we saw just how vulnerable they are. We will likely see more of this antidrone technology in the years to come. Drone security is not just consumer anymore either. As drone technology augments delivery and municipal work, the conversation around securing this equipment is magnified 10x.

The IoT Hub

Be it Echo or Google Home, a growing number of households now have an IoT hub, any device that takes the place of or attaches to your wireless router and has permissions to do things on your behalf. The problem we’re finding (and Daniel has a great blog on this) is the latter part. If your device is setup to purchase things on  your behalf (and we’ve seen very real examples of this) there is nothing to stop someone else within the microphone’s listening range (even on your TV or radio) from commanding “Alexa” to buy something for you.

Sensors

What is interesting about sensor technology is that it is providing a new way to look at input devices. For decades we’ve been mostly limited to light sensors, essentially a camera. You take this snapshot and feed it to a computer and it figures out what the image is. Today, this sensor technology has expanded to audio, CO2, etc. At CES we got a glimpse at the promise of connecting algorithms to sensor data in a 24/7 stream. Imagine input data from visual, audio, CO2, accelerometers constantly running through algorithms. Continuous evaluation of sensor data by deep learning and AI will no doubt produce better outcomes, but there are a lot of security connotations in all of the data and information sharing and how this data is stored and shared across networks will be important to ensuring its security.

The net net

The narrative for IoT security is pretty bad in general. When we asked vendors questions about security, the answer was almost always “we’re still in beta.” My overwhelming sense was that these vendors are just barely hanging on trying to beat their competition (the rush to market is real). Security is the last thing they’re thinking about.

The OWASP IoT logging project has been asking vendors what they are logging and is finding that even with the amount of really vital data that is being held, not much consideration is going into the security of this data. The most progressive vendors we’ve seen are car manufacturers because of the physical safety involved in driving a car, but if you look at Mirai botnet that took out half the Internet this fall, it’s pretty clear that security is very low on the priority list for most vendors.

Wrapup

Daniel and I tried to see as many technologies as possible while at the show and while a majority of them are in infancy and had little to no security we did find a few standout vendors who cared about security. There were also a few companies trying to solve the connected home IoT problem in specific (Norton, Bitdefender, and a few others). Overall, we left with mixed feelings. Because of how rapidly technology is evolving, the application and device security market will continue to thrive. As security professionals this is great for job security, but as consumers Daniel and I really just want a more secure world.

The week before the show the the FTC issued a bug bounty of it’s own in an effort to address some of the problem (see: https://www.ftc.gov/iot-home-inspector-challenge) and I am happy to work for a company who is moving the needle forward for several IoT vendors. I feel passionately that bug bounty and managed responsible disclosure programs can help the speed of some of these companies by augmenting both their security and engineering teams. It may not be a panacea, but I have seen first hand how much of a force multiplier the crowd can be for companies looking to simultaneously shorten time to market and create secure products.