HACKING THE INTERNET OF THINGS FOR GOOD
By Marc Rogers
Principal Security Analyst at Lookout, Inc.

WE LIVE IN A CONNECTED WORLD
Everyday objects are being transformed by the addition of sensors that enable them to interact with the world, processors that enable them to think about it, and network interfaces that allow them to talk about it.
The benefits that these intelligent, connected devices bring to our lives are almost too numerous to count.

You can control the temperature in your home from your phone with a programmable thermostat.

You can ask your car for directions as you drive.

You can check your email from your game console.

As they connect to each other, sharing what they see, hear, and know, these new intelligent, thinking devices are driving a second Internet Age.
But when we give these things intelligence and senses, we also fundamentally change their nature. Mundane objects that were once familiar and unremarkable from a security perspective have suddenly become the keepers of sensitive personal information.

For example, the traditional thermostat hanging on the wall held little attraction to cybercriminals. A connected thermostat — that can tell whoever controls it how many people live in a house, what technology connects to their network, and, most seriously, when the house is unoccupied — is an attractive target.

As we change the nature of things, identifying vulnerabilities and managing updates quickly and efficiently will be paramount.
Connected things need to be thought of as software when it comes to security, and Google Glass is the perfect example.

We found that Google Glass acts on a QR code without you ever having to tell it to.

In theory, this is an awesome idea. In the future, you could buy a cup of coffee just by looking at a menu, or, if you were in a foreign country, the menu would automatically translate to your language if you had Glass on.

But it takes control away from you and opens a window of opportunity for an attacker. Exposing sensitive data or managing important configuration settings should only happen at the wearer’s request.

While it’s useful to configure your Glass with a QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi networks or their Bluetooth devices. Unfortunately, this is exactly what we found.

Glass was hacked by the image of a malicious QR code. Both the vulnerability and its method of delivery are unique to Glass as a consequence of it becoming a connected thing.

Lookout recommended that Google limit QR code execution to points where the user has solicited it.
We disclosed our findings to Google on May 16.

Everything is OK

Google clearly worked quickly to fix the vulnerability: the issue was fixed in version XE6, released on June 4th, and the changes Google made reflected this recommendation. This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and sets a benchmark for how connected things should be secured going forward.

Embedded hardware developers should take a page out of
Google’s vulnerability management process and approach
wearables, connected things and anything with a sensor with the
same mindset that Google is currently treating Glass.

Just as pressing, in our connected world, security and updates
must be baked into these new devices from the start.

Companies with roots in software engineering will understand
this, while many others may struggle with the unfamiliar issues
and sheer complexity of managing millions of things.
Because a wide array of traditionally mundane items are being connected, many
companies creating connected devices are unfamiliar with the potential dangers they
may be creating for users by failing to act when vulnerabilities arise.
In 2011, Jerome Radcliffe discovered that at least four models of insulin pump sold by the manufacturer Medtronic were vulnerable to wireless attack.

An insulin pump is an intelligent, connected medical device that replaces the more traditional syringe method of delivering insulin. The insulin pump most often works in conjunction with a continuous glucose monitor, a device with multiday sensors that continuously measures blood glucose levels, passing the telemetry on to an insulin pump so it can calculate how much insulin to deliver.

This is where the wireless connectivity comes in handy. Allowing the insulin pump and monitor to talk wirelessly is much more convenient for the wearer, reducing the number of wires and expanding the range of devices that can monitor the patient’s well-being.

This is also where the security vulnerability is found.
In designing the way these devices communicate, the only security measure implemented
by the manufacturer was the need to use a valid serial number when communicating. This
means an attacker who uses radio equipment to monitor the traffic between a patient’s
monitor and insulin pump can replay that traffic, disabling the insulin pump or, even
worse, fooling the insulin pump into delivering incorrect dosages of medicine.
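The failure described above is that a serial number is an identifier, not a secret or a proof of freshness, so any captured frame remains valid forever. The toy model below (added here; it is not Medtronic's protocol, and the serial, key and command strings are constructed) contrasts a serial-only check with a keyed MAC plus a per-device monotonic counter, which is the minimum that stops replay and forgery on a link like this:

```python
"""Toy monitor -> pump link. Constructed example; not any vendor's real protocol."""
import hashlib
import hmac
import struct

PUMP_SERIAL = "123456"                        # constructed sample serial
SHARED_KEY = b"constructed-demo-key-not-real"  # constructed; provisioned per pairing in practice
TAG_LEN = 32                                   # HMAC-SHA256 output length


# --- Design 1: the pattern the slides describe (serial number is the only check) ---

def encode_plain(serial: str, command: str) -> bytes:
    return f"{serial}|{command}".encode()


def pump_accepts_plain(frame: bytes, pump_serial: str = PUMP_SERIAL) -> bool:
    """Accept any frame carrying the pump's serial. Nothing binds the frame to
    a sender or to a point in time, so a frame recorded once stays valid."""
    serial, _, _command = frame.decode().partition("|")
    return serial == pump_serial


# --- Design 2: keyed MAC over (serial, counter, command) plus replay window ---

def encode_auth(serial: str, counter: int, command: str, key: bytes = SHARED_KEY) -> bytes:
    # wire format: serial || counter(8 bytes, big-endian) || command || tag(32)
    body = serial.encode() + struct.pack(">Q", counter) + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthPump:
    def __init__(self, serial: str = PUMP_SERIAL, key: bytes = SHARED_KEY):
        self.serial, self.key = serial, key
        self.last_counter = -1   # highest counter already acted on; must persist across resets

    def accepts(self, frame: bytes) -> bool:
        n = len(self.serial)
        if len(frame) < n + 8 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # not produced with the key, or tampered
        serial = body[:n].decode(errors="replace")
        (counter,) = struct.unpack(">Q", body[n:n + 8])
        if serial != self.serial or counter <= self.last_counter:
            return False                      # wrong device, or a frame already seen
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run both designs against a legitimate frame, the same frame a second time,
    a frame built without the key, and a frame whose command was altered."""
    results = {}
    frame = encode_plain(PUMP_SERIAL, "BOLUS 2.0")
    results["plain_first"] = pump_accepts_plain(frame)
    results["plain_replay"] = pump_accepts_plain(frame)        # True: replay accepted

    pump = AuthPump()
    frame = encode_auth(PUMP_SERIAL, 1, "BOLUS 2.0")
    results["auth_first"] = pump.accepts(frame)
    results["auth_replay"] = pump.accepts(frame)               # False: counter 1 already used
    results["auth_next"] = pump.accepts(encode_auth(PUMP_SERIAL, 2, "BOLUS 2.0"))
    forged = encode_auth(PUMP_SERIAL, 3, "BOLUS 2.0", key=b"wrong-key")
    results["auth_forged"] = pump.accepts(forged)              # False: right serial, no key
    good = encode_auth(PUMP_SERIAL, 4, "BOLUS 2.0")
    tampered = good[:-TAG_LEN].replace(b"2.0", b"9.9") + good[-TAG_LEN:]
    results["auth_tampered"] = pump.accepts(tampered)          # False: tag no longer matches
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:14s} accepted={accepted}")
```

The counter state has to survive a power cycle of the pump, otherwise every reset reopens the replay window; a timestamp or challenge-response can serve the same freshness purpose where a persistent counter is impractical.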

Radcliffe disclosed his findings to Medtronic, who ultimately denied that they were a major concern, both because there was no sign of the issues being exploited in the wild and because they felt it would be technically difficult for a malicious party to carry the attacks out.

As a consequence, two years on, the Medtronic Paradigm 512, 522, 712, and 722 insulin pumps remain vulnerable to wireless attack.
In a world where computing is getting closer to our physical
selves, companies incorporating sensors into their devices
can’t afford a failure of imagination, or a vulnerability
management failure.

The fact is, there’s an existential question when it comes to the connected world:

Do you put out something that makes life infinitely easier?

OR

Do you hold back and make sure it’s more secure?
It’s going to take a new kind of imagination for every
hardware and software company to secure the next
generation of devices. We can do this.
Read more about our approach to securing the connected world at
http://bit.ly/hackingforgood
Keep in touch with
@lookout
/mylookout
blog.lookout.com
contact@lookout.com
http://bit.ly/connected-world
@marcwrogers

Hacking the Internet of Things for Good

  • 1. HACKING THE INTERNET OF THINGS FOR GOOD By Marc Rogers Principal Security Analyst at Lookout, Inc.
  • 2. WE LIVE IN A CONNECTED WORLD
  • 3. Everyday objects are being transformed by the addition of sensors that enable them to interact with the world, processors that enable them to think about it, and network interfaces that allow them to talk about it.
  • 4. The benefits that these intelligent, connected devices bring to our lives are almost too numerous to count.
  • 5. You can control the temperature in your home from your phone with a programmable thermostat. 
  • 6. You can ask your car for directions as you drive.
  • 7. You can check your email from your game console.
  • 8. As they connect to each other, sharing what they see, hear, and know, these new intelligent, thinking devices are driving a second Internet Age.
  • 9. But when we give these things intelligence and senses, we also fundamentally change their nature. Mundane objects that were once familiar and unremarkable from a security perspective have suddenly become the keepers of sensitive personal information.
  • 10. For example, the traditional thermostat hanging on the wall held little attraction to cybercriminals. A connected thermostat — that can tell whoever controls it how many people live in a house, what technology connects to their network, and, most seriously, when the house is unoccupied — is an attractive target.
  • 11. As we change the nature of things, identifying vulnerabilities and managing updates quickly and efficiently will be paramount.
  • 12. Connected things need to be thought of as software when it comes to security, and Google Glass is the perfect example.
  • 13. We found that Google Glass acts on any QR code it sees, without you ever having to tell it to.
  • 14. In theory, this is an awesome idea. In the future, you could buy a cup of coffee just by looking at a menu, or if you were in a foreign country, the menu would automatically translate to your language if you had Glass on.
  • 15. But it takes control away from you, and opens a window of opportunity for an attacker. Exposing sensitive data or managing important configuration settings should only happen at the wearer’s request.
  • 16. While it’s useful to configure your Glass with a QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi networks or their Bluetooth devices. Unfortunately, this is exactly what we found.
  • 17. Glass was hacked by the image of a malicious QR code. Both the vulnerability and its method of delivery are unique to Glass as a consequence of it becoming a connected thing.
  • 18. Lookout recommended that Google limit QR code execution to points where the user has solicited it. We disclosed our findings to Google on May 16.
  • 19. Everything is OK. Google clearly worked quickly to fix the vulnerability: the issue was fixed in version XE6, released on June 4th, and the changes reflected this recommendation.
  • 20. This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and set a benchmark for how connected things should be secured going forward. 
  • 21. Embedded hardware developers should take a page out of Google’s vulnerability management process and approach wearables, connected things and anything with a sensor with the same mindset that Google is currently treating Glass. 
  • 22. Just as pressing, in our connected world, security and updates must be baked into these new devices from the start. 
  • 23. Companies with roots in software engineering will understand this, while many others may struggle with the unfamiliar issues and sheer complexity of managing millions of things. Because a wide array of traditionally mundane items are being connected, many companies creating connected devices are unfamiliar with the potential dangers they may be creating for users by failing to act when vulnerabilities arise.
  • 24. In 2011, Jerome Radcliffe discovered that at least four models of insulin pump sold by the manufacturer Medtronic were vulnerable to wireless attack.
  • 25. An insulin pump is an intelligent, connected medical device that replaces the more traditional syringe method of delivering insulin. The insulin pump most often works in conjunction with a continuous glucose monitor, a device with multiday sensors that continuously measures blood glucose levels, passing the telemetry on to an insulin pump so it can calculate how much insulin to deliver. This is where the wireless connectivity comes in handy.
  • 26. Allowing the insulin pump and monitor to talk wirelessly is much more convenient for the wearer, reducing the number of wires and expanding the range of devices that can monitor the patient’s well-being. This is also where the security vulnerability is found.
  • 27. In designing the way these devices communicate, the only security measure implemented by the manufacturer was the need to use a valid serial number when communicating. This means an attacker who uses radio equipment to monitor the traffic between a patient’s monitor and insulin pump can replay that traffic, disabling the insulin pump or, even worse, fooling the insulin pump into delivering incorrect dosages of medicine. 
  • 28. Radcliffe disclosed his findings to Medtronic, who ultimately denied that they were a major concern: there was no sign of the issues being exploited in the wild, and they felt it would be technically difficult for a malicious party to carry the attacks out. As a consequence, two years on, the Medtronic Paradigm 512, 522, 712, and 722 insulin pumps remain vulnerable to wireless attack.
  • 29. In a world where computing is getting closer to our physical selves, companies incorporating sensors into their devices can’t afford a failure of imagination, or a vulnerability management failure. 
  • 30. The fact is, there’s an existential question when it comes to the connected world: Do you put out something that makes life infinitely easier? OR  Do you hold back and make sure it’s more secure?
  • 31. It’s going to take a new kind of imagination for every hardware and software company to secure the next generation of devices. We can do this. Read more about our approach to securing the connected world at http://bit.ly/hackingforgood
  • 32. Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/connected-world @marcwrogers
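The control recommended on slides 15 to 18 (act on a QR code only when the wearer solicited the scan), shown as an added example. This is not Google's or Lookout's code and nothing in it is taken from Glass itself: the `Glass` class is a stand-in constructed for the example, the payload is assumed to use the common `WIFI:T:<auth>;S:<ssid>;P:<password>;;` form (escaped `;` inside fields is not handled), and the sample code content is made up.

```python
"""Added example: gate QR-driven configuration behind an explicit wearer action.

Assumptions (not from the deck): WIFI: payload format, and that the device
exposes a one-shot 'scan requested' flag set when the wearer opens the scanner.
"""
import re

WIFI_RE = re.compile(r"^WIFI:(?P<body>.*);;$")
ALLOWED_AUTH = {"WPA", "WEP", "nopass"}

SAMPLE_QR = "WIFI:T:WPA;S:FreeCoffee;P:latte123;;"   # constructed sample payload


def parse_wifi_payload(payload):
    """Decode a WIFI: payload; raise ValueError on anything unexpected."""
    m = WIFI_RE.match(payload)
    if not m:
        raise ValueError("not a WIFI payload")
    fields = {}
    for part in m.group("body").split(";"):
        if not part:
            continue
        key, sep, value = part.partition(":")
        if not sep or len(key) != 1:
            raise ValueError("malformed field")
        fields[key] = value
    ssid = fields.get("S", "")
    # SSIDs are at most 32 bytes; refuse control characters that could
    # confuse whatever UI later shows the network name to the wearer.
    if not ssid or len(ssid.encode()) > 32 or not ssid.isprintable():
        raise ValueError("bad SSID")
    auth = fields.get("T", "nopass")
    if auth not in ALLOWED_AUTH:
        raise ValueError("unknown auth type")
    if auth != "nopass" and not fields.get("P"):
        raise ValueError("missing passphrase")
    return {"ssid": ssid, "auth": auth, "password": fields.get("P", "")}


class Glass:
    """Minimal stand-in for the device (constructed for this example)."""

    def __init__(self):
        self.networks = []            # SSIDs the device joined
        self.prompts = []             # what the wearer was shown instead of joining
        self._scan_requested = False

    def request_scan(self):
        """Wearer opens the Wi-Fi setup scanner: the next scan is solicited."""
        self._scan_requested = True

    def consume_scan_request(self):
        """One request authorises exactly one scan, so a scanner left open
        does not keep auto-joining every code that drifts into view."""
        was, self._scan_requested = self._scan_requested, False
        return was

    def join(self, cfg):
        self.networks.append(cfg["ssid"])


def auto_apply(device, payload):
    """Behaviour the deck describes before XE6: any valid code in view is acted on."""
    try:
        cfg = parse_wifi_payload(payload)
    except ValueError:
        return "ignored"
    device.join(cfg)
    return "connected"


def apply_if_requested(device, payload):
    """Hardened handler: decode always, but apply only to a solicited scan."""
    try:
        cfg = parse_wifi_payload(payload)
    except ValueError:
        return "ignored"
    if not device.consume_scan_request():
        device.prompts.append(f"Network {cfg['ssid']!r} seen; open Settings to join")
        return "prompted"
    device.join(cfg)
    return "connected"
```

The point of the one-shot flag is that "the user solicited it" has to be tied to a specific scan, not to a mode the device can be left in; an attacker who can put an image in front of the camera gets nothing from `apply_if_requested` unless the wearer has just asked to scan.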
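The weakness on slide 27 (serial number as the only check, so captured traffic can be replayed or forged) and the kind of design that closes it, as an added example. This is not Radcliffe's research code and not Medtronic's protocol: the frame layout, serial, pairing key and commands are constructed for illustration, and the fix shown (a per-pump key, an HMAC over each frame, and a strictly increasing counter) is a generic anti-replay design, not something the deck attributes to any vendor.

```python
"""Added example: why a serial-only check permits replay, and one way to stop it.

Constructed values: SERIAL, PAIRING_KEY and the 'serial|counter|cmd|tag'
frame format are assumptions for this example only.
"""
import hashlib
import hmac

SERIAL = b"PUMP-123456"          # constructed sample serial
PAIRING_KEY = b"k" * 32          # constructed; would be a per-pump secret set at pairing


class PumpBase:
    def __init__(self, serial):
        self.serial = serial
        self.delivered = []       # units of insulin actually delivered
        self.suspended = False

    def _apply(self, cmd):
        if cmd.startswith(b"BOLUS:"):
            self.delivered.append(float(cmd[len(b"BOLUS:"):].decode()))
            return "delivered"
        if cmd == b"SUSPEND":
            self.suspended = True
            return "suspended"
        return "rejected: unknown command"


# --- Design described on slide 27: the serial number is the only check ---
def monitor_frame_v1(serial, cmd):
    return serial + b"|" + cmd


class PumpV1(PumpBase):
    def receive(self, frame):
        serial, _, cmd = frame.partition(b"|")
        if serial != self.serial:
            return "rejected: serial"
        return self._apply(cmd)       # anyone who has seen the serial once can do this


# --- Authenticated, replay-resistant design (generic, not a vendor's) ---
def monitor_frame_v2(key, serial, counter, cmd):
    body = b"|".join([serial, str(counter).encode(), cmd])
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()[:32].encode()  # hex keeps '|' out of the tag
    return body + b"|" + tag


class PumpV2(PumpBase):
    def __init__(self, serial, key):
        super().__init__(serial)
        self.key = key
        self.last_counter = 0         # must survive power cycles in a real device

    def receive(self, frame):
        try:
            body, tag = frame.rsplit(b"|", 1)
            serial, counter, cmd = body.split(b"|", 2)
            counter = int(counter.decode())
        except ValueError:
            return "rejected: malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()[:32].encode()
        if serial != self.serial or not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"   # forged or tampered frame
        if counter <= self.last_counter:
            return "rejected: replay"    # frame already seen (or older)
        self.last_counter = counter
        return self._apply(cmd)


def replay_demo():
    """Capture one legitimate bolus frame and replay/forge against both designs."""
    v1, v2 = PumpV1(SERIAL), PumpV2(SERIAL, PAIRING_KEY)
    captured_v1 = monitor_frame_v1(SERIAL, b"BOLUS:2.5")
    captured_v2 = monitor_frame_v2(PAIRING_KEY, SERIAL, 1, b"BOLUS:2.5")
    results = {
        "v1_first": v1.receive(captured_v1),
        "v1_replay": v1.receive(captured_v1),                        # second dose goes in
        "v1_forged": v1.receive(monitor_frame_v1(SERIAL, b"BOLUS:25")),   # serial is enough
        "v2_first": v2.receive(captured_v2),
        "v2_replay": v2.receive(captured_v2),
        "v2_tampered": v2.receive(captured_v2.replace(b"BOLUS:2.5", b"BOLUS:25")),
        "v2_forged": v2.receive(monitor_frame_v2(b"wrong-key", SERIAL, 2, b"SUSPEND")),
    }
    return results, v1.delivered, v2.delivered
```

The MAC alone is not enough: a frame with a valid tag is still valid forever unless the pump also remembers where the counter stands, which is why `last_counter` has to be persistent and the monitor must never reuse a value. Provisioning `PAIRING_KEY` securely on a small embedded device is the hard part of this design, and it is exactly the kind of "software" problem slide 12 says device makers now own.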