Know your IoT attacker

Andrew Tierney 12 Feb 2016

I’ve done a fair amount of work on IoT security devices; security alarms, cameras, locks, and access control systems for example. Along the way I’ve noticed a worrying trend in how people view threat in these systems. These systems are primarily designed to prevent physical attacks- burglary, theft, violence. The problem is that people get stuck in a rut thinking the perpetrators of those sorts of crime will be the only types of people wanting to attack those systems.

When a vulnerability in a system or device is published, the assumption in our industry is that a burglar won’t have the comprehension, or skill, or interest to exploit it. The outcome is that a vulnerability in a house alarm, for example, is downplayed purely because it’s not seen as being “burglar-friendly”.

It’s not just burglars

The assumption is that the only attacker in this scenario is a burglar, which is both incorrect and dangerous. There are many other attackers, many other sorts of people with various motivations, who can and will exploit vulnerabilities- vulnerabilities which might be seen as unrelated to their goals.

Sun Tzu said “If you know your enemies and know yourself, you will not be imperiled in a hundred battles”. Wise words Sun, but we’re dealing with the Internet here. There’s billions of attackers out there, and you cannot know them all. You can’t understand their motivations. It helps to try, but you cannot rely on it.

There are entire classes of attacker that are forgotten about, here are a few:

  • Mischief maker – they just want to mess with stuff for the fun of it.
  • Bored teenager – don’t underestimate the drive and persistence of a bored teenager on the LAN.
  • Pervert – if you have cameras inside home this has to be a real concern.
  • Journalist – phone hacking was morally “OK” for some of them, why not CCTV images from inside a house?
  • Jilted lover – rejected partners go to incredible lengths to intimidate and invade the privacy of their ex.

Even considering these and other sorts of attacker, it’s not wise to ignore perceived low-skilled attackers like burglars.

Car thieves are another good example of “low-skilled” attackers. Hundreds of cars are stolen a year using technical electronic attacks. Do the guys on the street know how a Megamos vehicle transponder works? Unlikely.

They have a box, they press a button on that box and they can steal a car. No technical skill needed.

The victim disconnect

It’s easy to misunderstand how a victim thinks. If you work in infosec, you need to step away from this. Most people are not nearly so technically adept. They don’t get security. They rely on others to model threat and advise on risk.

Let’s look at the the jilted lover attacker scenario. They are irrational, can be determined to the point of obsession, have inside knowledge, have had physical access in the past. If you put yourself in the shoes of the ex who could be their target victim, someone saying “this vulnerable home alarm is nothing to worry about” is clearly talking toot.

Also, think about famous and high-net worth individuals. The journalist attacker can become a real threat, “Hmm, why did those two celebs go into the house and spend 3 hours in the bedroom?”.

Imagine beyond your own experience

I recommend thinking a lot more deeply about IoT and how it can affect and undermine security.

…and remember, more than ever before, the security of an IoT system not only places business at risk, but also individuals and society in general.