Black Hat 2014: Security experts hack home alarms, smart cars and more

As hackers gather in Las Vegas for the Black Hat cybersecurity conference, challenging the security of the Internet of Things seems to be this year's hottest topic.

And no wonder. According to a study HP released last week, a review of ten of popular "smart" devices -- including TVs, webcams, home thermostats, remote power outlets, sprinkler controls and automatic door locks -- found 70 percent had security vulnerabilities.

One of the Black Hat speakers recently discovered a major security flaw at a hotel where he was staying. Telling CBS News that he was just curious, Jesus Molina says he accidentally discovered that he could have taken over communications at the St. Regis Shenzhen Hotel.

Molina, who explained details of the hack to WIRED in advance of the conference, discovered that the hotel had been using an older, unencrypted communications protocol known as KNX. It was designed for hard-wired systems but then put to use for wireless. Molina said he could have taken control of it and "changed every channel in every room so everyone could watch soccer with me." But he didn't. Instead, he notified the hotel about the system's insecurities, and they acknowledged that they had been working to fix it.

Molina told CBS News that the insecure KNX protocol is increasingly being used for "smart home" automation systems -- with potentially disastrous consequences, he warned.

"Privacy and physical security is a big concern," Molina said in an email. "The risk in case of a successful penetration heavily depends on the type of devices attached to the home automation network, from mild if lights only are attached, to severe if cameras and key locks are part of it."

Several other presentations at Black Hat also focus on weaknesses in the cybersecurity and physical security of popular devices. Twitter security engineer Charlie Miller and IOActive's Christopher Valasek explore whether some cars are more vulnerable to remote compromise than others. Security researcher Silvio Cesare demonstrates how home alarm systems and keyless entry systems for cars are not as secure as most people think.

"Over time we have started to see a wider group of people attacking physical hardware and many low-end hobbyist hardware hacking tools are now becoming available. This is changing the scenario of having hardware hacking only available to well resourced attackers," Cesare told CBS News in an email.

It will be up to device makers to make sure they protect the physical security of their products, in addition to the software that runs them, he said. "If an attacker physically tampered with a device to extract the firmware software, then security problems could potentially be discovered leaving other devices open to attack," Cesare told CBS News. "This shows that physical attacks are not necessarily the only technique that is used in a successful attack of a device, but is a useful tool for compromising physical devices."

That's why security experts like Molina stress the importance of the recently announced Internet of Things alliances -- the AllSeen Alliance, Open Interconnect Consortium, and Thread Group -- to help establish security guidelines.

"We are living in different times, where openness and cybersecurity matter as much as convenience. All these groups should take this into account while making decisions moving forward, by providing clear open standards and involving security specialists in the process," he said.

After all, if someone whose goal is to enhance cybersecurity can hack your home alarm, car door or hotel room, what can stop a malicious hacker from doing the same?

Comments

CBSN Live

pop-out
Live Video

Watch CBSN Live

Watch CBS News anytime, anywhere with the new 24/7 digital news network. Stream CBSN live or on demand for FREE on your TV, computer, tablet, or smartphone.