It’s easy to pile on the issue of weak or laughable security in Internet of Things devices. God knows this blog has done it – and we’re hardly alone out there. Indeed, a whole Twitter feed has been devoted to all the low-quality stuff that’s turning up on the Internet these days. That account? @InternetofS**t.
So when I got a heads-up from the folks at DUO that one of their researchers, the storied Mark Loveless (aka Simple Nomad), had put together a report on a smart power drill (PDF), I started to write the story in my mind: the unencrypted communications containing user names and passwords, the balky mobile application ripe for compromise, the dodgy, web-based back-end full of SQL injection holes.
Alas, that story was destined to stay unwritten. As it turned out, the Milwaukee-brand power drill stood up to prodding better than anyone imagined, least of all Nomad himself.
“It was a much better than average device,” Loveless told me in a phone interview. “It’s like they did threat modeling with their application, or something. That’s impressive and extraordinarily rare.”
Let's remember how this typically goes. When security researchers decide to 'peek under the hood' of popular connected consumer products – and even medical and industrial devices – security vulnerabilities of all kinds typically jump out at them. In a recent survey of implantable heart devices conducted by the firm Whitescope, for example, security researcher Billy Rios, working with a partner, discovered more than 8,000 security holes across four different makes of devices.
Among other things, the home monitoring devices do not validate the source of firmware updates, creating the potential for a so-called "man-in-the-middle attack" in which an attacker sitting on the update channel sends counterfeit firmware to a home monitoring device. None of the vendors studied digitally signed the firmware to ensure that it is official and to limit the ability of non-authorized firmware to run on devices.
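As an added illustration (this is example code written for this article, not code from the Whitescope report or from any of the vendors it studied), here is the check those devices lacked: an update path that refuses any firmware image not signed by the vendor's key. It uses Go's standard-library Ed25519. The image layout, the binding of the version number into the signed digest, and the anti-rollback rule are assumptions for this example; a real device would hold the public key in immutable storage and sign the image on a build server that never exports the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update blob: a version
// number plus the code bytes. Real image formats differ; this is illustrative.
type FirmwareImage struct {
	Version uint32
	Code    []byte
}

// digest hashes the version together with the code, so a validly signed old
// image cannot be relabelled as a newer one by editing an unsigned header.
func digest(img FirmwareImage) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], img.Version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(img.Code)
	return h.Sum(nil)
}

// SignFirmware is the vendor-side step (build server). The private key
// never leaves the vendor; devices only ever hold the public half.
func SignFirmware(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	return ed25519.Sign(priv, digest(img))
}

// VerifyFirmware is the device-side check applied before anything is
// flashed. Whoever controls the update channel cannot forge a signature
// without the private key, which is what defeats the man-in-the-middle case.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false // unsigned or malformed: refuse without looking further
	}
	return ed25519.Verify(pub, digest(img), sig)
}

// AcceptUpdate combines the signature check with a simple anti-rollback
// rule (assumed policy for this example): a correctly signed but older
// image is still rejected, since old signed firmware may carry known bugs.
func AcceptUpdate(pub ed25519.PublicKey, installed uint32, img FirmwareImage, sig []byte) error {
	if !VerifyFirmware(pub, img, sig) {
		return fmt.Errorf("firmware signature invalid: refusing to flash")
	}
	if img.Version <= installed {
		return fmt.Errorf("firmware version %d is not newer than installed %d: refusing rollback", img.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample images; the bytes stand in for real firmware.
	genuine := FirmwareImage{Version: 2, Code: []byte("constructed firmware body v2")}
	sig := SignFirmware(priv, genuine)
	tampered := FirmwareImage{Version: 2, Code: []byte("constructed firmware body v2 + backdoor")}

	fmt.Println("genuine, newer:   ", AcceptUpdate(pub, 1, genuine, sig))
	fmt.Println("tampered body:    ", AcceptUpdate(pub, 1, tampered, sig))
	fmt.Println("no signature:     ", AcceptUpdate(pub, 1, genuine, nil))
	fmt.Println("signed, rollback: ", AcceptUpdate(pub, 2, genuine, sig))
}
```

The point a practitioner should take from this is how little it costs: one public key in the device, one signature check before the flash routine, and the "counterfeit firmware over the wire" attack described above stops working regardless of how the transport is secured.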
And large tech vendors aren’t immune, either. An analysis of electronics giant Samsung’s embedded operating system, Tizen, found a raft of security issues that make it “a hacker’s dream,” according to one researcher.
Drills may well be considered lower-priority devices than, say, implantable heart defibrillators, but Nomad notes that Milwaukee's drills are no ordinary power drills. These are expensive and high-quality tools. In fact, their value is one of the factors driving the smart features, many of which are targeted at tool recovery in the event that they're lost, using wireless proximity sensing akin to what is used by products like Tile and smart locks.
In contrast with the medical device makers, however, the folks at Milwaukee did lock down their product. All communications to and from the drill are encrypted using a robust (if not cutting-edge) encryption algorithm. Similarly, interactions between the tool, the mobile application and Milwaukee's web site, which collects and manages device information, were designed to anticipate and prevent common web-based attack methods such as cross-site scripting and clickjacking. There is an effort to enforce strong and (relatively) complex passwords, as well.
The smart drill allows an owner to push standard drill profiles to the device. (Think of a contractor with many workmen and women using tools in common across different sites.) But Nomad said he was unable to manipulate those profiles in ways that caused the drill to turn on or off unexpectedly, or to somehow violate its safe operating limits. Efforts to get the drill to exceed safety limits were simply overwritten, he said.
To be sure, there were issues – albeit minor ones. Nomad found that the method Milwaukee used to identify its drills could enable Bluetooth sniffing attacks that let an attacker identify whether smart drills were nearby. Session-specific "bearer" tokens that permitted an associated mobile phone to authenticate to a drill were set with one-year life spans, while most session-specific tokens last for an hour or two, at most, Loveless said.
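The one-year token lifetime is the kind of finding an audit can catch mechanically, before a researcher has to. The following is an added example written for this article, not code from Loveless's report, and the report does not say what format Milwaukee's tokens take: it assumes JWT-shaped bearer tokens carrying the standard `iat` and `exp` claims, and a hypothetical policy maximum of two hours (the "hour or two" the article cites). It decodes each token's lifetime from its claims and flags any that exceed policy. It deliberately does not check signatures: it is a lifetime audit, not an authentication path, and must not be used as one.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// MaxSessionLifetime is an assumed policy value for this example.
const MaxSessionLifetime = 2 * time.Hour

// claims holds the RFC 7519 timing claims the audit cares about.
type claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"` // issued-at, seconds since epoch
	Exp int64  `json:"exp"` // expiry, seconds since epoch
}

// parseClaims decodes the payload segment of a JWT-shaped token.
// It does not verify the signature segment; see the note above.
func parseClaims(token string) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("token is not three dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	if c.Exp == 0 {
		// A missing exp is worse than a long one: the token never expires.
		return c, errors.New("token has no exp claim")
	}
	return c, nil
}

// TokenLifetime returns how long the token is valid, from issuance to expiry.
func TokenLifetime(token string) (time.Duration, error) {
	c, err := parseClaims(token)
	if err != nil {
		return 0, err
	}
	if c.Exp <= c.Iat {
		return 0, errors.New("exp is not after iat")
	}
	return time.Duration(c.Exp-c.Iat) * time.Second, nil
}

// AuditToken returns nil if the token's lifetime is within policy, otherwise
// an error describing why it was flagged.
func AuditToken(token string) error {
	life, err := TokenLifetime(token)
	if err != nil {
		return err
	}
	if life > MaxSessionLifetime {
		return fmt.Errorf("lifetime %s exceeds policy maximum %s", life, MaxSessionLifetime)
	}
	return nil
}

// MintUnsignedToken builds a JWT-shaped token with the given timing claims.
// It exists only so this example has constructed input to audit: the third
// segment is a fixed placeholder, so the result is never a usable credential.
func MintUnsignedToken(sub string, issued time.Time, life time.Duration) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"typ":"JWT"}`))
	payload, _ := json.Marshal(claims{Sub: sub, Iat: issued.Unix(), Exp: issued.Add(life).Unix()})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".unsigned-example"
}

func main() {
	issued := time.Date(2017, 2, 2, 12, 0, 0, 0, time.UTC) // constructed
	samples := map[string]string{
		"one-year token": MintUnsignedToken("drill-app", issued, 365*24*time.Hour),
		"one-hour token": MintUnsignedToken("drill-app", issued, time.Hour),
	}
	for name, tok := range samples {
		if err := AuditToken(tok); err != nil {
			fmt.Printf("FLAG  %s: %v\n", name, err)
		} else {
			fmt.Printf("ok    %s\n", name)
		}
	}
}
```

Run against a capture of real tokens this is a one-line loop over a file; the check is cheap enough to belong in a pre-release test suite rather than waiting for an outside researcher. If the tokens are opaque rather than JWT-shaped, the same check has to be made on the server side against the session store, but the policy question is identical.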
An even bigger problem: Milwaukee had no easy way to accept and respond to security reports from researchers like Loveless. After first reporting his findings to Milwaukee on February 2nd, Loveless made multiple attempts to contact Milwaukee directly and via the Carnegie Mellon CERT, with only limited response, prior to publication of the report. The company did not respond to a request for comment prior to publication.
Loveless said that kind of non-response is common among connected product makers, many of which have no experience working with security researchers.
“Vendors are really not used to or prepared for this,” he said. “It’s like dealing with Microsoft two decades ago.”
In this case, he observed, the news was not that bad. “It could have been a lot worse.”