Craig discusses IoT hardware and how these gaget-y devices can put your business at risk. Listen in to find out why?
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] Sometimes it seems like the easier things are the tougher they are. And man is that true according to this new study we’re going to talk about right now when it comes to these wonderful little appliances we have.
Hello everybody. Craig Peterson here. Thanks for joining me. I enjoy being here on the radio answering questions. I got a lot this week. I got dozens of them, so that’s wonderful. Keep them coming in. I pick the best ones for what we call our newsletter. That typically goes out Saturday mornings. Again, it depends on what our weeks are like. Getting those out and I try and answer them there.
That’s part of what we’re going to be doing. Midweek starting next week. We’re going to be sending out these little emails, a long tail thing, explaining a specific topic. Something you can read and just a few minutes and get something out of.
We want it really to be transformational. If you can do that in three minutes. We have been transforming our lives in a lot of ways. Many ways of us, of course, have been using computers for decades now. We’ve been using these smart devices for at least a decade. Before I had my first Android smartphone and my first iPhone, I had the Palm pilot phones and just what I could do with my Palm. It was just absolutely amazing.
Do you remember handspring and some of these other guys there are just so many wonderful things we could do with them that the Apple Newton, which never really hit it off, it was very expensive? All of these devices were designed to make our lives a little bit easier and they all required a lot of intelligence.
Now we have devices pretty much everywhere. I was going to say, come out of our ears, but that’s true too. When it comes to hearing AIDS, these extremely small devices that have embedded computers, a whole computer system. Now when you’re trying to manufacturer something like a light bulb that has smarts in it, it might be smart to be able to change colors. It might be smart to get on a network and accept a remote control code. It might be some smarts that are just designed to make the whole house easier. you turn on. A movie and automatically the lights in the room. Dim, the surround sound turns on. Just everything happens for you automatically.
These are all being done with these various small, hopefully, easy to use and install devices. But the problem that we’ve been noticing is that, wow, wait a minute. Now, none of these devices were really designed with security in mind, and in order to keep the costs down, they have to really strip those operating systems bare.
So there are versions of Linux, many of them now that are just very stripped down. The same thing’s true with BSD Unixes or units are used in a lot of this internet of things, devices, and the idea is to get it small, get it simple. So that we don’t have to provide them with a big computer or a bunch of computing power.
We can just do it simply. Get that information together, put it out there for the people to use. So what’s that information as I said, it can be almost anything. It’s about the internet of things. Now, because they have cost reduced all of these devices all the way to just out saving a fraction of a penny on each board. Remember they’re making these things by the tens of thousands and ultimately by the millions and billions at least that’s the plan, that’s what five G is been designed to help handle. They have a whole problem when it comes to what we in the industry might call root-level access.
We’ve got a security researcher out there who presented over at the Octas virtual disclosure security conference last week that most of this internet of things hardware is dangerously easy to crack and completely take control of. Then they use it for malicious purposes.
The federal government has really cracked down now on anybody that’s not just a direct contractor with them, but a subcontractor. We’re seeing this all of the time. We’re helping businesses. These enterprises that are making things, everything from a cable harness through power supplies, through control systems and control circuits. That now as of mid-August, this year, have to get rid of everything that’s in their buildings that do not meet these new CMMC and other standards.
So things like the security cameras that you might have right there. Weren’t they real cheap, like the Hikvision stuff, right? Heck, you could just go to any big-box retailer and buyHikvision. Hikvision is illegal to have in the building. You used to be able to separate the network. So you could say, yeah, my Hikvision security cameras on a different network than my Chinese made telephone voice over IP system, which is on a different network than my computer systems. You can’t do that anymore. It has to all be gone. Why? It’s because none of those systems meet the minimum security requirements.
If we go into a place that is just, for instance, we just picked up another client that’s a pizza shop. They’re doing really well because of the COVID thing, because people are ordering pizzas, they are being delivered to people’s homes and they’re just raking in the dough and they were having some problems. So they had us come in.
What was the problem? In their case, they found out that they were about to be audited by our PCI friends. PCI, that’s the payment card industry folks. So if you accept credit cards, you now have PCI obligations. What are those obligations or what do you do? How do you deal with those in their case? It turned out okay. That for whatever reason, their credit cards had been stolen, the credit card information. It could have been a skimmer. We walked into and did a security audit on this chain of restaurants. Pretty big chain here in my home state. We had to poke around. I could not believe it, they had for all of the waitstaff, Android tablets. The Android tablets were all in developer mode, full access to everything on the tablet, including the card reader, that PCI non-compliant card reader. It’s great for the servers because they come up, they take the order on this Android tablet, and then at the end of the meal, they just swipe the card in the side of the tablet. Wow. Isn’t this just wonderful? Because of the way the software was being run and being used, anything malicious could be installed on that unit that was being carried around by the wait staff. All the wait staff had to do was put something on there that just the read the credit card numbers as they were being scanned or copied all the information from the transactions and TaDa they now have money in their pocket that happened here in my home state again and it’s happening in yours.
Believe me, Wendy’s is where this one was and they ended up having people go to jail over that one. This pizza shop. We went in there, they had credit cards, apparently stolen, and that’s why they were getting a PCI audit. They brought us in a week before the audit was supposed to happen. We had a look and yes, indeed their equipment had been compromised. It’s like I say, all of the time. We never have gone into a business and found that their security is up to date. Every machine we’ve looked at has had severe security problems and in every case where we’ve gone in and it’s a government subcontractor of some sort. Every case we have found Chinese back doors and other, very malicious software on it. What does that mean to you a regular, a home person, right? Home user. What does it mean to you as an enterprise business, an organization, tax-free whatever you might be?
It means that this internet of things, hardware, whether it’s things like the Hikvision cameras that can’t be used anymore, legally anyways, for DOD subcontractors on any network on any piece of equipment or our voiceover IP phones that are being hacked or the pizza shop whose POS system had been hacked. What are you doing?
It’s across the board for everybody? So Mark Rogers is this white-hat hacker who presented at the Okta virtual disclosure security conference. He was saying that these devices were hooking up to our networks have weak to no protections at all against attacks. Against the firmware on the devices against the software that’s running on the devices, et cetera.
He claimed he’s able to gain complete route access, route level access means that he can do anything he wants on the machines, including the ability to reflash firmware. In other words, put his own software on the device on 1,012 devices that he’s tested.
And going back to this chain restaurant that we tried to help out and they decided no we’re all set. Na-Na right fingers in the ears. We could have easily and so could their waitstaff have completely hacked any of these devices. None of them, none of it was probably protected. It’s just shocking to me. It is shocking to me just continually.
The issue with all of these systems, and this is true of almost every internet of thing device out there is that most of the proprietary information about the devices, including their certificates or keys, the communication program or protocols it’s stored in poorly secured flash memory.
You think of your flash memory like a hard disc drive, but there are no moving parts in it. Anyone with access to these devices, anybody with some basic knowledge of hardware hacking, even basic software hacking can access the firmware, look for data, including vulnerabilities. We’ve seen that happen before where security cameras are being used to launch attacks against the rest of the business and it includes DOD contractors, and it includes restaurants. We’re seeing that every week.
Be very careful. I’m not getting into the details of how they’re using Uart and J tag routes to get into them. But. This is a real problem, everybody.
So again, be careful the best stuff out there right now when it comes to the internet of things to smart devices, to these speakers that you can talk to is now, I’m going to sound like a broken record, but it’s Apple. The Apple devices, the Apple speakers, all of that stuff tends to be more expensive, but it is well engineered and they do seriously consider security as part of all of this.
Well, there’s going to be a lot more, go online, and stick around.
You’re listening to Craig Peterson here and WTAG we’ll be back.
After the top of the hour, we’ll be talking about the Cybersquatting offense. Asking Google for phone information and more stick around. We’ll be right back.
More stories and tech updates at:
Don’t miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: