Course 9 - Internet of Things Security | Episode 3: IOT Security: Challenges, Vulnerabilities, and Real-World Cyber-Physical Attacks - CyberCode Academy

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the deep Dive. Today, we are jumping
into a topic that is, let's just say, it's both
thrilling and a little bit terrifying, just a little bit, okay,
maybe a lot. We're talking about securing the Internet of Things,
you know IoT. We're surrounded by these cyber physical systems,
and the big question is why do these gadgets, which

(00:20):
are supposed to make life easier end up bringing these huge,
hidden risks into our homes.

Speaker 2 (00:25):
It's such an important question, and it's not just about
your smart toaster anymore. The line is getting really blurry
between say, your fitness tracker and critical industrial systems, power
grids and cars exactly. And the central problem, the real
tension here is just the speed of it all. We're
rolling out millions of new devices, but the security needed

(00:47):
to protect them is just not keeping pace. It's lagging
way behind.

Speaker 1 (00:50):
And you can really see how serious this is just
by looking at the rise of cyber insurance. It's a huge,
booming field designed to cover everything from data breaches to
you know, actual hardware failure from a cyber attack.

Speaker 2 (01:02):
Right the very fact that businesses now have to carry
this kind of specific insurance tells you everything. It shows
the threat has matured. It's not just about a virus
on your computer anymore.

Speaker 1 (01:13):
No, the threat has moved out of the screen and
into the physical world.

Speaker 2 (01:16):
It absolutely has.

Speaker 1 (01:17):
So let's unpack that. Yeah, why are so many of
these devices insecure, like right out of the box. It
seems to come down to, well, market pressure.

Speaker 2 (01:27):
That's the heart of it. It's a business challenge. You're
in a race to get to market. So the priority
is new features, making it easy to use and just
you know, pushing it out the door.

Speaker 1 (01:35):
Fast, and security gets left behind.

Speaker 2 (01:38):
It becomes a feature they plan to patch in later.
If they applied the same security standards we expect from
say corporate it, the product would be delayed by months,
maybe even years.

Speaker 1 (01:50):
So it's this constant tradeoff security versus convenience and speed.
And you mentioned there's another challenge tied to this, which is.

Speaker 2 (01:57):
Just us the public precisely. There is a general lack
of security literacy. Someone buys a smart thermostat and they
don't really get that they're adding a new computer, a
new node to their home network.

Speaker 1 (02:08):
Did just see a thermostat?

Speaker 2 (02:09):
They just see a thermostat. They don't understand the level
of connectivity it needs, or what credentials it might be using.
Companies just sell these things assuming a level of knowledge
that the average person, well, they.

Speaker 1 (02:22):
Just don't have, which perfectly sets up this idea of
old threats and new boxes. It's not always some sophisticated
new hack, is it.

Speaker 2 (02:29):
No, not at all. A lot of the time the
vulnerabilities are just carried over from much older systems, things
that were never properly secured in the first place.

Speaker 1 (02:38):
So we're talking about fundamental mistakes.

Speaker 2 (02:39):
Yes, the flaws that researchers find again and again aren't
these complex zero day attacks that no one's ever seen.
They're known issues, basic oversights that frankly should been fixed
decades ago.

Speaker 1 (02:52):
So if you were to make a checklist of these
common known flaws, what would be at the top.

Speaker 2 (02:57):
Number one, without a doubt is authentication or lack thereof.
We're talking about super easy to guess passwords or even worse,
hard coded credential.

Speaker 1 (03:06):
Like admin and password.

Speaker 2 (03:08):
It's exactly admin one, two, three, four, five, things the
user can even change. This is what allows for those
massive bot nets like MIRR, where millions of devices get
taken over at once just by trying a few default passwords.

Speaker 1 (03:22):
Okay, so after bad passwords, what's next on the list?

Speaker 2 (03:24):
The next layer is how they handle communication and data.
You find devices storing information completely unencrypted or talking to
their servers over an open.

Speaker 1 (03:35):
Channel, so anyone listening on the network can just see
it all.

Speaker 2 (03:37):
They can see it all. And that goes for both
local communication like from your phone's app to the device,
and remote communication with the company servers.

Speaker 1 (03:45):
And then there's a problem of leaving digital doors unlocked.

Speaker 2 (03:48):
That's a perfect way to put it. Devices often ship
with all these unnecessary access points left wide open, things
like command line interfaces or remote access back doors that
were only supposed to be used for say, factory.

Speaker 1 (03:59):
Testing, but they never get closed.

Speaker 2 (04:01):
They never get closed, and an attacker who finds one
has a direct, high level way right into the system.

Speaker 1 (04:06):
This is where it gets really fascinating, because you see
how these simple flaws lead to some well pretty canistrophic results.
Let's start with something you might find in any home,
a baby monitor, right.

Speaker 2 (04:19):
So, security researchers looked at a bunch of these Wi
Fi baby monitors and found some truly lazy design flaws. Lazy,
how well beyond the usual guessable passwords. Some device is
allowed for a complete authentication bypass.

Speaker 1 (04:34):
Wait a bypass? You mean you don't need a password
at all?

Speaker 2 (04:37):
Not at all. An attacker could literally just send a
specific unauthorized request to the device and poof, they could
add their own user account.

Speaker 1 (04:44):
A new user with what kind of privileges?

Speaker 2 (04:47):
Full administrative privileges, no password, no check nothing. It's a
complete breakdown of basic access control. And then on top
of that, there were privileged escalation flaws.

Speaker 1 (04:56):
Meaning you could start as a normal user and become
an admin exactly.

Speaker 2 (05:00):
A regular user could log in but then just manually
type in the URL for an admin only page and
the device was again too lazy to check if they
were actually allowed to be there. They just get full
admin access instantly.

Speaker 1 (05:12):
That's not even hacking, that's just poor design.

Speaker 2 (05:14):
It's just bad code.

Speaker 1 (05:16):
Okay, So let's move from the nursery to the kitchen.
The smart fridge. I mean it seems harmless enough, right
It connects to your Gmail to help with shopping lists.

Speaker 2 (05:24):
This is a classic case of a device's features outpacing
its security. The critical flaw here was that the fridge
it failed to validate SSL certificates when talking to Google servers.

Speaker 1 (05:37):
Okay, break that down for us. What does failing to
validate an SSL certificate actually let an attacker do?

Speaker 2 (05:44):
Sure, so, when your device talks to a server like Google,
the certificate is how it proves the servers who it
says it is. If the fridge doesn't bother to check
that proof.

Speaker 1 (05:54):
It'll talk to anyone who claims to be Google.

Speaker 2 (05:55):
Precisely, it opens the door for what's called a man
in the middle attack. An attacker on the same network
can pretend to be a Google server and the fringe
will happily hand over your log.

Speaker 3 (06:06):
In credentials, your Gmail username and password, your Gmail username
and password, and once an attacker has that, they have
the keys to your entire digital kingdom, bank accounts, password
resets everything.

Speaker 2 (06:17):
The fridge was just the entry point.

Speaker 1 (06:19):
That is terrifying. Yeah, and it brings us to probably
the scariest example of all the jeep incident.

Speaker 2 (06:25):
Ah Yes, the Watershed moment.

Speaker 1 (06:28):
Where attackers took control of a car while it was
on the highway. This is the definition of a cyber
physical failure.

Speaker 2 (06:34):
It really was. They could mess with the radio and
the wipers, sure, but the terrifying part was that they
got access to the car's internal network, the cn bus,
and from there. From there they could control the transmission.
They were able to disable it while the car was
moving at speed.

Speaker 1 (06:50):
And how did they get in? What was the vulnerability?

Speaker 2 (06:53):
It came down to insecurities in the car's entertainment and
telematox unit. It had open ports on its cellular connection
and the software wasn't properly segmented. The systems controlling the
Wi Fi weren't isolated from the systems controlling the engine.

Speaker 1 (07:07):
A basic architectural flaw, a huge one.

Speaker 2 (07:10):
And it led to the recall of one point four
million vehicles just to apply a software patch.

Speaker 1 (07:15):
Which proves, I guess that trying to fix security after
the fact is way more expensive than just building it
in from the start.

Speaker 2 (07:22):
Oh exponentially more. It proves that security can't be an
add on. It has to be part of the design
from day one.

Speaker 1 (07:29):
So that's the vendor's responsibility. What does that look like
in practice.

Speaker 2 (07:32):
Well, first, vendors have to get rid of default passwords.
They need to enforce strong complex credentials right from the
initial setup, and they need a real strategy for updates
pushing patches automatically and being willing to recall devices when
something is seriously wrong.

Speaker 1 (07:48):
And what about just reducing the number of ways in
the attack surface?

Speaker 2 (07:52):
Absolutely critical. All those extra features and ports that aren't
needed for normal use, those factory diagnostic tools, they need
to be disabled by default before the device ever leaves
the factory.

Speaker 1 (08:02):
Okay, that covers the vendors. What about for users or
for developers who are setting up these complex networks in
say a smart building. How do we move beyond just
better passwords?

Speaker 2 (08:14):
This is where you get into more advanced strategies. The
two big ones are better monitoring and smarter network architecture.

Speaker 1 (08:20):
Let's start with monitoring. What does that mean in.

Speaker 2 (08:21):
This context, it means using tools like embedded proxies or
content filters. A proxy can sit between your IoT devices
and the Internet and inspect everything they're trying to do.

Speaker 1 (08:32):
So it's like a security guard for your network traffic.

Speaker 2 (08:35):
A very nosy security guard. If your smart light bulb
suddenly tries to connect to a suspicious server in another country,
the proxy can see that and block it immediately, regardless
of your firewall rules.

Speaker 1 (08:46):
And the second strategy was network architecture. You mentioned segmentation
earlier with the Jeep.

Speaker 2 (08:51):
Yes, network segmentation is probably the single most powerful defense
you can implement. The idea is to create isolated subnowe works.
Don't think of your home network as one big open room.
Think of it as a building with many separate, locked rooms,
and you.

Speaker 1 (09:08):
Give each device a key to only the rooms.

Speaker 2 (09:10):
It needs exactly. You use something called trust models. For instance,
your really trusted devices, your laptop, your phone, are in
one secure room. Then all your less trusted IoT gadgets,
the smart TV, the fridge, that light bulb, they all
go into a completely separate guest network.

Speaker 1 (09:27):
So then get to the internet, but they can't talk
to your important stuff.

Speaker 2 (09:30):
Right If that smart fridge gets compromised, the attacker is
trapped in that one room. They can't move laterally to
attack your main computer because the firewall rules simply forbid
that communication.

Speaker 1 (09:42):
It contains the damage.

Speaker 2 (09:43):
It contains the damage. You just block communication that isn't
absolutely necessary.

Speaker 1 (09:48):
So when you pull this all together, it's clear the
IoT security landscape is well, it's a huge challenge. We've
taken all these older technologies Wi Fi, Bluetooth, cellular that
were never built for this and we've connected them to
the physical world.

Speaker 2 (10:03):
And understanding that the flaws often lie in those simple,
old design mistakes is the first step. We've really gone
across the entire spectrum today, from a physical threat to
a baby monitor, all the way to complex network design
for a car.

Speaker 1 (10:17):
The message seems pretty clear. The security has to catch
up to the complexity of what we're building.

Speaker 2 (10:21):
It has to do and it has to do it
fast and for.

Speaker 1 (10:24):
You, our listener. Here a final thought to chew on.
We've talked a lot about Wi Fi and cellular networks
being repurposed for IoT, so here's your challenge. Think of
another common communication protocol used in IoT today, maybe something
beyond those two, and try to identify three new security
issues that come up just because it's being used in
this hyper connected physical world. Something to explore on your

(10:45):
own

All Episodes

Course 9 - Internet of Things Security | Episode 3: IOT Security: Challenges, Vulnerabilities, and Real-World Cyber-Physical Attacks

Episode Transcript

Popular Podcasts

Stuff You Should Know

My Favorite Murder with Karen Kilgariff and Georgia Hardstark

Dateline NBC

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Course 9 - Internet of Things Security | Episode 3: IOT Security: Challenges, Vulnerabilities, and Real-World Cyber-Physical Attacks