November 25, 2015 By Douglas Bonderud 2 min read

There’s no doubt that the Internet of Things (IoT) is on an upswing. As noted by IT Business, firms like IDC are calling for at least 22 billion connected devices by 2018, with more than 200,000 apps and services being developed for the IoT specifically. But big business and effective security don’t always go hand in hand: According to SC Magazine, a team of researchers has just defeated one of the most widely used IoT encryption solutions, the Algebraic Eraser. What’s more, they’ve done it using parameters provided by the creators of the key itself. Does this make effective security “mission impossible” in a truly connected world?

The Internet of Things: A Disappearing Act

While the Internet of Things links high-performance devices like smartphones, desktops and tablets, the bigger impact is felt by the connections between smaller devices with minimal computing capacity — for example, temperature sensors, RFID tags and mobile payment solutions. To help secure these devices, Connecticut-based firm SecureRF designed the Algebraic Eraser, an encryption algorithm also part of ISO/IEC specification AWI 29167-20 for securing air interface communications devices. Here’s the problem: Researchers have now twice defeated this countermeasure.

The first time, SecureRF argued the results were influenced by weak algorithm parameters chosen by the researchers and created a workaround. Problem solved, right? Not quite. Lead researcher Simon Blackburn and his team weren’t convinced that the Eraser was actually foolproof, so they set out to crack it again with “parameters being used in practice” and provided by SecureRF. Not only did Blackburn and his fellows break the key a second time, but they did so in less than eight hours.

Blow the House Down

So what does this mean for the future of IoT? Are all devices inherently unsafe? Does access to a single device compromise the entire network? An article from RCR Wireless likens the Internet of Things to a house with millions of windows and doors; if attackers smash one window or break down one door, they have access to the network at large and are able to cause widespread chaos. At the recent Federal Building Council event, cyber defense firm M2 Security said its solution to the problem is “just nail down all the doors and windows.”

Sounds like a great idea, unless of course attackers have cracked the code that safeguards these devices from unwanted intrusion. In this scenario, nailed windows and locked doors don’t matter; attackers have the key and can walk in unannounced. While the Algebraic Eraser is mostly used to secure lower-priority devices on corporate networks, the interconnected nature of these technologies means that even breaching a peripheral sensor or payment gateway puts cybercriminals within striking distance of critical data.

Bottom line? IoT adoption isn’t slowing down, but effective security may require more than simply rewriting the same encryption algorithm each time it’s defeated. Per-device security on par with critical IT infrastructure is rapidly becoming a necessity for even the smallest, arm’s-length sensors and monitors. IoT levels the playing field, and to make security possible, companies need to step up their game.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today